Keyboard shortcuts

Press or to navigate between chapters

Press S or / to search in the book

Press ? to show this help

Press Esc to hide this help

Profile Options Reference

This document provides a comprehensive reference for all profile configuration options available in sus TOML profile files.

Note: This documentation is auto-generated from the source code. Run make docs to regenerate.

Overview

Profiles are TOML configuration files that define how files should be analyzed. They can include:

  • Pattern matching rules (string, regex, bytes)
  • YARA-X rules for malware detection
  • Content decoding options
  • File size limits
  • Path include/exclude globs
  • Custom SQL signatures

Profile Location

By default, sus looks for profile.toml in the current directory. You can specify a different profile with --profile:

sus /data --profile /path/to/custom.toml

Basic Structure

# Include other profiles (optional)
includes = ["base.toml", "security.toml"]

# Content decoding options
decode = ["base64", "hex", "percent-encoding", "html-entity", "unicode-escape-sequences"]

# Maximum file size to analyze (in bytes)
max-file-size = 104857600  # 100 MiB

# Glob patterns for including files
include-path-globs = ["**/*.jar", "**/*.war"]

# Glob patterns for excluding files
exclude-path-globs = ["**/node_modules/**", "**/vendor/**"]

# Default tag for files
tag = "default"

# Pattern definitions
[[patterns]]
  name = "Pattern Name"
  pattern = "pattern-string"
  type = "string"  # or "regex" or "bytes"
  case-insensitive = false  # optional, default: false

# YARA rule directories
yara-x-rules = ["./yara-rules/"]

# Custom SQL signatures
[[signatures]]
  name = "Signature Name"
  query = "SELECT sha256 FROM unique_files WHERE condition"

Top-Level Options

includes

Include other profile files, which will be merged with the current profile.

includes = ["base.toml", "security.toml"]
  • Relative paths are resolved relative to the profile file's directory
  • Circular dependencies are detected and prevented
  • All included profiles are merged with automatic deduplication

decode

Content decoding options to apply during analysis.

decode = ["base64", "hex", "percent-encoding", "html-entity", "unicode-escape-sequences"]
ValueDescription
base64Decode Base64-encoded content
hexDecode hexadecimal-encoded content
percent-encodingDecode URL percent-encoded content (e.g., %20)
html-entityDecode HTML entities (e.g., &)
unicode-escape-sequencesDecode Unicode escape sequences (e.g., \u0041)

max-file-size

Maximum file size to analyze, in bytes.

max-file-size = 104857600  # 100 MiB

Files larger than this size will be skipped during analysis.

include-path-globs

Glob patterns for including files. Only files matching at least one pattern will be analyzed.

include-path-globs = ["**/*.jar", "**/*.war", "**/*.class"]

exclude-path-globs

Glob patterns for excluding files. Files matching any pattern will be skipped.

exclude-path-globs = ["**/node_modules/**", "**/vendor/**", "**/.git/**"]

tag

Default tag to apply to files analyzed with this profile.

tag = "production"

yara-x-rules

Directories containing YARA-X rule files (.yar or .yara extension).

yara-x-rules = ["./yara-rules/", "/shared/yara/"]

Pattern Definitions

Patterns are defined using the [[patterns]] array table syntax.

Pattern Fields

FieldTypeRequiredDescription
namestringYesHuman-readable name for the pattern
patternstringYesThe pattern to match
typestringYesPattern type: string, regex, or bytes
case-insensitivebooleanNoCase-insensitive matching (default: false)

Pattern Types

String Patterns

Literal string matching:

[[patterns]]
  name = "Private Key Header"
  pattern = "-----BEGIN PRIVATE KEY-----"
  type = "string"

[[patterns]]
  name = "Password Reference"
  pattern = "password"
  type = "string"
  case-insensitive = true

Regex Patterns

Regular expression matching:

[[patterns]]
  name = "AWS Access Key"
  pattern = "AKIA[0-9A-Z]{16}"
  type = "regex"

[[patterns]]
  name = "Email Address"
  pattern = "[a-z0-9._%+-]+@[a-z0-9.-]+\\.[a-z]{2,}"
  type = "regex"
  case-insensitive = true

Bytes Patterns

Hexadecimal byte patterns:

# PDF file signature
[[patterns]]
  name = "PDF Header"
  pattern = "25:50:44:46"  # %PDF in hex
  type = "bytes"

# PNG file signature
[[patterns]]
  name = "PNG Header"
  pattern = "89:50:4E:47:0D:0A:1A:0A"
  type = "bytes"

Signature Definitions

Signatures are custom SQL queries executed against the analysis database.

Signature Fields

FieldTypeRequiredDescription
namestringYesHuman-readable name for the signature
querystringYesSQL SELECT query to execute

Signature Rules

  • Queries must start with SELECT
  • Queries must reference at least one valid table: unique_files, files, pattern_matches, or analysis
  • Dangerous SQL keywords are not allowed: DROP, DELETE, INSERT, UPDATE, ALTER, CREATE, TRUNCATE, EXEC, EXECUTE, PRAGMA

Available Tables for Signatures

unique_files

ColumnTypeDescription
sha256TEXTSHA-256 hash (primary key)
sha1TEXTSHA-1 hash
md5TEXTMD5 hash
file_sizeINTEGERFile size in bytes
mime_type_for_contentTEXTMIME type based on content
shannon_entropyREALShannon entropy value

files

ColumnTypeDescription
pathTEXTFile path (primary key)
file_nameTEXTFile name
sha256TEXTSHA-256 hash
file_createdTEXTCreation timestamp
file_modifiedTEXTModification timestamp
file_accessedTEXTAccess timestamp
mime_types_from_file_extensionTEXTMIME types from extension
is_symbolic_linkINTEGERWhether file is a symlink
is_extracted_fileINTEGERWhether file was extracted
is_decoded_fileINTEGERWhether file was decoded
tagTEXTTag assigned to file

pattern_matches

ColumnTypeDescription
idINTEGERMatch ID (primary key)
sha256TEXTSHA-256 hash of matched file
pattern_nameTEXTName of matching pattern
match_typeTEXTType of match
matchTEXTMatched content
locationTEXTLocation of match
lengthINTEGERLength of match

analysis

ColumnTypeDescription
sha256TEXTSHA-256 hash (primary key)
notesTEXTAnalysis notes
is_suspiciousINTEGERWhether file is suspicious
tagsTEXTTags assigned to file

Signature Examples

[[signatures]]
  name = "High Entropy Files"
  query = "SELECT sha256 FROM unique_files WHERE shannon_entropy > 7.5"

[[signatures]]
  name = "Large Suspicious Files"
  query = "SELECT sha256 FROM unique_files WHERE file_size > 1000000 AND sha256 IN (SELECT sha256 FROM analysis WHERE is_suspicious = 1)"

[[signatures]]
  name = "Files with SQL Injection"
  query = "SELECT DISTINCT sha256 FROM pattern_matches WHERE pattern_name = 'SQL Statement'"

[[signatures]]
  name = "Files by Tag"
  query = "SELECT path FROM files WHERE tag = 'production'"

Profile Merging

When multiple profiles are specified, they are merged with automatic deduplication:

Via Command Line

sus /data --profile base.toml --profile security.toml --profile custom.toml

Via Includes

# main.toml
includes = ["base.toml", "security.toml"]

[[patterns]]
  name = "Additional Pattern"
  pattern = "custom"
  type = "string"

Merging Rules

FieldMerge Behavior
patternsDeduplicated based on type, pattern, and case-sensitivity
yara-x-rulesDeduplicated by path
decodeUnique decode methods are combined
signaturesDeduplicated by name and query
max-file-sizeUses the minimum value across all profiles
tagUses the first profile's tag
include-path-globsUses the first non-empty glob set
exclude-path-globsUses the first non-empty glob set

Command Execution

Profiles can define command groups to execute during analysis. Each group contains inline commands with shared settings for OS/architecture filtering, error handling, and execution targets.

Basic Command Group

[[commands]]
  name = "System Information"
  ignore-errors = true
    [[commands.commands]]
      command = "uname -a"

Group-Level Options

OptionTypeDescription
nameStringHuman-readable name for the group
enabledBooleanWhether this group is enabled (default: true)
osArrayOperating systems to run on (e.g., ["linux", "windows", "macos"])
archArrayCPU architectures to run on (e.g., ["x86-64", "aarch64"])
ignore-errorsBooleanContinue if commands fail (default: false)
targetStringExecution target: "local" (default), "agent", or "controller"
envArrayEnvironment variables as ["KEY", "value"] pairs
working-dirStringWorking directory for command execution
matrixTableOptional matrix definition for running across combinations

Command Entry Options

OptionTypeDescription
commandStringThe command to execute (required)
nameStringOptional name (defaults to command string)
ignore-errorsBooleanOverride group's ignore-errors setting
envArrayAdditional environment variables (merged with group env)
working-dirStringOverride group's working directory

OS and Architecture Filtering

Groups can be filtered by operating system and CPU architecture:

# Windows-only group
[[commands]]
  name = "Windows System Info"
  os = ["windows"]
  ignore-errors = true
    [[commands.commands]]
      command = "systeminfo"

# Linux and macOS group
[[commands]]
  name = "Unix System Info"
  os = ["linux", "macos"]
    [[commands.commands]]
      command = "uname -a"

# Architecture-specific group
[[commands]]
  name = "x86_64 Only"
  arch = ["x86-64"]
    [[commands.commands]]
      command = "echo 'Running on x86_64'"

Environment Variables and Working Directory

Group-level env vars are inherited by all commands. Per-command env vars are merged on top.

[[commands]]
  name = "Custom Environment"
  os = ["linux", "macos"]
  env = [["MY_VAR", "custom_value"]]
  working-dir = "/tmp"
  ignore-errors = true
    [[commands.commands]]
      command = "echo $MY_VAR"
    [[commands.commands]]
      command = "printenv MY_VAR"
      env = [["EXTRA_VAR", "extra"]]

Inline Command Groups

Related commands are naturally grouped together within a [[commands]] entry:

[[commands]]
  name = "Hardware Info"
  os = ["linux"]
  ignore-errors = true
    [[commands.commands]]
      command = "lscpu"
    [[commands.commands]]
      command = "free -h"
    [[commands.commands]]
      command = "df -h"

Command Matrix

Define a matrix to run all commands in the group across multiple parameter combinations:

[[commands]]
  name = "Cross-Platform Check"
  ignore-errors = true
    [commands.matrix]
      os = ["linux", "windows"]
      arch = ["x86-64", "aarch64"]
    [[commands.commands]]
      command = "echo 'Platform-specific check'"
    [[commands.commands]]
      command = "hostname"

Execution Targets

Commands can target different execution environments:

# Run locally (default)
[[commands]]
  name = "Local Analysis"
  target = "local"
    [[commands.commands]]
      command = "python analyze.py"

# Run on remote agent
[[commands]]
  name = "Agent Collection"
  target = "agent"
    [[commands.commands]]
      command = "collect-logs.sh"

# Run on controller
[[commands]]
  name = "Controller Aggregation"
  target = "controller"
    [[commands.commands]]
      command = "aggregate-results.sh"

Complete Command Example

# Cross-platform hostname
[[commands]]
  name = "Hostname"
  ignore-errors = true
    [[commands.commands]]
      command = "hostname"

# Linux-specific diagnostics
[[commands]]
  name = "Linux Diagnostics"
  os = ["linux"]
  ignore-errors = true
    [[commands.commands]]
      command = "lscpu"
    [[commands.commands]]
      command = "free -h"
    [[commands.commands]]
      command = "df -h"

# macOS-specific diagnostics
[[commands]]
  name = "macOS Diagnostics"
  os = ["macos"]
  ignore-errors = true
    [[commands.commands]]
      command = "sysctl -n machdep.cpu.brand_string"
    [[commands.commands]]
      command = "df -h"

# Matrix-based diagnostics
[[commands]]
  name = "Cross-Platform Matrix"
  ignore-errors = true
    [commands.matrix]
      os = ["linux"]
      arch = ["x86-64", "aarch64"]
    [[commands.commands]]
      command = "uname -m"
    [[commands.commands]]
      command = "echo 'Platform check'"

Complete Example

# security-audit.toml - Complete security audit profile

includes = ["base.toml"]

decode = ["base64", "hex", "percent-encoding"]

max-file-size = 52428800  # 50 MiB

include-path-globs = ["**/*.java", "**/*.py", "**/*.js", "**/*.rb"]
exclude-path-globs = ["**/node_modules/**", "**/vendor/**", "**/.git/**"]

tag = "security-audit"

yara-x-rules = ["./yara-rules/malware/", "./yara-rules/credentials/"]

# AWS Credentials
[[patterns]]
  name = "AWS Access Key"
  pattern = "AKIA[0-9A-Z]{16}"
  type = "regex"

[[patterns]]
  name = "AWS Secret Key"
  pattern = "(?i)aws(.{0,20})?['\"][0-9a-zA-Z/+]{40}['\"]"
  type = "regex"

# Private Keys
[[patterns]]
  name = "RSA Private Key"
  pattern = "-----BEGIN RSA PRIVATE KEY-----"
  type = "string"

[[patterns]]
  name = "Generic Private Key"
  pattern = "-----BEGIN PRIVATE KEY-----"
  type = "string"

# Passwords
[[patterns]]
  name = "Password Assignment"
  pattern = "(password|passwd|pwd)\\s*=\\s*['\"][^'\"]+['\"]"
  type = "regex"
  case-insensitive = true

# API Keys
[[patterns]]
  name = "Generic API Key"
  pattern = "api[_-]?key\\s*=\\s*['\"][^'\"]+['\"]"
  type = "regex"
  case-insensitive = true

# Signatures
[[signatures]]
  name = "High Entropy Files (Possible Encrypted/Compressed)"
  query = "SELECT sha256 FROM unique_files WHERE shannon_entropy > 7.5"

[[signatures]]
  name = "Large Files with Pattern Matches"
  query = "SELECT DISTINCT u.sha256 FROM unique_files u JOIN pattern_matches p ON u.sha256 = p.sha256 WHERE u.file_size > 100000"

See Also

Overview

This document summarises the new profiles added to sus inspired by UAC (Unix-like Artifacts Collector) and KAPE (Kroll Artifact Parser and Extractor), along with features that would enhance sus to match these tools' capabilities.

Base Profiles (3 new)

  1. forensics.toml (31 patterns)

    • Windows forensic artifacts (event logs, prefetch, registry, ShimCache, Amcache)
    • Browser artifacts (history, cookies, cache, downloads)
    • Unix/Linux artifacts (bash history, auth logs, syslog, wtmp/utmp)
    • Memory dumps and hibernation files
    • Email artifacts (PST, OST, EML, MBOX)
    • File system artifacts (VSS, Recycle Bin, Thumbs.db)
    • Timeline and timestamp patterns

  2. system-artifacts.toml (29 patterns)

    • Windows system files and configurations (INI, policies, scheduled tasks)
    • Unix/Linux configs (crontab, systemd, init scripts, passwd/shadow)
    • Log files (application, event, IIS, Apache/Nginx, audit logs)
    • User activity (profiles, Desktop, AppData, temp directories)
    • Network configuration (hosts file, interfaces, resolv.conf)
    • Startup and autorun locations

  3. browser-artifacts.toml (35 patterns)

    • Chrome/Chromium (history, cookies, login data, bookmarks, extensions, cache)
    • Firefox (places.sqlite, cookies, downloads, logins, bookmarks, cache)
    • Edge (history, cookies, WebCache)
    • Internet Explorer (WebCache, index.dat)
    • Safari (history, cookies, cache)
    • Browser sessions, downloads, search queries
    • Extension artifacts, Flash cookies
    • Saved passwords, form autofill, credit card data
    • Private browsing indicators

Composite Profiles (3 new)

  1. forensic-investigation.toml

    • Combines: forensics + system-artifacts + browser-artifacts + malware + network
    • Additional patterns for evidence files, forensic images, timelines, case files
    • Comprehensive forensic artifact collection similar to KAPE's "!SANS_Triage" target

  2. live-response.toml

    • Combines: system-artifacts + malware + network
    • Focus on volatile data: running processes, active connections, logged-in users
    • Memory artifacts, command history, volatile registry keys
    • Live malware indicators (suspicious processes, rootkits, injected code)
    • Similar to UAC's live response collection

  3. windows-forensics.toml

    • Combines: forensics + system-artifacts + browser-artifacts
    • Windows-specific patterns: registry paths, event IDs, execution artifacts
    • Prefetch, AppCompatCache, BAM/DAM, Windows Timeline
    • NTFS features (ADS, Zone.Identifier, USN Journal)
    • Network profiles, application artifacts, security artifacts
    • Modeled after KAPE's Windows compound targets

Statistics

New Content:

  • 3 new base profiles with 95 total patterns
  • 3 new composite profiles
  • 3 test file suites
  • Total profiles now: 15 (9 base + 6 composite)
  • Total patterns across all profiles: 227+

Coverage:

  • Windows forensics: Comprehensive
  • Linux/Unix forensics: Good coverage
  • Browser forensics: All major browsers
  • Live response: Volatile data focus
  • System artifacts: Configuration and logs

3. Timeline Generation ⭐ MEDIUM PRIORITY

Current State: No timeline functionality UAC/KAPE Feature: Automatic timeline creation from artefacts Recommendation:

  • Extract timestamps from all artefacts
  • Generate CSV/JSON timeline output
  • Support for Plaso/log2timeline format integration
  • Timeline visualisation in web UI

4. Live Response Capabilities ⭐ MEDIUM PRIORITY

Current State: Limited to file analysis UAC Feature: Collects live system state Recommendation:

  • Add --live-response mode to capture:
    • Running processes (with command lines, PIDs, parent PIDs)
    • Network connections (netstat equivalent)
    • Loaded drivers/modules
    • Open files/handles
    • Environment variables
    • System information (uptime, logged-in users)

5. Memory Analysis Integration ⭐ LOW PRIORITY

Current State: Can detect memory dumps but not analyse them KAPE Feature: Memory module integration Recommendation:

  • Integrate with Volatility or similar tools
  • Extract strings from memory dumps
  • Identify processes, network connections, loaded DLLs
  • Detect memory-resident malware

6. Registry Parser Integration ⭐ HIGH PRIORITY

Current State: sus has registry.rs but basic parsing KAPE Feature: Comprehensive registry parsing Recommendation:

  • Enhanced registry parsing for forensic artefacts:
    • UserAssist (program execution tracking)
    • ShimCache/AppCompatCache (detailed parsing)
    • Amcache (application inventory)
    • BAM/DAM (background activity monitor)
    • RecentDocs, MRU lists
    • Network history
    • USB device history
  • Export parsed data to structured format (CSV, JSON)

7. Event Log Parsing ⭐ MEDIUM PRIORITY

Current State: Can detect .evtx files but not parse KAPE Feature: Event log parsing and filtering Recommendation:

  • Parse Windows Event Logs (.evtx)
  • Filter by Event ID, source, level
  • Extract key security events (logon/logoff, account changes, etc.)
  • Generate event summary reports

8. Evidence Integrity ⭐ HIGH PRIORITY

Current State: Basic file hashing UAC/KAPE Feature: Chain of custody, integrity verification Recommendation:

  • Generate evidence hash manifests
  • Sign collected artifacts
  • Chain of custody logging
  • Tamper detection
  • Support for forensic image formats

10. Automated Reporting ⭐ LOW PRIORITY

Current State: Web UI for browsing, SQLite database UAC/KAPE Feature: Automated report generation Recommendation:

  • Generate HTML/PDF forensic reports
  • Executive summary sections
  • Artifact inventory
  • Timeline views
  • IOC extraction
  • Recommendations for further investigation

11. Artifact Age Filtering ⭐ LOW PRIORITY

Current State: No time-based filtering KAPE Feature: Collect artefacts modified within timeframe Recommendation:

  • --modified-after and --modified-before options
  • Focus on recent activity (last 7 days, 30 days, etc.)
  • Reduce collection scope for large systems

12. Remote Collection ⭐ MEDIUM PRIORITY

Current State: Agent mode exists but limited UAC Feature: Remote artifact collection Recommendation:

  • Enhance agent mode for forensic collection
  • Support for network share collection (UNC paths, SMB)
  • Remote registry access
  • WMI/PowerShell remoting integration

13. Volume Shadow Copy (VSS) Support ⭐ MEDIUM PRIORITY

Current State: Can detect VSS but not access KAPE Feature: VSS enumeration and extraction Recommendation:

  • Enumerate Volume Shadow Copies
  • Extract artifacts from VSS snapshots
  • Compare current vs. shadow copy artifacts
  • Deleted file recovery

14. Batch Processing ⭐ LOW PRIORITY

Current State: Single directory at a time KAPE Feature: Batch target processing Recommendation:

  • Process multiple evidence sources in one run
  • Queue management for large-scale analysis
  • Parallel processing of multiple images/systems
  • Progress tracking for batch jobs

Phase 1: Core Forensic Features (Immediate)

  1. Artifact collection framework (--collect mode)
  2. Enhanced registry parsing
  3. Evidence integrity (hash manifests, chain of custody)
  4. Timeline generation

Phase 2: Live Response (Next)

  1. Live response capabilities
  2. Event log parsing
  3. Remote collection enhancements
  4. Triage scoring system

Phase 3: Advanced Features (Future)

Phase 3: Advanced Features (Future)

  1. Memory analysis integration
  2. VSS support
  3. KAPE compatibility layer
  4. Automated reporting
  5. Batch processing

Testing

All new profiles have been created with test files:

  • profiles/tests/forensics/forensic_artifacts_test.txt
  • profiles/tests/system-artifacts/system_config_test.txt
  • profiles/tests/browser-artifacts/browser_history_test.txt

These test files contain representative patterns that the profiles should detect.

Conclusion

The addition of UAC and KAPE-inspired profiles significantly enhances sus's forensic capabilities. However, to fully match these tools, sus would benefit from:

Must-Have Features:

  1. Artifact collection and preservation
  2. Enhanced registry and event log parsing
  3. Evidence integrity mechanisms
  4. Timeline generation

Nice-to-Have Features:

  1. Live response data collection
  2. KAPE target compatibility
  3. Triage scoring and automated reporting
  4. VSS support

These enhancements would position sus as a comprehensive forensic triage and analysis tool suitable for incident response, digital forensics, and security investigations.