Operating System



OS_AUTORUNS_REP

Response from an os_autoruns request.

Platforms:

Sample Event:

{
  "TIMESTAMP": 1456194620,
  "AUTORUNS": [
    {
      "REGISTRY_KEY": "Software\\Microsoft\\Windows\\CurrentVersion\\Run\\VMware User Process",
      "FILE_PATH": "\"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\" -n vmusr",
      "HASH": "036608644e3c282efaac49792a2bb2534df95e859e2ddc727cd5d2e764133d14"
    },
    {
      "REGISTRY_KEY": "SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\RoccatTyonW",
      "FILE_PATH": "\"C:\\Program Files (x86)\\ROCCAT\\Tyon Mouse\\TyonMonitorW.EXE\"",
      "HASH": "7d601591625d41aecfb40b4fc770ff6d22094047216c4a3b22903405281e32e1"
    },
    { "..." : "..." }
  ]
}

OS_DRIVERS_REP

Response from an os_drivers request.

Platforms:

Sample Event:

{
  "SVCS": [
    {
      "PROCESS_ID": 0,
      "SVC_TYPE": 1,
      "SVC_NAME": "1394ohci",
      "SVC_STATE": 1,
      "HASH": "9ecf6211ccd30273a23247e87c31b3a2acda623133cef6e9b3243463c0609c5f",
      "SVC_DISPLAY_NAME": "1394 OHCI Compliant Host Controller",
      "EXECUTABLE": "\\SystemRoot\\System32\\drivers\\1394ohci.sys"
    },
    {
      "PROCESS_ID": 0,
      "SVC_TYPE": 1,
      "SVC_NAME": "3ware",
      "SVC_STATE": 1,
      "SVC_DISPLAY_NAME": "3ware",
      "EXECUTABLE": "System32\\drivers\\3ware.sys"
    },
    { "..." : "..." }
  ]
}

OS_KILL_PROCESS_REP

Response from an os_kill_process request.

Platforms:

Sample Event:

{
  "ERROR": 0,
  "PROCESS_ID": 579
}

OS_PACKAGES_REP

Response from an os_packages request: the list of packages installed on the system. Currently Windows only; support for macOS and Linux is planned.

Platforms:

Sample Event:

"PACKAGES": [
  {
    "PACKAGE_NAME": "Microsoft Windows Driver Development Kit Uninstall - 3790.1830"
  },
  {
    "PACKAGE_VERSION": "1.1.40219",
    "PACKAGE_NAME": "Microsoft Help Viewer 1.1"
  },
  {
    "PACKAGE_VERSION": "10.0.40219",
    "PACKAGE_NAME": "Microsoft Team Foundation Server 2010 Object Model - ENU"
  },
  { "..." : "..." }
]

OS_PROCESSES_REP

Response from an os_process request.

Platforms:

Sample Event:

{
  "MODULES": 0,
  "PROCESSES": [
    {
      "COMMAND_LINE": "/sbin/init",
      "FILE_PATH": "/usr/lib/systemd/systemd",
      "HASH": "477209848fabcaf52c060d98287f880845cb07fc9696216dbcfe9b6ea8e72bcd",
      "MEMORY_USAGE": 13389824,
      "PARENT_PROCESS_ID": 0,
      "PROCESS_ID": 1,
      "THREADS": 1,
      "USER_ID": 0,
      "USER_NAME": "root",
      "this": "211e57d39796d0f0a3e46407659edfa2"
    },
    {
      "FILE_PATH": "kthreadd",
      "PARENT_PROCESS_ID": 0,
      "PROCESS_ID": 2,
      "THREADS": 1,
      "USER_ID": 0,
      "USER_NAME": "root",
      "this": "d5c390887102d722103affc2659edfa2"
    },
    {
      "FILE_PATH": "rcu_gp",
      "PARENT_PROCESS_ID": 2,
      "PROCESS_ID": 3,
      "THREADS": 1,
      "USER_ID": 0,
      "USER_NAME": "root",
      "this": "8d3273e9372fb4c521ecc95e659edfa2"
    },
    {
      "FILE_PATH": "rcu_par_gp",
      "PARENT_PROCESS_ID": 2,
      "PROCESS_ID": 4,
      "THREADS": 1,
      "USER_ID": 0,
      "USER_NAME": "root",
      "this": "0612e8123f130c9fef3276c3659edfa2"
    }
    { "..." : "..." }
  ]
}

OS_RESUME_REP

Response from an os_resume request.

Platforms:

OS_SERVICES_REP

Response from an os_services request.

Platforms:

Sample Event:

{
  "SVCS": [
    {
      "PROCESS_ID": 0,
      "SVC_TYPE": 32,
      "DLL": "%SystemRoot%\\System32\\AJRouter.dll",
      "SVC_NAME": "AJRouter",
      "SVC_STATE": 1,
      "HASH": "a09ae69c9de2f3765417f212453b6927c317a94801ae68fba6a8e8a7cb16ced7",
      "SVC_DISPLAY_NAME": "AllJoyn Router Service",
      "EXECUTABLE": "%SystemRoot%\\system32\\svchost.exe -k LocalService"
    },
    {
      "PROCESS_ID": 0,
      "SVC_TYPE": 16,
      "SVC_NAME": "ALG",
      "SVC_STATE": 1,
      "HASH": "f61055d581745023939c741cab3370074d1416bb5a0be0bd47642d5a75669e12",
      "SVC_DISPLAY_NAME": "Application Layer Gateway Service",
      "EXECUTABLE": "%SystemRoot%\\System32\\alg.exe"
    },
    { "..." : "..." }
  ]
}

OS_SUSPEND_REP

Response from an os_suspend request.

Platforms:

OS_USERS_REP

Response from an os_users request.

Platforms:

Sample Event:

{
  "USERS": [
    {
      "ACCT_EXPIRES": 4294967295,
      "CODE_PAGE": 0,
      "COMMENT": "",
      "COUNTRY_CODE": 0,
      "FULL_NAME": "",
      "HOME_DIR": "",
      "LAST_LOGON": 1686711873,
      "PASSWORD_AGE": 18225821,
      "SCRIPT_PATH": "",
      "SECURITY_ID": "S-1-5-21-910996669-4148394189-3692947099-500",
      "USER_FLAGS": 4295033347,
      "USER_NAME": "Administrator"
    },
    {
      "ACCT_EXPIRES": 4294967295,
      "CODE_PAGE": 0,
      "COMMENT": "",
      "COUNTRY_CODE": 0,
      "FULL_NAME": "",
      "HOME_DIR": "",
      "LAST_LOGON": 0,
      "PASSWORD_AGE": 0,
      "SCRIPT_PATH": "",
      "SECURITY_ID": "S-1-5-21-910996669-4148394189-3692947099-503",
      "USER_FLAGS": 4295033379,
      "USER_NAME": "DefaultAccount"
    },
    {
      "ACCT_EXPIRES": 4294967295,
      "CODE_PAGE": 0,
      "COMMENT": "",
      "COUNTRY_CODE": 0,
      "FULL_NAME": "",
      "HOME_DIR": "",
      "LAST_LOGON": 0,
      "PASSWORD_AGE": 0,
      "SCRIPT_PATH": "",
      "SECURITY_ID": "S-1-5-21-910996669-4148394189-3692947099-501",
      "USER_FLAGS": 4295033443,
      "USER_NAME": "Guest"
    },
    { ... } , { ... }
  ]
}

OS_VERSION_REP

Response from an os_version request.

Platforms:

Sample Event:

{
  "BUILD_NUMBER": 20348,
  "FRIENDLY": {
    "EDITION": "ServerDatacenter",
    "PRODUCT": "Windows Server 2022 Datacenter",
    "RELEASE": "2009"
  },
  "PRODUCT_TYPE": 3,
  "SERVICE_PACK": {
    "VERSION_MAJOR": 0,
    "VERSION_MINOR": 0
  },
  "SUITE": 400,
  "VERSION_MAJOR": 10,
  "VERSION_MINOR": 0
}
