From 74846ca62ce88020aa990811bd3e804efa72d5e0 Mon Sep 17 00:00:00 2001
From: Max Altgelt
Date: Thu, 20 Nov 2025 12:02:50 +0100
Subject: [PATCH 1/2] fix: properly separate scheduled tasks
Scheduled tasks in some parsers were reported as at jobs, which led to confusion and to fields for at jobs that only really occurred in scheduled tasks. On the other hand, scheduled tasks were missing some forensically relevant information.
---
 thorlog/v3/atjob.go | 7 +------
 thorlog/v3/scheduledtask.go | 36 ++++++++++++++++++++++++++++++++----
 2 files changed, 33 insertions(+), 10 deletions(-)
diff --git a/thorlog/v3/atjob.go b/thorlog/v3/atjob.go
index 67391ff..6701235 100644
--- a/thorlog/v3/atjob.go
+++ b/thorlog/v3/atjob.go
@@ -7,12 +7,7 @@ import (
 type AtJob struct {
 jsonlog.ObjectHeader
- Command string `json:"command" textlog:"command"`
- Start string `json:"start" textlog:"start"`
- User string `json:"user" textlog:"user"`
- RunLevel string `json:"run_level" textlog:"runlevel"`
- LogonType string `json:"logon_type" textlog:"logontype"`
- Image *File `json:"image" textlog:"image,expand"`
+ Command string `json:"command" textlog:"command"`
 }
 const typeAtJob = "at job"
diff --git a/thorlog/v3/scheduledtask.go b/thorlog/v3/scheduledtask.go
index 7d3edc0..c0b7b45 100644
--- a/thorlog/v3/scheduledtask.go
+++ b/thorlog/v3/scheduledtask.go
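Review bot: Removing `Start`, `User`, `RunLevel`, `LogonType` and `Image` drops exported JSON and textlog keys from a versioned log schema (`thorlog/v3`), so any downstream field mapping for the `at job` type silently loses those values, and the hunk records the removal nowhere. The commit message justifies dropping the Windows-only fields, but a plain at job still has an owner and a run time, so `Start` and `User` look worth keeping unless the parsers fold them into `Command` — worth a sentence in the description either way. AtJob itself still has no doc comment; a one-liner such as `// AtJob describes a one-off job queued with at; only the job's command line is retained.` would tell a reader why the struct is now so thin.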
@@ -9,10 +9,38 @@ import (
 type ScheduledTask struct {
 LogObjectHeader
- Name string `json:"name" textlog:"name"`
- Path string `json:"path" textlog:"path"`
- Command string `json:"command" textlog:"command"`
- Enabled bool `json:"enabled" textlog:"enabled"`
+ // Name of the scheduled task.
+ Name string `json:"name" textlog:"name"`
+ // Path (within C:\Windows\System32\tasks) of this scheduled task.
+ Path string `json:"path" textlog:"path"`
+
+ // Commands executed when this scheduled task activates. Commands each include both image and arguments.
+ Commands StringList `json:"commands" textlog:"command,omitempty"`
+ // COM Handlers (as GUIDs) invoked when this scheduled task activates.
+ ComHandlers StringList `json:"com_handlers,omitempty" textlog:"com_handler,expand,omitempty"`
+
+ // Whether the scheduled task is active.
+ Enabled bool `json:"enabled" textlog:"enabled"`
+ // The trigger types when the task should be executed.
+ // Options:
+ // - Time (at a fixed time)
+ // - Calendar (regularly based on calendar)
+ // - Boot
+ // - Logon
+ // - Event (when specific events occur in the Windows Eventlog)
+ // - Registration (only when the task was initially created)
+ // - SessionStateChange (configurable on e.g. remote connection, session unlock, ...)
+ Triggers StringList `json:"triggers,omitempty" textlog:"triggers,omitempty"`
+
+ // The user (or SID) as which the scheduled task will run.
+ User string `json:"user" textlog:"user"`
+ // Logon type, options: S4U, Password, InteractiveToken
+ LogonType string `json:"logon_type" textlog:"logon_type"`
+ // Run level, options: LeastPrivilege or HighestAvailable
+ RunLevel string `json:"run_level" textlog:"run_level"`
+ // Privileges wanted by this scheduled task.
+ Privileges StringList `json:"privileges,omitempty" textlog:"privileges,omitempty"`
+
 LastRun time.Time `json:"last_run,omitzero" textlog:"lastrun,omitempty"`
 NextRun time.Time `json:"next_run,omitzero" textlog:"nextrun,omitempty"`
 }
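Review bot: The textlog keys added here do not follow one convention: `LogonType`/`RunLevel` get `logon_type`/`run_level` while the untouched `LastRun`/`NextRun` keep `lastrun`/`nextrun`, `Commands` is tagged singular `command` without `expand` while `ComHandlers` is singular `com_handler` with `expand`, and `Commands` carries `omitempty` only in its textlog tag, not in JSON. Pick one scheme now, e.g. `textlog:"commands,omitempty"` and `textlog:"com_handlers,omitempty"`, because these names end up in detection rules and field mappings and are painful to rename later. The `Image *File` field that the AtJob hunk removes has no counterpart here, so `Commands` carries only the raw command string; if `File` resolves hashes or signer information, an analyst loses the ability to tell a renamed or replaced binary from the expected one without a second lookup, which is exactly the forensic detail the commit message says it wants to add. The option lists in the comments are narrower than the Task Scheduler enums (Idle triggers and Group/ServiceAccount logon types also exist); either state that the parser maps onto exactly these names, or soften to `// Logon type, e.g. S4U, Password, InteractiveToken`.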
From 499b11d362385e12a7c32a04664c886b43531bcc Mon Sep 17 00:00:00 2001
From: Max Altgelt
Date: Tue, 25 Nov 2025 10:28:16 +0100
Subject: [PATCH 2/2] docs: add links to external documentations
---
 thorlog/v3/ebpf.go | 4 ++++
 thorlog/v3/scheduledtask.go | 4 ++++
 2 files changed, 8 insertions(+)
diff --git a/thorlog/v3/ebpf.go b/thorlog/v3/ebpf.go
index 748786f..65d7e83 100644
--- a/thorlog/v3/ebpf.go
+++ b/thorlog/v3/ebpf.go
@@ -7,6 +7,10 @@ import (
 // EBPFProgram describes an eBPF program attached to a specific endpoint in the kernel.
 //
 // To use eBPF nomenclature: This struct describes an eBPF link and its corresponding program.
+// The exposed information by the kernel about links can be found at
+// https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/include/uapi/linux/bpf.h?h=v6.17#n6680,
+// and program information at
+// https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/include/uapi/linux/bpf.h?h=v6.17#n6610.
 //
 // eBPF programs can be attached to a wide range of things; the LinkType contains what sort of object
 // the program is attached to, and AttachTarget contains what specific object it is attached to.
diff --git a/thorlog/v3/scheduledtask.go b/thorlog/v3/scheduledtask.go
index c0b7b45..44a43e6 100644
--- a/thorlog/v3/scheduledtask.go
+++ b/thorlog/v3/scheduledtask.go
@@ -6,6 +6,10 @@ import (
 "github.com/NextronSystems/jsonlog"
 )
+// ScheduledTask describes a Windows Scheduled Task.
+//
+// See also the Microsoft documentation at https://learn.microsoft.com/en-us/windows/win32/taskschd/task-scheduler-reference
+// for more details about scheduled tasks.
 type ScheduledTask struct {
 LogObjectHeader