diff --git a/thorlog/v3/atjob.go b/thorlog/v3/atjob.go
index 67391ff..6701235 100644
--- a/thorlog/v3/atjob.go
+++ b/thorlog/v3/atjob.go
@@ -7,12 +7,7 @@ import (
 type AtJob struct {
 jsonlog.ObjectHeader
- Command string `json:"command" textlog:"command"`
- Start string `json:"start" textlog:"start"`
- User string `json:"user" textlog:"user"`
- RunLevel string `json:"run_level" textlog:"runlevel"`
- LogonType string `json:"logon_type" textlog:"logontype"`
- Image *File `json:"image" textlog:"image,expand"`
+ Command string `json:"command" textlog:"command"`
 }
 const typeAtJob = "at job"
diff --git a/thorlog/v3/ebpf.go b/thorlog/v3/ebpf.go
index 748786f..65d7e83 100644
--- a/thorlog/v3/ebpf.go
+++ b/thorlog/v3/ebpf.go
@@ -7,6 +7,10 @@ import (
 // EBPFProgram describes an eBPF program attached to a specific endpoint in the kernel.
 //
 // To use eBPF nomenclature: This struct describes an eBPF link and its corresponding program.
+// The exposed information by the kernel about links can be found at
+// https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/include/uapi/linux/bpf.h?h=v6.17#n6680,
+// and program information at
+// https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/include/uapi/linux/bpf.h?h=v6.17#n6610.
 //
 // eBPF programs can be attached to a wide range of things; the LinkType contains what sort of object
 // the program is attached to, and AttachTarget contains what specific object it is attached to.
diff --git a/thorlog/v3/scheduledtask.go b/thorlog/v3/scheduledtask.go
index 7d3edc0..44a43e6 100644
--- a/thorlog/v3/scheduledtask.go
+++ b/thorlog/v3/scheduledtask.go
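Review bot: Dropping the `start`, `user`, `run_level`, `logon_type` and `image` fields from AtJob changes the JSON and textlog schema of the `at job` object without any note in the hunk on whether consumers of those keys were checked, and the user/run-level/logon-type context is what a reader needs to judge the privilege an at job runs with. The ScheduledTask struct in the same commit gains User, LogonType and RunLevel, which suggests the attributes moved there, but nothing in this file says so. If the narrowing is intended, AtJob deserves a doc comment like the one ScheduledTask receives, e.g. `// AtJob describes an "at job" entry; only its command line is recorded.`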
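Review bot: The two added doc lines in ebpf.go point readers at line-number anchors (`#n6680`, `#n6610`) in bpf.h, which are stable for the pinned v6.17 tag but tell a reader nothing without opening the link; naming the kernel structs keeps the comment useful offline. Presumably these are `struct bpf_link_info` and `struct bpf_prog_info`, so I would write `// The information the kernel exposes about links (struct bpf_link_info) can be found at` and `// and about programs (struct bpf_prog_info) at`, which also fixes the wording "The exposed information by the kernel".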
@@ -6,13 +6,45 @@ import (
 "github.com/NextronSystems/jsonlog"
 )
+// ScheduledTask describes a Windows Scheduled Task.
+//
+// See also the Microsoft documentation at https://learn.microsoft.com/en-us/windows/win32/taskschd/task-scheduler-reference
+// for more details about scheduled tasks.
 type ScheduledTask struct {
 LogObjectHeader
- Name string `json:"name" textlog:"name"`
- Path string `json:"path" textlog:"path"`
- Command string `json:"command" textlog:"command"`
- Enabled bool `json:"enabled" textlog:"enabled"`
+ // Name of the scheduled task.
+ Name string `json:"name" textlog:"name"`
+ // Path (within C:\Windows\System32\tasks) of this scheduled task.
+ Path string `json:"path" textlog:"path"`
+
+ // Commands executed when this scheduled task activates. Commands each include both image and arguments.
+ Commands StringList `json:"commands" textlog:"command,omitempty"`
+ // COM Handlers (as GUIDs) invoked when this scheduled task activates.
+ ComHandlers StringList `json:"com_handlers,omitempty" textlog:"com_handler,expand,omitempty"`
+
+ // Whether the scheduled task is active.
+ Enabled bool `json:"enabled" textlog:"enabled"`
+ // The trigger types when the task should be executed.
+ // Options:
+ // - Time (at a fixed time)
+ // - Calendar (regularly based on calendar)
+ // - Boot
+ // - Logon
+ // - Event (when specific events occur in the Windows Eventlog)
+ // - Registration (only when the task was initially created)
+ // - SessionStateChange (configurable on e.g. remote connection, session unlock, ...)
+ Triggers StringList `json:"triggers,omitempty" textlog:"triggers,omitempty"`
+
+ // The user (or SID) as which the scheduled task will run.
+ User string `json:"user" textlog:"user"` + // Logon type, options: S4U, Password, InteractiveToken + LogonType string `json:"logon_type" textlog:"logon_type"` + // Run level, options: LeastPrivilege or HighestAvailable + RunLevel string `json:"run_level" textlog:"run_level"` + // Privileges wanted by this scheduled task. + Privileges StringList `json:"privileges,omitempty" textlog:"privileges,omitempty"` + LastRun time.Time `json:"last_run,omitzero" textlog:"lastrun,omitempty"` NextRun time.Time `json:"next_run,omitzero" textlog:"nextrun,omitempty"` }
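Review bot: Replacing the `Command string` field (JSON key `command`) with `Commands StringList` (JSON key `commands`) renames the JSON key and turns a string into a list while the textlog key stays `command`, so JSON consumers of this object break silently unless the commit records it as a schema change. The json tag of Commands also lacks the `omitempty` that its own textlog tag and the sibling ComHandlers, Triggers and Privileges fields carry; if an empty list is meant to always be emitted, a one-line comment should say so, otherwise the tag should match. The LogonType comment lists only S4U, Password and InteractiveToken, but the Task Scheduler TASK_LOGON_TYPE enumeration also has values such as ServiceAccount (tasks running as LocalSystem or a service account) and Group; if the collector can emit those, list them or mark the list as partial, since the run-as context is what a reviewer of a suspicious task checks first.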