Skip to main content

HarfangLab EDR

This Integration is part of the HarfangLab EDR Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.2.0 and later.

HarfangLab EDR Connector, Compatible version 2.13.7+ This integration was integrated and tested with version 2.13.7+ of Hurukai

Configure HarfangLab EDR on Cortex XSOAR#

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for HarfangLab EDR.

  3. Click Add instance to create and configure a new integration instance.

    ParameterDescriptionRequired
    API URLTrue
    Fetch incidentsFalse
    Incident typeFalse
    API KeyFalse
    Long running instanceFalse
    Incidents Fetch IntervalFalse
    Fetch alerts with typeComma-separated list of types of alerts to fetch (sigma, yara, hlai, vt, ransom, ioc, glimps, orion...).False
    Minimum severity of alerts to fetchTrue
    Fetch alerts with status (ACTIVE, CLOSED)False
    First fetch timeStart fetching alerts whose creation date is higher than now minus <first_fetch> days.True
    Trust any certificate (not secure)False
    Use system proxy settingsFalse

  4. Click Test to validate the URLs, token, and connection.

Commands#

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

test-module#

Allows to test that the HarfangLab EDR API is reachable

Base Command#

test-module

Input#

Argument NameDescriptionRequired

Context Output#

There is no context output for this command.

fetch-incidents#

Allows to retrieve incidents from the HarfangLab EDR API

Base Command#

fetch-incidents

Input#

Argument NameDescriptionRequired

Context Output#

There is no context output for this command.

harfanglab-get-endpoint-info#

Get endpoint information from agent_id

Base Command#

harfanglab-get-endpoint-info

Input#

Argument NameDescriptionRequired
agent_idAgent unique identifier as provided by the HarfangLab EDR Manager.Optional

Context Output#

PathTypeDescription
Harfanglab.AgentunknownAgent information

Command example#

!harfanglab-get-endpoint-info agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db"

Context Example#

{
"Harfanglab": {
"Agent": {
"additional_info": {
"additional_info1": null,
"additional_info2": null,
"additional_info3": null,
"additional_info4": null
},
"avg_cpu": 1,
"avg_memory": 183558144,
"bitness": "x64",
"cpu_count": 2,
"cpu_frequency": 3192,
"distroid": null,
"dnsdomainname": null,
"domain": null,
"domainname": "WORKGROUP",
"driver_enabled": true,
"driver_policy": false,
"effective_policy_id": "e96699ef-3dd9-4718-90ef-c7e5646fd466",
"effective_policy_revision": 5,
"external_ipaddress": "(REDACTED)",
"firstseen": "2022-06-15T06:42:50.008015Z",
"group_count": 0,
"groups": [],
"hostname": "DC-01",
"id": "0fae71cf-ebde-4533-a50c-b3c0290378db",
"installdate": "2022/06/15 06:38:58",
"ipaddress": "(REDACTED)",
"ipmask": "(REDACTED)",
"isolation_policy": false,
"isolation_state": true,
"lastseen": "2022-07-28T07:41:32.197641Z",
"lastseen_error": "2022-07-28T07:47:02.197641Z",
"lastseen_warning": "2022-07-28T07:43:44.197641Z",
"machine_boottime": "2022-06-28T14:18:31Z",
"osbuild": 20348,
"osid": "00454-40000-00001-AA596",
"osmajor": 10,
"osminor": 0,
"osproducttype": "Windows Server 2022 Standard Evaluation",
"ostype": "windows",
"osversion": "10.0.20348",
"policy": {
"binary_download_enabled": true,
"description": "",
"hibou_minimum_level": "critical",
"hibou_mode": 0,
"hibou_skip_signed_ms": false,
"hibou_skip_signed_others": false,
"hlai_minimum_level": "critical",
"hlai_mode": 1,
"hlai_skip_signed_ms": true,
"hlai_skip_signed_others": false,
"id": "e96699ef-3dd9-4718-90ef-c7e5646fd466",
"ioc_mode": 2,
"ioc_ruleset": null,
"loglevel": "ERROR",
"name": "No psexec",
"ransomguard_alert_only": false,
"revision": 5,
"self_protection": false,
"sigma_ruleset": 1,
"sleepjitter": 10,
"sleeptime": 60,
"telemetry_alerts_limit": false,
"telemetry_alerts_limit_value": 1000,
"telemetry_log": true,
"telemetry_log_limit": false,
"telemetry_log_limit_value": 1000,
"telemetry_network": true,
"telemetry_network_limit": false,
"telemetry_network_limit_value": 1000,
"telemetry_process": true,
"telemetry_process_limit": false,
"telemetry_process_limit_value": 1000,
"telemetry_remotethread": true,
"telemetry_remotethread_limit": false,
"telemetry_remotethread_limit_value": 1000,
"tenant": null,
"use_driver": true,
"use_isolation": true,
"use_process_block": true,
"use_ransomguard": true,
"use_sigma": true,
"use_sigma_process_block": false,
"yara_mode": 1,
"yara_ruleset": null,
"yara_skip_signed_ms": true,
"yara_skip_signed_others": false
},
"producttype": "server",
"servicepack": null,
"starttime": "2022-06-28T14:18:47Z",
"status": "online",
"tenant": null,
"total_memory": 2133962752,
"uninstall_status": 0,
"update_experimental": false,
"update_status": 0,
"version": "2.15.0"
}
}
}

Human Readable Output#

Endpoint information for agent_id : 0fae71cf-ebde-4533-a50c-b3c0290378db#

additional_infoavg_cpuavg_memorybitnesscpu_countcpu_frequencydomainnamedriver_enableddriver_policyeffective_policy_ideffective_policy_revisionexternal_ipaddressfirstseengroup_counthostnameidinstalldateipaddressipmaskisolation_policyisolation_statelastseenlastseen_errorlastseen_warningmachine_boottimeosbuildosidosmajorosminorosproducttypeostypeosversionpolicyproducttypestarttimestatustotal_memoryuninstall_statusupdate_experimentalupdate_statusversion
additional_info1: null
additional_info2: null
additional_info3: null
additional_info4: null		1.0183558144.0x6423192WORKGROUPtruefalsee96699ef-3dd9-4718-90ef-c7e5646fd4665(REDACTED)2022-06-15T06:42:50.008015Z0DC-010fae71cf-ebde-4533-a50c-b3c0290378db2022/06/15 06:38:58(REDACTED)(REDACTED)falsetrue2022-07-28T07:41:32.197641Z2022-07-28T07:47:02.197641Z2022-07-28T07:43:44.197641Z2022-06-28T14:18:31Z2034800454-40000-00001-AA596100Windows Server 2022 Standard Evaluationwindows10.0.20348id: e96699ef-3dd9-4718-90ef-c7e5646fd466
tenant: null
name: No psexec
description:
revision: 5
sleeptime: 60
sleepjitter: 10
telemetry_process: true
telemetry_process_limit: false
telemetry_process_limit_value: 1000
telemetry_network: true
telemetry_network_limit: false
telemetry_network_limit_value: 1000
telemetry_log: true
telemetry_log_limit: false
telemetry_log_limit_value: 1000
telemetry_remotethread: true
telemetry_remotethread_limit: false
telemetry_remotethread_limit_value: 1000
telemetry_alerts_limit: false
telemetry_alerts_limit_value: 1000
binary_download_enabled: true
loglevel: ERROR
use_sigma: true
ioc_mode: 2
hlai_mode: 1
hlai_skip_signed_ms: true
hlai_skip_signed_others: false
hlai_minimum_level: critical
hibou_mode: 0
hibou_skip_signed_ms: false
hibou_skip_signed_others: false
hibou_minimum_level: critical
yara_mode: 1
yara_skip_signed_ms: true
yara_skip_signed_others: false
use_driver: true
use_isolation: true
use_ransomguard: true
ransomguard_alert_only: false
self_protection: false
use_process_block: true
use_sigma_process_block: false
sigma_ruleset: 1
yara_ruleset: null
ioc_ruleset: null		server2022-06-28T14:18:47Zonline2133962752.00false02.15.0

harfanglab-endpoint-search#

Search for endpoint information from a hostname

Base Command#

harfanglab-endpoint-search

Input#

Argument NameDescriptionRequired
hostnameEndpoint hostname.Optional

Context Output#

PathTypeDescription
Harfanglab.AgentunknownAgent information.
Harfanglab.Agent.idstringagent id (DEPRECATED)
Harfanglab.statusstringStatus (DEPRECATED)

Command example#

!harfanglab-endpoint-search hostname="DC-01"

Context Example#

{
"Harfanglab": {
"Agent": {
"additional_info": {
"additional_info1": null,
"additional_info2": null,
"additional_info3": null,
"additional_info4": null
},
"avg_cpu": 0.6,
"avg_memory": 125627596,
"bitness": "x64",
"cpu_count": 2,
"cpu_frequency": 3192,
"distroid": null,
"dnsdomainname": null,
"domain": null,
"domainname": "WORKGROUP",
"driver_enabled": true,
"driver_policy": false,
"external_ipaddress": "(REDACTED)",
"firstseen": "2022-06-14T22:23:08.393381Z",
"group_count": 0,
"groups": [],
"hostname": "DC-01",
"id": "706d4524-dc2d-4438-bfef-3b620646db7f",
"installdate": "2022/06/14 21:56:49",
"ipaddress": "(REDACTED)",
"ipmask": "(REDACTED)",
"isolation_policy": false,
"isolation_state": false,
"lastseen": "2022-06-15T06:33:46.544505Z",
"lastseen_error": "2022-06-15T06:39:16.544505Z",
"lastseen_warning": "2022-06-15T06:35:58.544505Z",
"machine_boottime": "2022-06-14T22:00:23Z",
"osbuild": 20348,
"osid": "00454-40000-00001-AA081",
"osmajor": 10,
"osminor": 0,
"osproducttype": "Windows Server 2022 Standard Evaluation",
"ostype": "windows",
"osversion": "10.0.20348",
"policy": {
"binary_download_enabled": true,
"description": "",
"hibou_minimum_level": "critical",
"hibou_mode": 0,
"hibou_skip_signed_ms": false,
"hibou_skip_signed_others": false,
"hlai_minimum_level": "critical",
"hlai_mode": 1,
"hlai_skip_signed_ms": true,
"hlai_skip_signed_others": false,
"id": "e96699ef-3dd9-4718-90ef-c7e5646fd466",
"ioc_mode": 2,
"ioc_ruleset": null,
"loglevel": "ERROR",
"name": "No psexec",
"ransomguard_alert_only": false,
"revision": 5,
"self_protection": false,
"sigma_ruleset": 1,
"sleepjitter": 10,
"sleeptime": 60,
"telemetry_alerts_limit": false,
"telemetry_alerts_limit_value": 1000,
"telemetry_log": true,
"telemetry_log_limit": false,
"telemetry_log_limit_value": 1000,
"telemetry_network": true,
"telemetry_network_limit": false,
"telemetry_network_limit_value": 1000,
"telemetry_process": true,
"telemetry_process_limit": false,
"telemetry_process_limit_value": 1000,
"telemetry_remotethread": true,
"telemetry_remotethread_limit": false,
"telemetry_remotethread_limit_value": 1000,
"tenant": null,
"use_driver": true,
"use_isolation": true,
"use_process_block": true,
"use_ransomguard": true,
"use_sigma": true,
"use_sigma_process_block": false,
"yara_mode": 1,
"yara_ruleset": null,
"yara_skip_signed_ms": true,
"yara_skip_signed_others": false
},
"producttype": "server",
"servicepack": null,
"starttime": "2022-06-14T22:02:32Z",
"status": "offline",
"tenant": null,
"total_memory": 2133962752,
"uninstall_status": 0,
"update_experimental": false,
"update_status": 0,
"version": "2.15.0"
}
}
}

Human Readable Output#

Endpoint information for Hostname : DC-01#

additional_infoavg_cpuavg_memorybitnesscpu_countcpu_frequencydomainnamedriver_enableddriver_policyexternal_ipaddressfirstseengroup_counthostnameidinstalldateipaddressipmaskisolation_policyisolation_statelastseenlastseen_errorlastseen_warningmachine_boottimeosbuildosidosmajorosminorosproducttypeostypeosversionpolicyproducttypestarttimestatustotal_memoryuninstall_statusupdate_experimentalupdate_statusversion
additional_info1: null
additional_info2: null
additional_info3: null
additional_info4: null		1.0183558144.0x6423192WORKGROUPtruefalse(REDACTED)2022-06-15T06:42:50.008015Z0DC-010fae71cf-ebde-4533-a50c-b3c0290378db2022/06/15 06:38:58(REDACTED)(REDACTED)falsetrue2022-07-28T07:41:32.197641Z2022-07-28T07:47:02.197641Z2022-07-28T07:43:44.197641Z2022-06-28T14:18:31Z2034800454-40000-00001-AA596100Windows Server 2022 Standard Evaluationwindows10.0.20348id: e96699ef-3dd9-4718-90ef-c7e5646fd466
tenant: null
name: No psexec
description:
revision: 5
sleeptime: 60
sleepjitter: 10
telemetry_process: true
telemetry_process_limit: false
telemetry_process_limit_value: 1000
telemetry_network: true
telemetry_network_limit: false
telemetry_network_limit_value: 1000
telemetry_log: true
telemetry_log_limit: false
telemetry_log_limit_value: 1000
telemetry_remotethread: true
telemetry_remotethread_limit: false
telemetry_remotethread_limit_value: 1000
telemetry_alerts_limit: false
telemetry_alerts_limit_value: 1000
binary_download_enabled: true
loglevel: ERROR
use_sigma: true
ioc_mode: 2
hlai_mode: 1
hlai_skip_signed_ms: true
hlai_skip_signed_others: false
hlai_minimum_level: critical
hibou_mode: 0
hibou_skip_signed_ms: false
hibou_skip_signed_others: false
hibou_minimum_level: critical
yara_mode: 1
yara_skip_signed_ms: true
yara_skip_signed_others: false
use_driver: true
use_isolation: true
use_ransomguard: true
ransomguard_alert_only: false
self_protection: false
use_process_block: true
use_sigma_process_block: false
sigma_ruleset: 1
yara_ruleset: null
ioc_ruleset: null		server2022-06-28T14:18:47Zonline2133962752.00false02.15.0
additional_info1: null
additional_info2: null
additional_info3: null
additional_info4: null		0.6125627596.0x6423192WORKGROUPtruefalse(REDACTED)2022-06-14T22:23:08.393381Z0DC-01706d4524-dc2d-4438-bfef-3b620646db7f2022/06/14 21:56:49(REDACTED)(REDACTED)falsefalse2022-06-15T06:33:46.544505Z2022-06-15T06:39:16.544505Z2022-06-15T06:35:58.544505Z2022-06-14T22:00:23Z2034800454-40000-00001-AA081100Windows Server 2022 Standard Evaluationwindows10.0.20348id: e96699ef-3dd9-4718-90ef-c7e5646fd466
tenant: null
name: No psexec
description:
revision: 5
sleeptime: 60
sleepjitter: 10
telemetry_process: true
telemetry_process_limit: false
telemetry_process_limit_value: 1000
telemetry_network: true
telemetry_network_limit: false
telemetry_network_limit_value: 1000
telemetry_log: true
telemetry_log_limit: false
telemetry_log_limit_value: 1000
telemetry_remotethread: true
telemetry_remotethread_limit: false
telemetry_remotethread_limit_value: 1000
telemetry_alerts_limit: false
telemetry_alerts_limit_value: 1000
binary_download_enabled: true
loglevel: ERROR
use_sigma: true
ioc_mode: 2
hlai_mode: 1
hlai_skip_signed_ms: true
hlai_skip_signed_others: false
hlai_minimum_level: critical
hibou_mode: 0
hibou_skip_signed_ms: false
hibou_skip_signed_others: false
hibou_minimum_level: critical
yara_mode: 1
yara_skip_signed_ms: true
yara_skip_signed_others: false
use_driver: true
use_isolation: true
use_ransomguard: true
ransomguard_alert_only: false
self_protection: false
use_process_block: true
use_sigma_process_block: false
sigma_ruleset: 1
yara_ruleset: null
ioc_ruleset: null		server2022-06-14T22:02:32Zoffline2133962752.00false02.15.0

harfanglab-telemetry-processes#

Search processes

Base Command#

harfanglab-telemetry-processes

Input#

Argument NameDescriptionRequired
hashfilehash to search (md5, sha1, sha256).Optional
hostnameEndpoint hostname.Optional
from_dateStart date (format: YYYY-MM-DDTHH:MM:SS).Optional
to_dateEnd date (format: YYYY-MM-DDTHH:MM:SS).Optional
limitMaximum number of elements to fetch. Default is 100.Optional

Context Output#

PathTypeDescription
Harfanglab.Telemetryprocesses.processesunknownProvides a list of processes
agent.agentidunknownDEPRECATED
current_directoryunknownDEPRECATED
hashes.sha256unknownDEPRECATED

Command example#

!harfanglab-telemetry-processes hostname="DC-01" hash=3541d189d1bd3341a72769d43bf487eaa3b20e80aa04a54550bbfa9a04360db3 limit=5

Context Example#

{
"Harfanglab": {
"Telemetryprocesses": {
"processes": [
{
"commandline": "C:\\Windows\\system32\\sppsvc.exe",
"create date": "2022-07-28T07:28:58.757000Z",
"hostname": "DC-01",
"image name": "C:\\Windows\\System32\\sppsvc.exe",
"integrity level": "System",
"parent commandline": "C:\\Windows\\system32\\services.exe",
"parent image": "C:\\Windows\\System32\\services.exe",
"process name": "sppsvc.exe",
"sha256": "3541d189d1bd3341a72769d43bf487eaa3b20e80aa04a54550bbfa9a04360db3",
"signed": true,
"signer": "Microsoft Windows",
"username": "NT AUTHORITY\\NETWORK SERVICE"
},
{
"commandline": "C:\\Windows\\system32\\sppsvc.exe",
"create date": "2022-07-28T06:58:58.227000Z",
"hostname": "DC-01",
"image name": "C:\\Windows\\System32\\sppsvc.exe",
"integrity level": "System",
"parent commandline": "C:\\Windows\\system32\\services.exe",
"parent image": "C:\\Windows\\System32\\services.exe",
"process name": "sppsvc.exe",
"sha256": "3541d189d1bd3341a72769d43bf487eaa3b20e80aa04a54550bbfa9a04360db3",
"signed": true,
"signer": "Microsoft Windows",
"username": "NT AUTHORITY\\NETWORK SERVICE"
},
{
"commandline": "C:\\Windows\\system32\\sppsvc.exe",
"create date": "2022-07-28T06:28:57.663000Z",
"hostname": "DC-01",
"image name": "C:\\Windows\\System32\\sppsvc.exe",
"integrity level": "System",
"parent commandline": "C:\\Windows\\system32\\services.exe",
"parent image": "C:\\Windows\\System32\\services.exe",
"process name": "sppsvc.exe",
"sha256": "3541d189d1bd3341a72769d43bf487eaa3b20e80aa04a54550bbfa9a04360db3",
"signed": true,
"signer": "Microsoft Windows",
"username": "NT AUTHORITY\\NETWORK SERVICE"
},
{
"commandline": "C:\\Windows\\system32\\sppsvc.exe",
"create date": "2022-07-28T05:58:57.147000Z",
"hostname": "DC-01",
"image name": "C:\\Windows\\System32\\sppsvc.exe",
"integrity level": "System",
"parent commandline": "C:\\Windows\\system32\\services.exe",
"parent image": "C:\\Windows\\System32\\services.exe",
"process name": "sppsvc.exe",
"sha256": "3541d189d1bd3341a72769d43bf487eaa3b20e80aa04a54550bbfa9a04360db3",
"signed": true,
"signer": "Microsoft Windows",
"username": "NT AUTHORITY\\NETWORK SERVICE"
},
{
"commandline": "C:\\Windows\\system32\\sppsvc.exe",
"create date": "2022-07-28T05:28:56.585000Z",
"hostname": "DC-01",
"image name": "C:\\Windows\\System32\\sppsvc.exe",
"integrity level": "System",
"parent commandline": "C:\\Windows\\system32\\services.exe",
"parent image": "C:\\Windows\\System32\\services.exe",
"process name": "sppsvc.exe",
"sha256": "3541d189d1bd3341a72769d43bf487eaa3b20e80aa04a54550bbfa9a04360db3",
"signed": true,
"signer": "Microsoft Windows",
"username": "NT AUTHORITY\\NETWORK SERVICE"
}
]
}
}
}

Human Readable Output#

Processes list#

create datehostnameprocess nameimage namecommandlineintegrity levelparent imageparent commandlineusernamesignedsignersha256
2022-07-28T07:28:58.757000ZDC-01sppsvc.exeC:\Windows\System32\sppsvc.exeC:\Windows\system32\sppsvc.exeSystemC:\Windows\System32\services.exeC:\Windows\system32\services.exeNT AUTHORITY\NETWORK SERVICEtrueMicrosoft Windows3541d189d1bd3341a72769d43bf487eaa3b20e80aa04a54550bbfa9a04360db3
2022-07-28T06:58:58.227000ZDC-01sppsvc.exeC:\Windows\System32\sppsvc.exeC:\Windows\system32\sppsvc.exeSystemC:\Windows\System32\services.exeC:\Windows\system32\services.exeNT AUTHORITY\NETWORK SERVICEtrueMicrosoft Windows3541d189d1bd3341a72769d43bf487eaa3b20e80aa04a54550bbfa9a04360db3
2022-07-28T06:28:57.663000ZDC-01sppsvc.exeC:\Windows\System32\sppsvc.exeC:\Windows\system32\sppsvc.exeSystemC:\Windows\System32\services.exeC:\Windows\system32\services.exeNT AUTHORITY\NETWORK SERVICEtrueMicrosoft Windows3541d189d1bd3341a72769d43bf487eaa3b20e80aa04a54550bbfa9a04360db3
2022-07-28T05:58:57.147000ZDC-01sppsvc.exeC:\Windows\System32\sppsvc.exeC:\Windows\system32\sppsvc.exeSystemC:\Windows\System32\services.exeC:\Windows\system32\services.exeNT AUTHORITY\NETWORK SERVICEtrueMicrosoft Windows3541d189d1bd3341a72769d43bf487eaa3b20e80aa04a54550bbfa9a04360db3
2022-07-28T05:28:56.585000ZDC-01sppsvc.exeC:\Windows\System32\sppsvc.exeC:\Windows\system32\sppsvc.exeSystemC:\Windows\System32\services.exeC:\Windows\system32\services.exeNT AUTHORITY\NETWORK SERVICEtrueMicrosoft Windows3541d189d1bd3341a72769d43bf487eaa3b20e80aa04a54550bbfa9a04360db3

Command example#

!harfanglab-telemetry-processes hostname="DC-01" limit=5

Context Example#

{
"Harfanglab": {
"Telemetryprocesses": {
"processes": [
{
"commandline": "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe /ua /installsource scheduler",
"create date": "2022-07-28T07:45:44.942000Z",
"hostname": "DC-01",
"image name": "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe",
"integrity level": "System",
"parent commandline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p",
"parent image": "C:\\Windows\\System32\\svchost.exe",
"process name": "MicrosoftEdgeUpdate.exe",
"sha256": "bef9dbed290af17cf3f30cc43fc0a94cdadc540f171c25df1363b2e852d0a042",
"signed": true,
"signer": "Microsoft Corporation",
"username": "NT AUTHORITY\\SYSTEM"
},
{
"commandline": "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1",
"create date": "2022-07-28T07:45:44.711000Z",
"hostname": "DC-01",
"image name": "C:\\Windows\\System32\\conhost.exe",
"integrity level": "System",
"parent commandline": "C:\\Program Files\\HarfangLab\\hurukai.exe {cf4a9162-2af0-0afe-8c36-45fd3dd29574}",
"parent image": "C:\\Program Files\\HarfangLab\\hurukai.exe",
"process name": "conhost.exe",
"sha256": "6b481d656414c50d8bd0bedcd615aeaf2f5f68576cb6732a9548e0da87729733",
"signed": true,
"signer": "Microsoft Windows",
"username": "NT AUTHORITY\\SYSTEM"
},
{
"commandline": "C:\\Program Files\\HarfangLab\\hurukai.exe {cf4a9162-2af0-0afe-8c36-45fd3dd29574}",
"create date": "2022-07-28T07:45:44.704000Z",
"hostname": "DC-01",
"image name": "C:\\Program Files\\HarfangLab\\hurukai.exe",
"integrity level": "System",
"parent commandline": "C:\\Program Files\\HarfangLab\\hurukai.exe",
"parent image": "C:\\Program Files\\HarfangLab\\hurukai.exe",
"process name": "hurukai.exe",
"sha256": "9d81d385fe2f41e8f4f96d64a37899003b54a644ba67f7197f0cdbd0b71144f0",
"signed": true,
"signer": "HARFANGLAB SAS",
"username": "NT AUTHORITY\\SYSTEM"
},
{
"commandline": "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1",
"create date": "2022-07-28T07:44:40.370000Z",
"hostname": "DC-01",
"image name": "C:\\Windows\\System32\\conhost.exe",
"integrity level": "System",
"parent commandline": "C:\\Program Files\\HarfangLab\\hurukai.exe {e273729b-d2f8-53a9-a10f-a60459dacc23}",
"parent image": "C:\\Program Files\\HarfangLab\\hurukai.exe",
"process name": "conhost.exe",
"sha256": "6b481d656414c50d8bd0bedcd615aeaf2f5f68576cb6732a9548e0da87729733",
"signed": true,
"signer": "Microsoft Windows",
"username": "NT AUTHORITY\\SYSTEM"
},
{
"commandline": "C:\\Program Files\\HarfangLab\\hurukai.exe {e273729b-d2f8-53a9-a10f-a60459dacc23}",
"create date": "2022-07-28T07:44:40.363000Z",
"hostname": "DC-01",
"image name": "C:\\Program Files\\HarfangLab\\hurukai.exe",
"integrity level": "System",
"parent commandline": "C:\\Program Files\\HarfangLab\\hurukai.exe",
"parent image": "C:\\Program Files\\HarfangLab\\hurukai.exe",
"process name": "hurukai.exe",
"sha256": "9d81d385fe2f41e8f4f96d64a37899003b54a644ba67f7197f0cdbd0b71144f0",
"signed": true,
"signer": "HARFANGLAB SAS",
"username": "NT AUTHORITY\\SYSTEM"
}
]
}
}
}

Human Readable Output#

Processes list#

create datehostnameprocess nameimage namecommandlineintegrity levelparent imageparent commandlineusernamesignedsignersha256
2022-07-28T07:45:44.942000ZDC-01MicrosoftEdgeUpdate.exeC:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exeC:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe /ua /installsource schedulerSystemC:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -pNT AUTHORITY\SYSTEMtrueMicrosoft Corporationbef9dbed290af17cf3f30cc43fc0a94cdadc540f171c25df1363b2e852d0a042
2022-07-28T07:45:44.711000ZDC-01conhost.exeC:\Windows\System32\conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1SystemC:\Program Files\HarfangLab\hurukai.exeC:\Program Files\HarfangLab\hurukai.exe {cf4a9162-2af0-0afe-8c36-45fd3dd29574}NT AUTHORITY\SYSTEMtrueMicrosoft Windows6b481d656414c50d8bd0bedcd615aeaf2f5f68576cb6732a9548e0da87729733
2022-07-28T07:45:44.704000ZDC-01hurukai.exeC:\Program Files\HarfangLab\hurukai.exeC:\Program Files\HarfangLab\hurukai.exe {cf4a9162-2af0-0afe-8c36-45fd3dd29574}SystemC:\Program Files\HarfangLab\hurukai.exeC:\Program Files\HarfangLab\hurukai.exeNT AUTHORITY\SYSTEMtrueHARFANGLAB SAS9d81d385fe2f41e8f4f96d64a37899003b54a644ba67f7197f0cdbd0b71144f0
2022-07-28T07:44:40.370000ZDC-01conhost.exeC:\Windows\System32\conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1SystemC:\Program Files\HarfangLab\hurukai.exeC:\Program Files\HarfangLab\hurukai.exe {e273729b-d2f8-53a9-a10f-a60459dacc23}NT AUTHORITY\SYSTEMtrueMicrosoft Windows6b481d656414c50d8bd0bedcd615aeaf2f5f68576cb6732a9548e0da87729733
2022-07-28T07:44:40.363000ZDC-01hurukai.exeC:\Program Files\HarfangLab\hurukai.exeC:\Program Files\HarfangLab\hurukai.exe {e273729b-d2f8-53a9-a10f-a60459dacc23}SystemC:\Program Files\HarfangLab\hurukai.exeC:\Program Files\HarfangLab\hurukai.exeNT AUTHORITY\SYSTEMtrueHARFANGLAB SAS9d81d385fe2f41e8f4f96d64a37899003b54a644ba67f7197f0cdbd0b71144f0

Command example#

!harfanglab-telemetry-processes hash=3541d189d1bd3341a72769d43bf487eaa3b20e80aa04a54550bbfa9a04360db3 limit=5

Context Example#

{
"Harfanglab": {
"Telemetryprocesses": {
"processes": [
{
"commandline": "C:\\Windows\\system32\\sppsvc.exe",
"create date": "2022-07-28T07:46:16.086000Z",
"hostname": "WEBSERVER",
"image name": "C:\\Windows\\System32\\sppsvc.exe",
"integrity level": "System",
"parent commandline": "C:\\Windows\\system32\\services.exe",
"parent image": "C:\\Windows\\System32\\services.exe",
"process name": "sppsvc.exe",
"sha256": "3541d189d1bd3341a72769d43bf487eaa3b20e80aa04a54550bbfa9a04360db3",
"signed": true,
"signer": "Microsoft Windows",
"username": "NT AUTHORITY\\NETWORK SERVICE"
},
{
"commandline": "C:\\Windows\\system32\\sppsvc.exe",
"create date": "2022-07-28T07:29:25.127000Z",
"hostname": "WEBSERVER",
"image name": "C:\\Windows\\System32\\sppsvc.exe",
"integrity level": "System",
"parent commandline": "C:\\Windows\\system32\\services.exe",
"parent image": "C:\\Windows\\System32\\services.exe",
"process name": "sppsvc.exe",
"sha256": "3541d189d1bd3341a72769d43bf487eaa3b20e80aa04a54550bbfa9a04360db3",
"signed": true,
"signer": "Microsoft Windows",
"username": "NT AUTHORITY\\NETWORK SERVICE"
},
{
"commandline": "C:\\Windows\\system32\\sppsvc.exe",
"create date": "2022-07-28T07:28:58.757000Z",
"hostname": "DC-01",
"image name": "C:\\Windows\\System32\\sppsvc.exe",
"integrity level": "System",
"parent commandline": "C:\\Windows\\system32\\services.exe",
"parent image": "C:\\Windows\\System32\\services.exe",
"process name": "sppsvc.exe",
"sha256": "3541d189d1bd3341a72769d43bf487eaa3b20e80aa04a54550bbfa9a04360db3",
"signed": true,
"signer": "Microsoft Windows",
"username": "NT AUTHORITY\\NETWORK SERVICE"
},
{
"commandline": "C:\\Windows\\system32\\sppsvc.exe",
"create date": "2022-07-28T06:59:24.716000Z",
"hostname": "WEBSERVER",
"image name": "C:\\Windows\\System32\\sppsvc.exe",
"integrity level": "System",
"parent commandline": "C:\\Windows\\system32\\services.exe",
"parent image": "C:\\Windows\\System32\\services.exe",
"process name": "sppsvc.exe",
"sha256": "3541d189d1bd3341a72769d43bf487eaa3b20e80aa04a54550bbfa9a04360db3",
"signed": true,
"signer": "Microsoft Windows",
"username": "NT AUTHORITY\\NETWORK SERVICE"
},
{
"commandline": "C:\\Windows\\system32\\sppsvc.exe",
"create date": "2022-07-28T06:58:58.227000Z",
"hostname": "DC-01",
"image name": "C:\\Windows\\System32\\sppsvc.exe",
"integrity level": "System",
"parent commandline": "C:\\Windows\\system32\\services.exe",
"parent image": "C:\\Windows\\System32\\services.exe",
"process name": "sppsvc.exe",
"sha256": "3541d189d1bd3341a72769d43bf487eaa3b20e80aa04a54550bbfa9a04360db3",
"signed": true,
"signer": "Microsoft Windows",
"username": "NT AUTHORITY\\NETWORK SERVICE"
}
]
}
}
}

Human Readable Output#

Processes list#

create datehostnameprocess nameimage namecommandlineintegrity levelparent imageparent commandlineusernamesignedsignersha256
2022-07-28T07:46:16.086000ZWEBSERVERsppsvc.exeC:\Windows\System32\sppsvc.exeC:\Windows\system32\sppsvc.exeSystemC:\Windows\System32\services.exeC:\Windows\system32\services.exeNT AUTHORITY\NETWORK SERVICEtrueMicrosoft Windows3541d189d1bd3341a72769d43bf487eaa3b20e80aa04a54550bbfa9a04360db3
2022-07-28T07:29:25.127000ZWEBSERVERsppsvc.exeC:\Windows\System32\sppsvc.exeC:\Windows\system32\sppsvc.exeSystemC:\Windows\System32\services.exeC:\Windows\system32\services.exeNT AUTHORITY\NETWORK SERVICEtrueMicrosoft Windows3541d189d1bd3341a72769d43bf487eaa3b20e80aa04a54550bbfa9a04360db3
2022-07-28T07:28:58.757000ZDC-01sppsvc.exeC:\Windows\System32\sppsvc.exeC:\Windows\system32\sppsvc.exeSystemC:\Windows\System32\services.exeC:\Windows\system32\services.exeNT AUTHORITY\NETWORK SERVICEtrueMicrosoft Windows3541d189d1bd3341a72769d43bf487eaa3b20e80aa04a54550bbfa9a04360db3
2022-07-28T06:59:24.716000ZWEBSERVERsppsvc.exeC:\Windows\System32\sppsvc.exeC:\Windows\system32\sppsvc.exeSystemC:\Windows\System32\services.exeC:\Windows\system32\services.exeNT AUTHORITY\NETWORK SERVICEtrueMicrosoft Windows3541d189d1bd3341a72769d43bf487eaa3b20e80aa04a54550bbfa9a04360db3
2022-07-28T06:58:58.227000ZDC-01sppsvc.exeC:\Windows\System32\sppsvc.exeC:\Windows\system32\sppsvc.exeSystemC:\Windows\System32\services.exeC:\Windows\system32\services.exeNT AUTHORITY\NETWORK SERVICEtrueMicrosoft Windows3541d189d1bd3341a72769d43bf487eaa3b20e80aa04a54550bbfa9a04360db3

Command example#

!harfanglab-telemetry-processes hostname="DC-01" from_date="2022-07-22T20:26:10" to_date="2022-07-22T20:26:20" limit=5

Context Example#

{
"Harfanglab": {
"Telemetryprocesses": {
"processes": [
{
"commandline": "C:\\Windows\\system32\\sppsvc.exe",
"create date": "2022-07-22T20:26:19.645000Z",
"hostname": "DC-01",
"image name": "C:\\Windows\\System32\\sppsvc.exe",
"integrity level": "System",
"parent commandline": "C:\\Windows\\system32\\services.exe",
"parent image": "C:\\Windows\\System32\\services.exe",
"process name": "sppsvc.exe",
"sha256": "3541d189d1bd3341a72769d43bf487eaa3b20e80aa04a54550bbfa9a04360db3",
"signed": true,
"signer": "Microsoft Windows",
"username": "NT AUTHORITY\\NETWORK SERVICE"
}
]
}
}
}

Human Readable Output#

Processes list#

create datehostnameprocess nameimage namecommandlineintegrity levelparent imageparent commandlineusernamesignedsignersha256
2022-07-22T20:26:19.645000ZDC-01sppsvc.exeC:\Windows\System32\sppsvc.exeC:\Windows\system32\sppsvc.exeSystemC:\Windows\System32\services.exeC:\Windows\system32\services.exeNT AUTHORITY\NETWORK SERVICEtrueMicrosoft Windows3541d189d1bd3341a72769d43bf487eaa3b20e80aa04a54550bbfa9a04360db3

harfanglab-job-pipelist#

Start a job to get the list of pipes from a host (Windows)

Base Command#

harfanglab-job-pipelist

Input#

Argument NameDescriptionRequired
agent_idAgent unique identifier as provided by the HarfangLab EDR Manager.Required

Context Output#

PathTypeDescription
Harfanglab.Job.IDstringid
Harfanglab.Job.ActionstringHarfangLab job action

Command example#

!harfanglab-job-pipelist agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db"

Context Example#

{
"Harfanglab": {
"Job": {
"Action": "getPipeList",
"ID": "974d7732-481b-444e-8f30-37db662d23d5"
}
}
}

Human Readable Output#

{
"Action": "getPipeList",
"ID": "974d7732-481b-444e-8f30-37db662d23d5"
}

harfanglab-job-artifact-downloadfile#

Start a job to download a file from a host (Windows / Linux)

Base Command#

harfanglab-job-artifact-downloadfile

Input#

Argument NameDescriptionRequired
agent_idAgent unique identifier as provided by the HarfangLab EDR Manager.Required
filenamePath of the file to download.Required

Context Output#

PathTypeDescription
Harfanglab.Job.IDstringid
Harfanglab.Job.ActionstringHarfangLab job action

Command example#

!harfanglab-job-artifact-downloadfile agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db" filename="C:\\Program Files\\HarfangLab\\agent.ini"

Context Example#

{
"Harfanglab": {
"Job": {
"Action": "downloadFile",
"ID": "7c5a2c3c-0455-4b4e-a7ee-acf7737f86f8"
}
}
}

Human Readable Output#

{
"Action": "downloadFile",
"ID": "7c5a2c3c-0455-4b4e-a7ee-acf7737f86f8"
}

harfanglab-job-prefetchlist#

Start a job to get the list of prefetches from a host (Windows)

Base Command#

harfanglab-job-prefetchlist

Input#

Argument NameDescriptionRequired
agent_idAgent unique identifier as provided by the HarfangLab EDR Manager.Required

Context Output#

PathTypeDescription
Harfanglab.Job.IDstringid
Harfanglab.Job.ActionstringHarfangLab job action

Command example#

!harfanglab-job-prefetchlist agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db"

Context Example#

{
"Harfanglab": {
"Job": {
"Action": "getPrefetch",
"ID": "153d0791-7eef-4d7e-b1be-61fec1e5a140"
}
}
}

Human Readable Output#

{
"Action": "getPrefetch",
"ID": "153d0791-7eef-4d7e-b1be-61fec1e5a140"
}

harfanglab-job-runkeylist#

Start a job to get the list of run keys from a host (Windows)

Base Command#

harfanglab-job-runkeylist

Input#

Argument NameDescriptionRequired
agent_idAgent unique identifier as provided by the HarfangLab EDR Manager.Required

Context Output#

PathTypeDescription
Harfanglab.Job.IDstringid
Harfanglab.Job.ActionstringHarfangLab job action

Command example#

!harfanglab-job-runkeylist agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db"

Context Example#

{
"Harfanglab": {
"Job": {
"Action": "getHives",
"ID": "eadc130a-fa7f-41e6-a1bb-e9022b232b32"
}
}
}

Human Readable Output#

{
"Action": "getHives",
"ID": "eadc130a-fa7f-41e6-a1bb-e9022b232b32"
}

harfanglab-job-scheduledtasklist#

Start a job to get the list of scheduled tasks from a host (Windows)

Base Command#

harfanglab-job-scheduledtasklist

Input#

Argument NameDescriptionRequired
agent_idAgent unique identifier as provided by the HarfangLab EDR Manager.Required

Context Output#

PathTypeDescription
Harfanglab.Job.IDstringid
Harfanglab.Job.ActionstringHarfangLab job action

Command example#

!harfanglab-job-scheduledtasklist agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db"

Context Example#

{
"Harfanglab": {
"Job": {
"Action": "getScheduledTasks",
"ID": "e81e3105-5f8e-4caf-9947-b252721b4196"
}
}
}

Human Readable Output#

{
"Action": "getScheduledTasks",
"ID": "e81e3105-5f8e-4caf-9947-b252721b4196"
}

harfanglab-job-driverlist#

Start a job to get the list of drivers from a host (Windows)

Base Command#

harfanglab-job-driverlist

Input#

Argument NameDescriptionRequired
agent_idAgent unique identifier as provided by the HarfangLab EDR Manager.Required

Context Output#

PathTypeDescription
Harfanglab.Job.IDstringid
Harfanglab.Job.ActionstringHarfangLab job action

Command example#

!harfanglab-job-driverlist agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db"

Context Example#

{
"Harfanglab": {
"Job": {
"Action": "getLoadedDriverList",
"ID": "a4ce02be-38f0-4782-8d2d-0da99fd318db"
}
}
}

Human Readable Output#

{
"Action": "getLoadedDriverList",
"ID": "a4ce02be-38f0-4782-8d2d-0da99fd318db"
}

harfanglab-job-servicelist#

Start a job to get the list of services from a host (Windows)

Base Command#

harfanglab-job-servicelist

Input#

Argument NameDescriptionRequired
agent_idAgent unique identifier as provided by the HarfangLab EDR Manager.Required

Context Output#

PathTypeDescription
Harfanglab.Job.IDstringid
Harfanglab.Job.ActionstringHarfangLab job action

Command example#

!harfanglab-job-servicelist agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db"

Context Example#

{
"Harfanglab": {
"Job": {
"Action": "getHives",
"ID": "fcd8d44c-109f-43e9-8b9a-7268121a46a7"
}
}
}

Human Readable Output#

{
"Action": "getHives",
"ID": "fcd8d44c-109f-43e9-8b9a-7268121a46a7"
}

harfanglab-job-processlist#

Start a job to get the list of processes from a host (Windows / Linux)

Base Command#

harfanglab-job-processlist

Input#

Argument NameDescriptionRequired
agent_idAgent unique identifier as provided by the HarfangLab EDR Manager.Required

Context Output#

PathTypeDescription
Harfanglab.Job.IDstringid
Harfanglab.Job.ActionstringHarfangLab job action

Command example#

!harfanglab-job-processlist agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db"

Context Example#

{
"Harfanglab": {
"Job": {
"Action": "getProcessList",
"ID": "45696894-17c5-4304-9198-9084aa1f6847"
}
}
}

Human Readable Output#

{
"Action": "getProcessList",
"ID": "45696894-17c5-4304-9198-9084aa1f6847"
}

harfanglab-job-networkconnectionlist#

Start a job to get the list of network connections from a host (Windows / Linux)

Base Command#

harfanglab-job-networkconnectionlist

Input#

Argument NameDescriptionRequired
agent_idAgent unique identifier as provided by the HarfangLab EDR Manager.Required

Context Output#

PathTypeDescription
Harfanglab.Job.IDstringid
Harfanglab.Job.ActionstringHarfangLab job action

Command example#

!harfanglab-job-networkconnectionlist agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db"

Context Example#

{
"Harfanglab": {
"Job": {
"Action": "getProcessList",
"ID": "ac1cbd6c-ac39-4940-8c4b-85071be7c878"
}
}
}

Human Readable Output#

{
"Action": "getProcessList",
"ID": "ac1cbd6c-ac39-4940-8c4b-85071be7c878"
}

harfanglab-job-networksharelist#

Start a job to get the list of network shares from a host (Windows)

Base Command#

harfanglab-job-networksharelist

Input#

Argument NameDescriptionRequired
agent_idAgent unique identifier as provided by the HarfangLab EDR Manager.Required

Context Output#

PathTypeDescription
Harfanglab.Job.IDstringid
Harfanglab.Job.ActionstringHarfangLab job action

Command example#

!harfanglab-job-networksharelist agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db"

Context Example#

{
"Harfanglab": {
"Job": {
"Action": "getNetworkShare",
"ID": "b663d820-029b-414d-8bf3-5c7b973c7954"
}
}
}

Human Readable Output#

{
"Action": "getNetworkShare",
"ID": "b663d820-029b-414d-8bf3-5c7b973c7954"
}

harfanglab-job-sessionlist#

Start a job to get the list of sessions from a host (Windows)

Base Command#

harfanglab-job-sessionlist

Input#

Argument NameDescriptionRequired
agent_idAgent unique identifier as provided by the HarfangLab EDR Manager.Required

Context Output#

PathTypeDescription
Harfanglab.Job.IDstringid
Harfanglab.Job.ActionstringHarfangLab job action

Command example#

!harfanglab-job-sessionlist agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db"

Context Example#

{
"Harfanglab": {
"Job": {
"Action": "getSessions",
"ID": "2b48e4aa-fa28-4b21-b1a7-f70bde1c59c7"
}
}
}

Human Readable Output#

{
"Action": "getSessions",
"ID": "2b48e4aa-fa28-4b21-b1a7-f70bde1c59c7"
}

harfanglab-job-persistencelist#

Start a job to get the list of persistence items from a host (Linux)

Base Command#

harfanglab-job-persistencelist

Input#

Argument NameDescriptionRequired
agent_idAgent unique identifier as provided by the HarfangLab EDR Manager.Required

Context Output#

PathTypeDescription
Harfanglab.Job.IDstringid
Harfanglab.Job.ActionstringHarfangLab job action

Command example#

!harfanglab-job-persistencelist agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db"

Context Example#

{
"Harfanglab": {
"Job": {
"Action": "persistanceScanner",
"ID": "30a54484-c359-4220-bb5c-6e07c7a9359e"
}
}
}

Human Readable Output#

{
"Action": "persistanceScanner",
"ID": "30a54484-c359-4220-bb5c-6e07c7a9359e"
}

harfanglab-job-ioc#

Start a job to search for IOCs on a host (Windows / Linux)

Base Command#

harfanglab-job-ioc

Input#

Argument NameDescriptionRequired
agent_idAgent unique identifier as provided by the HarfangLab EDR Manager.Required
filenameexact filename to search.Optional
filepathexact filepath to search.Optional
hashfilehash to search (md5, sha1, sha256).Optional
search_in_pathrestrict searchs for filename or filepath or filepath_regex to a given path.Optional
hash_filesizesize of the file associated to the 'hash' parameters (DEPRECATED, rather use the 'filesize' parameter). If known, it will speed up the search process.Optional
filesizesize of the file to search (can be used when searching a file from a hash or from a filename). If known, it will speed up the search process.Optional
registryregex to search in registry (key or value).Optional
filepath_regexsearch a regex on a filepath .Optional

Context Output#

PathTypeDescription
Harfanglab.Job.IDstringid
Harfanglab.Job.ActionstringHarfangLab job action

Command example#

!harfanglab-job-ioc agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db" filename="agent.ini"

Context Example#

{
"Harfanglab": {
"Job": {
"Action": "IOCScan",
"ID": "0751d384-601a-40a4-afc6-7574f80f72bf"
}
}
}

Human Readable Output#

{
"Action": "IOCScan",
"ID": "0751d384-601a-40a4-afc6-7574f80f72bf"
}

Command example#

!harfanglab-job-ioc agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db" filename="agent.ini" search_in_path="C:\\Program Files"

Context Example#

{
"Harfanglab": {
"Job": {
"Action": "IOCScan",
"ID": "56a9b602-e6e5-4130-8b51-861a383f42bc"
}
}
}

Human Readable Output#

{
"Action": "IOCScan",
"ID": "56a9b602-e6e5-4130-8b51-861a383f42bc"
}

Command example#

!harfanglab-job-ioc agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db" filename="agent.ini" filesize=1688

Context Example#

{
"Harfanglab": {
"Job": {
"Action": "IOCScan",
"ID": "1e68fb44-843e-445b-a926-755da0ce2321"
}
}
}

Human Readable Output#

{
"Action": "IOCScan",
"ID": "1e68fb44-843e-445b-a926-755da0ce2321"
}

Command example#

!harfanglab-job-ioc agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db" filepath="C:\\windows\\system32\\calc.exe"

Context Example#

{
"Harfanglab": {
"Job": {
"Action": "IOCScan",
"ID": "f78d2479-9651-488f-9b94-e9019b918b26"
}
}
}

Human Readable Output#

{
"Action": "IOCScan",
"ID": "f78d2479-9651-488f-9b94-e9019b918b26"
}

Command example#

!harfanglab-job-ioc agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db" filepath_regex="System32\\\\calc\\.exe"

Context Example#

{
"Harfanglab": {
"Job": {
"Action": "IOCScan",
"ID": "cbe0239e-3297-4cbb-a06b-75df2f5608d2"
}
}
}

Human Readable Output#

{
"Action": "IOCScan",
"ID": "cbe0239e-3297-4cbb-a06b-75df2f5608d2"
}

Command example#

!harfanglab-job-ioc agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db" hash=4208893c871d2499f184e3f0f2554da89f451fa9e98d95fc9516c5ae8f2b3bbd filesize=45056

Context Example#

{
"Harfanglab": {
"Job": {
"Action": "IOCScan",
"ID": "574b6d2a-4621-4883-bd0e-7bf603566a94"
}
}
}

Human Readable Output#

{
"Action": "IOCScan",
"ID": "574b6d2a-4621-4883-bd0e-7bf603566a94"
}

Command example#

!harfanglab-job-ioc agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db" registry="DLLPath"

Context Example#

{
"Harfanglab": {
"Job": {
"Action": "IOCScan",
"ID": "b69dd316-4c47-479a-bd0f-46bfedd01180"
}
}
}

Human Readable Output#

{
"Action": "IOCScan",
"ID": "b69dd316-4c47-479a-bd0f-46bfedd01180"
}

Command example#

!harfanglab-job-ioc agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db" registry="hmmapi"

Context Example#

{
"Harfanglab": {
"Job": {
"Action": "IOCScan",
"ID": "89290f68-33a1-4335-a221-5bc163fa1270"
}
}
}

Human Readable Output#

{
"Action": "IOCScan",
"ID": "89290f68-33a1-4335-a221-5bc163fa1270"
}

harfanglab-job-startuplist#

Start a job to get the list of startup items from a host (Windows)

Base Command#

harfanglab-job-startuplist

Input#

Argument NameDescriptionRequired
agent_idAgent unique identifier as provided by the HarfangLab EDR Manager.Required

Context Output#

PathTypeDescription
Harfanglab.Job.IDstringid
Harfanglab.Job.ActionstringHarfangLab job action

Command example#

!harfanglab-job-startuplist agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db"

Context Example#

{
"Harfanglab": {
"Job": {
"Action": "getStartupFileList",
"ID": "d9d6b338-75ce-4ab6-8223-531e29c07ae6"
}
}
}

Human Readable Output#

{
"Action": "getStartupFileList",
"ID": "d9d6b338-75ce-4ab6-8223-531e29c07ae6"
}

harfanglab-job-wmilist#

Start a job to get the list of WMI items from a host (Windows)

Base Command#

harfanglab-job-wmilist

Input#

Argument NameDescriptionRequired
agent_idAgent unique identifier as provided by the HarfangLab EDR Manager.Required

Context Output#

PathTypeDescription
Harfanglab.Job.IDstringid
Harfanglab.Job.ActionstringHarfangLab job action

Command example#

!harfanglab-job-wmilist agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db"

Context Example#

{
"Harfanglab": {
"Job": {
"Action": "getWMI",
"ID": "e51124be-7720-4a0d-868f-3521a5ce0e9f"
}
}
}

Human Readable Output#

{
"Action": "getWMI",
"ID": "e51124be-7720-4a0d-868f-3521a5ce0e9f"
}

harfanglab-job-artifact-mft#

Start a job to download the MFT from a host (Windows)

Base Command#

harfanglab-job-artifact-mft

Input#

Argument NameDescriptionRequired
agent_idAgent unique identifier as provided by the HarfangLab EDR Manager.Required

Context Output#

PathTypeDescription
Harfanglab.Job.IDstringid
Harfanglab.Job.ActionstringHarfangLab job action

Command example#

!harfanglab-job-artifact-mft agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db"

Context Example#

{
"Harfanglab": {
"Job": {
"Action": "collectRAWEvidences",
"ID": "57c3da8c-a68f-4f1d-b521-cd811e97f62b"
}
}
}

Human Readable Output#

{
"Action": "collectRAWEvidences",
"ID": "57c3da8c-a68f-4f1d-b521-cd811e97f62b"
}

harfanglab-job-artifact-hives#

Start a job to download the hives from a host (Windows)

Base Command#

harfanglab-job-artifact-hives

Input#

Argument NameDescriptionRequired
agent_idAgent unique identifier as provided by the HarfangLab EDR Manager.Required

Context Output#

PathTypeDescription
Harfanglab.Job.IDstringid
Harfanglab.Job.ActionstringHarfangLab job action

Command example#

!harfanglab-job-artifact-hives agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db"

Context Example#

{
"Harfanglab": {
"Job": {
"Action": "collectRAWEvidences",
"ID": "36bc0da2-a557-4576-af8e-344d91364c70"
}
}
}

Human Readable Output#

{
"Action": "collectRAWEvidences",
"ID": "36bc0da2-a557-4576-af8e-344d91364c70"
}

harfanglab-job-artifact-evtx#

Start a job to download the event logs from a host (Windows)

Base Command#

harfanglab-job-artifact-evtx

Input#

Argument NameDescriptionRequired
agent_idAgent unique identifier as provided by the HarfangLab EDR Manager.Required

Context Output#

PathTypeDescription
Harfanglab.Job.IDstringid
Harfanglab.Job.ActionstringHarfangLab job action

Command example#

!harfanglab-job-artifact-evtx agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db"

Context Example#

{
"Harfanglab": {
"Job": {
"Action": "collectRAWEvidences",
"ID": "707ab8c7-e2e9-4921-ad1e-0823def79d83"
}
}
}

Human Readable Output#

{
"Action": "collectRAWEvidences",
"ID": "707ab8c7-e2e9-4921-ad1e-0823def79d83"
}

harfanglab-job-artifact-logs#

Start a job to download Linux log files from a host (Linux)

Base Command#

harfanglab-job-artifact-logs

Input#

Argument NameDescriptionRequired
agent_idAgent unique identifier as provided by the HarfangLab EDR Manager.Required

Context Output#

PathTypeDescription
Harfanglab.Job.IDstringid
Harfanglab.Job.ActionstringHarfangLab job action

Command example#

!harfanglab-job-artifact-logs agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db"

Context Example#

{
"Harfanglab": {
"Job": {
"Action": "collectRAWEvidences",
"ID": "8989756f-1947-4fd1-9734-8fecb58d6f64"
}
}
}

Human Readable Output#

{
"Action": "collectRAWEvidences",
"ID": "8989756f-1947-4fd1-9734-8fecb58d6f64"
}

harfanglab-job-artifact-filesystem#

Start a job to download Linux filesystem entries from a host (Linux)

Base Command#

harfanglab-job-artifact-filesystem

Input#

Argument NameDescriptionRequired
agent_idAgent unique identifier as provided by the HarfangLab EDR Manager.Required

Context Output#

PathTypeDescription
Harfanglab.Job.IDstringid
Harfanglab.Job.ActionstringHarfangLab job action

Command example#

!harfanglab-job-artifact-filesystem agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db"

Context Example#

{
"Harfanglab": {
"Job": {
"Action": "collectRAWEvidences",
"ID": "d351e9be-3f0e-4ccc-876f-8b28f208ffa7"
}
}
}

Human Readable Output#

{
"Action": "collectRAWEvidences",
"ID": "d351e9be-3f0e-4ccc-876f-8b28f208ffa7"
}

harfanglab-job-artifact-all#

Start a job to download all artifacts from a host (Windows MFT, Hives, evt/evtx, Prefetch, USN, Linux logs and file list)

Base Command#

harfanglab-job-artifact-all

Input#

Argument NameDescriptionRequired
agent_idAgent unique identifier as provided by the HarfangLab EDR Manager.Required

Context Output#

PathTypeDescription
Harfanglab.Job.IDstringid
Harfanglab.Job.ActionstringHarfangLab job action

Command example#

!harfanglab-job-artifact-all agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db"

Context Example#

{
"Harfanglab": {
"Job": {
"Action": "collectRAWEvidences",
"ID": "312a3857-935c-4b23-9d58-cc29bb9dda18"
}
}
}

Human Readable Output#

{
"Action": "collectRAWEvidences",
"ID": "312a3857-935c-4b23-9d58-cc29bb9dda18"
}

harfanglab-job-artifact-ramdump#

Start a job to get the entine RAM from a host (Windows / Linux)

Base Command#

harfanglab-job-artifact-ramdump

Input#

Argument NameDescriptionRequired
agent_idAgent unique identifier as provided by the HarfangLab EDR Manager.Required

Context Output#

PathTypeDescription
Harfanglab.Job.IDstringid
Harfanglab.Job.ActionstringHarfangLab job action

Command example#

!harfanglab-job-artifact-ramdump agent_id="0fae71cf-ebde-4533-a50c-b3c0290378db"

Context Example#

{
"Harfanglab": {
"Job": {
"Action": "memoryDumper",
"ID": "27df9e9b-6201-4efe-9d86-986fe47739ee"
}
}
}

Human Readable Output#

{
"Action": "memoryDumper",
"ID": "27df9e9b-6201-4efe-9d86-986fe47739ee"
}

harfanglab-telemetry-network#

Search network connections

Base Command#

harfanglab-telemetry-network

Input#

Argument NameDescriptionRequired
hostnameEndpoint hostname.Optional
from_dateStart date (format: YYYY-MM-DDTHH:MM:SS).Optional
to_dateEnd date (format: YYYY-MM-DDTHH:MM:SS).Optional
source_addressSource IP address.Optional
source_portSource port.Optional
destination_addressDestination IP address.Optional
destination_portDestination port.Optional
limitMaximum number of elements to fetch. Default is 100.Optional

Context Output#

PathTypeDescription
Harfanglab.Telemetrynetwork.networkunknownProvides a list of network connections

Command example#

!harfanglab-telemetry-network hostname="DC-01" limit=5

Context Example#

{
"Harfanglab": {
"Telemetrynetwork": {
"network": [
{
"create date": "2022-06-29T22:33:42.434000Z",
"destination addr": "(REDACTED)",
"destination port": 443,
"direction": "out",
"hostname": "DC-01",
"image name": "C:\\Windows\\System32\\svchost.exe",
"source address": "(REDACTED)",
"source port": 50000,
"username": "NT AUTHORITY\\SYSTEM"
},
{
"create date": "2022-06-29T22:24:08.088000Z",
"destination addr": "(REDACTED)",
"destination port": 80,
"direction": "out",
"hostname": "DC-01",
"image name": "C:\\Windows\\System32\\svchost.exe",
"source address": "(REDACTED)",
"source port": 49998,
"username": "NT AUTHORITY\\NETWORK SERVICE"
},
{
"create date": "2022-06-29T22:23:08.037000Z",
"destination addr": "(REDACTED)",
"destination port": 443,
"direction": "out",
"hostname": "DC-01",
"image name": "C:\\Windows\\System32\\svchost.exe",
"source address": "(REDACTED)",
"source port": 49997,
"username": "NT AUTHORITY\\SYSTEM"
},
{
"create date": "2022-06-29T22:08:07.550000Z",
"destination addr": "(REDACTED)",
"destination port": 443,
"direction": "out",
"hostname": "DC-01",
"image name": "C:\\Windows\\System32\\svchost.exe",
"source address": "(REDACTED)",
"source port": 49996,
"username": "NT AUTHORITY\\SYSTEM"
},
{
"create date": "2022-06-29T22:04:42.848000Z",
"destination addr": "(REDACTED)",
"destination port": 80,
"direction": "out",
"hostname": "DC-01",
"image name": "C:\\Windows\\System32\\svchost.exe",
"source address": "(REDACTED)",
"source port": 49995,
"username": "NT AUTHORITY\\NETWORK SERVICE"
}
]
}
}
}

Human Readable Output#

Network list#

create datehostnameimage nameusernamesource addresssource portdestination addrdestination portdirection
2022-06-29T22:33:42.434000ZDC-01C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEM(REDACTED)50000(REDACTED)443out
2022-06-29T22:24:08.088000ZDC-01C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICE(REDACTED)49998(REDACTED)80out
2022-06-29T22:23:08.037000ZDC-01C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEM(REDACTED)49997(REDACTED)443out
2022-06-29T22:08:07.550000ZDC-01C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEM(REDACTED)49996(REDACTED)443out
2022-06-29T22:04:42.848000ZDC-01C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICE(REDACTED)49995(REDACTED)80out

Command example#

!harfanglab-telemetry-network destination_address="(REDACTED)" limit=5

Context Example#

{
"Harfanglab": {
"Telemetrynetwork": {
"network": [
{
"create date": "2022-07-27T14:59:56.114000Z",
"destination addr": "(REDACTED)",
"destination port": 80,
"direction": "out",
"hostname": "WORKSTATION-1879",
"image name": "C:\\Windows\\System32\\svchost.exe",
"source address": "(REDACTED)",
"source port": 62787,
"username": "NT AUTHORITY\\NETWORK SERVICE"
},
{
"create date": "2022-07-27T14:58:43.590000Z",
"destination addr": "(REDACTED)",
"destination port": 80,
"direction": "out",
"hostname": "WORKSTATION-3752",
"image name": "C:\\Windows\\System32\\svchost.exe",
"source address": "(REDACTED)",
"source port": 64593,
"username": "NT AUTHORITY\\NETWORK SERVICE"
},
{
"create date": "2022-07-27T14:49:54.374000Z",
"destination addr": "(REDACTED)",
"destination port": 80,
"direction": "out",
"hostname": "WORKSTATION-6852",
"image name": "C:\\Windows\\System32\\svchost.exe",
"source address": "(REDACTED)",
"source port": 61571,
"username": "NT AUTHORITY\\NETWORK SERVICE"
},
{
"create date": "2022-07-27T14:49:14.813000Z",
"destination addr": "(REDACTED)",
"destination port": 80,
"direction": "out",
"hostname": "WORKSTATION-4321",
"image name": "C:\\Windows\\System32\\svchost.exe",
"source address": "(REDACTED)",
"source port": 61605,
"username": "NT AUTHORITY\\NETWORK SERVICE"
},
{
"create date": "2022-07-27T07:59:49.780000Z",
"destination addr": "(REDACTED)",
"destination port": 80,
"direction": "out",
"hostname": "WORKSTATION-1879",
"image name": "C:\\Windows\\System32\\svchost.exe",
"source address": "(REDACTED)",
"source port": 62472,
"username": "NT AUTHORITY\\NETWORK SERVICE"
}
]
}
}
}

Human Readable Output#

Network list#

create datehostnameimage nameusernamesource addresssource portdestination addrdestination portdirection
2022-07-27T14:59:56.114000ZWORKSTATION-1879C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICE(REDACTED)62787(REDACTED)80out
2022-07-27T14:58:43.590000ZWORKSTATION-3752C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICE(REDACTED)64593(REDACTED)80out
2022-07-27T14:49:54.374000ZWORKSTATION-6852C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICE(REDACTED)61571(REDACTED)80out
2022-07-27T14:49:14.813000ZWORKSTATION-4321C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICE(REDACTED)61605(REDACTED)80out
2022-07-27T07:59:49.780000ZWORKSTATION-1879C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICE(REDACTED)62472(REDACTED)80out

Command example#

!harfanglab-telemetry-network destination_address="(REDACTED)" from_date="2022-07-21T12:34:05" to_date="2022-07-21T12:34:15" limit=5

Context Example#

{
"Harfanglab": {
"Telemetrynetwork": {
"network": [
{
"create date": "2022-07-21T12:34:09.265000Z",
"destination addr": "(REDACTED)",
"destination port": 80,
"direction": "out",
"hostname": "WORKSTATION-4812",
"image name": "C:\\Windows\\System32\\svchost.exe",
"source address": "(REDACTED)",
"source port": 50363,
"username": "NT AUTHORITY\\NETWORK SERVICE"
}
]
}
}
}

Human Readable Output#

Network list#

create datehostnameimage nameusernamesource addresssource portdestination addrdestination portdirection
2022-07-21T12:34:09.265000ZWORKSTATION-4812C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICE(REDACTED)50363(REDACTED)80out

harfanglab-telemetry-eventlog#

Search event logs

Base Command#

harfanglab-telemetry-eventlog

Input#

Argument NameDescriptionRequired
hostnameEndpoint hostname.Optional
event_idEvent id.Optional
from_dateStart date (format: YYYY-MM-DDTHH:MM:SS).Optional
to_dateEnd date (format: YYYY-MM-DDTHH:MM:SS).Optional
limitMaximum number of elements to fetch. Default is 100.Optional

Context Output#

PathTypeDescription
Harfanglab.Telemetryeventlog.eventlogunknownProvides a list of event logs

Command example#

!harfanglab-telemetry-eventlog hostname="DC-01" limit=5

Context Example#

{
"Harfanglab": {
"Telemetryeventlog": {
"eventlog": [
{
"create date": "2022-07-28T07:29:29.327000Z",
"event data": {
"Binary": "7300700070007300760063002F0031000000",
"param1": "Software Protection",
"param2": "stopped"
},
"event id": 7036,
"hostname": "DC-01",
"keywords": [
"Classic"
],
"level": "Information",
"log name": "System",
"source name": "Service Control Manager"
},
{
"create date": "2022-07-28T07:29:29.311000Z",
"event data": {
"param1": "2022-11-12T06:42:29Z",
"param2": "RulesEngine"
},
"event id": 16384,
"hostname": "DC-01",
"keywords": [
"Classic"
],
"level": "Information",
"log name": "Application",
"source name": "Microsoft-Windows-Security-SPP"
},
{
"create date": "2022-07-28T07:28:58.905000Z",
"event data": null,
"event id": 16394,
"hostname": "DC-01",
"keywords": [
"Classic"
],
"level": "Information",
"log name": "Application",
"source name": "Microsoft-Windows-Security-SPP"
},
{
"create date": "2022-07-28T07:28:58.795000Z",
"event data": {
"Binary": "7300700070007300760063002F0034000000",
"param1": "Software Protection",
"param2": "running"
},
"event id": 7036,
"hostname": "DC-01",
"keywords": [
"Classic"
],
"level": "Information",
"log name": "System",
"source name": "Service Control Manager"
},
{
"create date": "2022-07-28T07:26:50.139000Z",
"event data": {
"Binary": "540072007500730074006500640049006E007300740061006C006C00650072002F0031000000",
"param1": "Windows Modules Installer",
"param2": "stopped"
},
"event id": 7036,
"hostname": "DC-01",
"keywords": [
"Classic"
],
"level": "Information",
"log name": "System",
"source name": "Service Control Manager"
}
]
}
}
}

Human Readable Output#

Event Log list#

create datehostnameevent idsource namelog namekeywordsevent datalevel
2022-07-28T07:29:29.327000ZDC-017036Service Control ManagerSystemClassicparam1: Software Protection
param2: stopped
Binary: 7300700070007300760063002F0031000000		Information
2022-07-28T07:29:29.311000ZDC-0116384Microsoft-Windows-Security-SPPApplicationClassicparam1: 2022-11-12T06:42:29Z
param2: RulesEngine		Information
2022-07-28T07:28:58.905000ZDC-0116394Microsoft-Windows-Security-SPPApplicationClassicInformation
2022-07-28T07:28:58.795000ZDC-017036Service Control ManagerSystemClassicparam1: Software Protection
param2: running
Binary: 7300700070007300760063002F0034000000		Information
2022-07-28T07:26:50.139000ZDC-017036Service Control ManagerSystemClassicparam1: Windows Modules Installer
param2: stopped
Binary: 540072007500730074006500640049006E007300740061006C006C00650072002F0031000000		Information

Command example#

!harfanglab-telemetry-eventlog hostname="DC-01" event_id=4624 limit=5

Context Example#

{
"Harfanglab": {
"Telemetryeventlog": {
"eventlog": [
{
"create date": "2022-07-28T07:24:48.105000Z",
"event data": {
"AuthenticationPackageName": "Negotiate",
"ElevatedToken": "%%1842",
"ImpersonationLevel": "%%1833",
"IpAddress": "-",
"IpPort": "-",
"KeyLength": "0",
"LmPackageName": "-",
"LogonGuid": "{00000000-0000-0000-0000-000000000000}",
"LogonProcessName": "Advapi ",
"LogonType": "5",
"ProcessId": "0x278",
"ProcessName": "C:\\Windows\\System32\\services.exe",
"RestrictedAdminMode": "-",
"SubjectDomainName": "WORKGROUP",
"SubjectLogonId": "0x3e7",
"SubjectUserName": "DC-01$",
"SubjectUserSid": "S-1-5-18",
"TargetDomainName": "NT AUTHORITY",
"TargetLinkedLogonId": "0x0",
"TargetLogonId": "0x3e7",
"TargetOutboundDomainName": "-",
"TargetOutboundUserName": "-",
"TargetUserName": "SYSTEM",
"TargetUserSid": "S-1-5-18",
"TransmittedServices": "-",
"VirtualAccount": "%%1843",
"WorkstationName": "-"
},
"event id": 4624,
"hostname": "DC-01",
"keywords": [
"Audit Success"
],
"level": "Information",
"log name": "Security",
"source name": "Microsoft-Windows-Security-Auditing"
},
{
"create date": "2022-07-28T06:34:06.425000Z",
"event data": {
"AuthenticationPackageName": "Negotiate",
"ElevatedToken": "%%1842",
"ImpersonationLevel": "%%1833",
"IpAddress": "-",
"IpPort": "-",
"KeyLength": "0",
"LmPackageName": "-",
"LogonGuid": "{00000000-0000-0000-0000-000000000000}",
"LogonProcessName": "Advapi ",
"LogonType": "5",
"ProcessId": "0x278",
"ProcessName": "C:\\Windows\\System32\\services.exe",
"RestrictedAdminMode": "-",
"SubjectDomainName": "WORKGROUP",
"SubjectLogonId": "0x3e7",
"SubjectUserName": "DC-01$",
"SubjectUserSid": "S-1-5-18",
"TargetDomainName": "NT AUTHORITY",
"TargetLinkedLogonId": "0x0",
"TargetLogonId": "0x3e7",
"TargetOutboundDomainName": "-",
"TargetOutboundUserName": "-",
"TargetUserName": "SYSTEM",
"TargetUserSid": "S-1-5-18",
"TransmittedServices": "-",
"VirtualAccount": "%%1843",
"WorkstationName": "-"
},
"event id": 4624,
"hostname": "DC-01",
"keywords": [
"Audit Success"
],
"level": "Information",
"log name": "Security",
"source name": "Microsoft-Windows-Security-Auditing"
},
{
"create date": "2022-07-28T06:24:48.107000Z",
"event data": {
"AuthenticationPackageName": "Negotiate",
"ElevatedToken": "%%1842",
"ImpersonationLevel": "%%1833",
"IpAddress": "-",
"IpPort": "-",
"KeyLength": "0",
"LmPackageName": "-",
"LogonGuid": "{00000000-0000-0000-0000-000000000000}",
"LogonProcessName": "Advapi ",
"LogonType": "5",
"ProcessId": "0x278",
"ProcessName": "C:\\Windows\\System32\\services.exe",
"RestrictedAdminMode": "-",
"SubjectDomainName": "WORKGROUP",
"SubjectLogonId": "0x3e7",
"SubjectUserName": "DC-01$",
"SubjectUserSid": "S-1-5-18",
"TargetDomainName": "NT AUTHORITY",
"TargetLinkedLogonId": "0x0",
"TargetLogonId": "0x3e7",
"TargetOutboundDomainName": "-",
"TargetOutboundUserName": "-",
"TargetUserName": "SYSTEM",
"TargetUserSid": "S-1-5-18",
"TransmittedServices": "-",
"VirtualAccount": "%%1843",
"WorkstationName": "-"
},
"event id": 4624,
"hostname": "DC-01",
"keywords": [
"Audit Success"
],
"level": "Information",
"log name": "Security",
"source name": "Microsoft-Windows-Security-Auditing"
},
{
"create date": "2022-07-28T05:24:47.496000Z",
"event data": {
"AuthenticationPackageName": "Negotiate",
"ElevatedToken": "%%1842",
"ImpersonationLevel": "%%1833",
"IpAddress": "-",
"IpPort": "-",
"KeyLength": "0",
"LmPackageName": "-",
"LogonGuid": "{00000000-0000-0000-0000-000000000000}",
"LogonProcessName": "Advapi ",
"LogonType": "5",
"ProcessId": "0x278",
"ProcessName": "C:\\Windows\\System32\\services.exe",
"RestrictedAdminMode": "-",
"SubjectDomainName": "WORKGROUP",
"SubjectLogonId": "0x3e7",
"SubjectUserName": "DC-01$",
"SubjectUserSid": "S-1-5-18",
"TargetDomainName": "NT AUTHORITY",
"TargetLinkedLogonId": "0x0",
"TargetLogonId": "0x3e7",
"TargetOutboundDomainName": "-",
"TargetOutboundUserName": "-",
"TargetUserName": "SYSTEM",
"TargetUserSid": "S-1-5-18",
"TransmittedServices": "-",
"VirtualAccount": "%%1843",
"WorkstationName": "-"
},
"event id": 4624,
"hostname": "DC-01",
"keywords": [
"Audit Success"
],
"level": "Information",
"log name": "Security",
"source name": "Microsoft-Windows-Security-Auditing"
},
{
"create date": "2022-07-28T04:24:46.833000Z",
"event data": {
"AuthenticationPackageName": "Negotiate",
"ElevatedToken": "%%1842",
"ImpersonationLevel": "%%1833",
"IpAddress": "-",
"IpPort": "-",
"KeyLength": "0",
"LmPackageName": "-",
"LogonGuid": "{00000000-0000-0000-0000-000000000000}",
"LogonProcessName": "Advapi ",
"LogonType": "5",
"ProcessId": "0x278",
"ProcessName": "C:\\Windows\\System32\\services.exe",
"RestrictedAdminMode": "-",
"SubjectDomainName": "WORKGROUP",
"SubjectLogonId": "0x3e7",
"SubjectUserName": "DC-01$",
"SubjectUserSid": "S-1-5-18",
"TargetDomainName": "NT AUTHORITY",
"TargetLinkedLogonId": "0x0",
"TargetLogonId": "0x3e7",
"TargetOutboundDomainName": "-",
"TargetOutboundUserName": "-",
"TargetUserName": "SYSTEM",
"TargetUserSid": "S-1-5-18",
"TransmittedServices": "-",
"VirtualAccount": "%%1843",
"WorkstationName": "-"
},
"event id": 4624,
"hostname": "DC-01",
"keywords": [
"Audit Success"
],
"level": "Information",
"log name": "Security",
"source name": "Microsoft-Windows-Security-Auditing"
}
]
}
}
}

Human Readable Output#

Event Log list#

create datehostnameevent idsource namelog namekeywordsevent datalevel
2022-07-28T07:24:48.105000ZDC-014624Microsoft-Windows-Security-AuditingSecurityAudit SuccessSubjectUserSid: S-1-5-18
SubjectUserName: DC-01$
SubjectDomainName: WORKGROUP
SubjectLogonId: 0x3e7
TargetUserSid: S-1-5-18
TargetUserName: SYSTEM
TargetDomainName: NT AUTHORITY
TargetLogonId: 0x3e7
LogonType: 5
LogonProcessName: Advapi
AuthenticationPackageName: Negotiate
WorkstationName: -
LogonGuid: {00000000-0000-0000-0000-000000000000}
TransmittedServices: -
LmPackageName: -
KeyLength: 0
ProcessId: 0x278
ProcessName: C:\Windows\System32\services.exe
IpAddress: -
IpPort: -
ImpersonationLevel: %%1833
RestrictedAdminMode: -
TargetOutboundUserName: -
TargetOutboundDomainName: -
VirtualAccount: %%1843
TargetLinkedLogonId: 0x0
ElevatedToken: %%1842		Information
2022-07-28T06:34:06.425000ZDC-014624Microsoft-Windows-Security-AuditingSecurityAudit SuccessSubjectUserSid: S-1-5-18
SubjectUserName: DC-01$
SubjectDomainName: WORKGROUP
SubjectLogonId: 0x3e7
TargetUserSid: S-1-5-18
TargetUserName: SYSTEM
TargetDomainName: NT AUTHORITY
TargetLogonId: 0x3e7
LogonType: 5
LogonProcessName: Advapi
AuthenticationPackageName: Negotiate
WorkstationName: -
LogonGuid: {00000000-0000-0000-0000-000000000000}
TransmittedServices: -
LmPackageName: -
KeyLength: 0
ProcessId: 0x278
ProcessName: C:\Windows\System32\services.exe
IpAddress: -
IpPort: -
ImpersonationLevel: %%1833
RestrictedAdminMode: -
TargetOutboundUserName: -
TargetOutboundDomainName: -
VirtualAccount: %%1843
TargetLinkedLogonId: 0x0
ElevatedToken: %%1842		Information
2022-07-28T06:24:48.107000ZDC-014624Microsoft-Windows-Security-AuditingSecurityAudit SuccessSubjectUserSid: S-1-5-18
SubjectUserName: DC-01$
SubjectDomainName: WORKGROUP
SubjectLogonId: 0x3e7
TargetUserSid: S-1-5-18
TargetUserName: SYSTEM
TargetDomainName: NT AUTHORITY
TargetLogonId: 0x3e7
LogonType: 5
LogonProcessName: Advapi
AuthenticationPackageName: Negotiate
WorkstationName: -
LogonGuid: {00000000-0000-0000-0000-000000000000}
TransmittedServices: -
LmPackageName: -
KeyLength: 0
ProcessId: 0x278
ProcessName: C:\Windows\System32\services.exe
IpAddress: -
IpPort: -
ImpersonationLevel: %%1833
RestrictedAdminMode: -
TargetOutboundUserName: -
TargetOutboundDomainName: -
VirtualAccount: %%1843
TargetLinkedLogonId: 0x0
ElevatedToken: %%1842		Information
2022-07-28T05:24:47.496000ZDC-014624Microsoft-Windows-Security-AuditingSecurityAudit SuccessSubjectUserSid: S-1-5-18
SubjectUserName: DC-01$
SubjectDomainName: WORKGROUP
SubjectLogonId: 0x3e7
TargetUserSid: S-1-5-18
TargetUserName: SYSTEM
TargetDomainName: NT AUTHORITY
TargetLogonId: 0x3e7
LogonType: 5
LogonProcessName: Advapi
AuthenticationPackageName: Negotiate
WorkstationName: -
LogonGuid: {00000000-0000-0000-0000-000000000000}
TransmittedServices: -
LmPackageName: -
KeyLength: 0
ProcessId: 0x278
ProcessName: C:\Windows\System32\services.exe
IpAddress: -
IpPort: -
ImpersonationLevel: %%1833
RestrictedAdminMode: -
TargetOutboundUserName: -
TargetOutboundDomainName: -
VirtualAccount: %%1843
TargetLinkedLogonId: 0x0
ElevatedToken: %%1842		Information
2022-07-28T04:24:46.833000ZDC-014624Microsoft-Windows-Security-AuditingSecurityAudit SuccessSubjectUserSid: S-1-5-18
SubjectUserName: DC-01$
SubjectDomainName: WORKGROUP
SubjectLogonId: 0x3e7
TargetUserSid: S-1-5-18
TargetUserName: SYSTEM
TargetDomainName: NT AUTHORITY
TargetLogonId: 0x3e7
LogonType: 5
LogonProcessName: Advapi
AuthenticationPackageName: Negotiate
WorkstationName: -
LogonGuid: {00000000-0000-0000-0000-000000000000}
TransmittedServices: -
LmPackageName: -
KeyLength: 0
ProcessId: 0x278
ProcessName: C:\Windows\System32\services.exe
IpAddress: -
IpPort: -
ImpersonationLevel: %%1833
RestrictedAdminMode: -
TargetOutboundUserName: -
TargetOutboundDomainName: -
VirtualAccount: %%1843
TargetLinkedLogonId: 0x0
ElevatedToken: %%1842		Information

Command example#

!harfanglab-telemetry-eventlog event_id=4624 from_date="2022-07-21T21:25:34" to_date="2022-07-23T21:25:34" limit=5

Context Example#

{
"Harfanglab": {
"Telemetryeventlog": {
"eventlog": [
{
"create date": "2022-07-23T21:25:18.159000Z",
"event data": {
"AuthenticationPackageName": "Negotiate",
"ElevatedToken": "%%1842",
"ImpersonationLevel": "%%1833",
"IpAddress": "-",
"IpPort": "-",
"KeyLength": "0",
"LmPackageName": "-",
"LogonGuid": "{00000000-0000-0000-0000-000000000000}",
"LogonProcessName": "Advapi ",
"LogonType": "5",
"ProcessId": "0x280",
"ProcessName": "C:\\Windows\\System32\\services.exe",
"RestrictedAdminMode": "-",
"SubjectDomainName": "WORKGROUP",
"SubjectLogonId": "0x3e7",
"SubjectUserName": "WORKSTATION-123$",
"SubjectUserSid": "S-1-5-18",
"TargetDomainName": "NT AUTHORITY",
"TargetLinkedLogonId": "0x0",
"TargetLogonId": "0x3e7",
"TargetOutboundDomainName": "-",
"TargetOutboundUserName": "-",
"TargetUserName": "SYSTEM",
"TargetUserSid": "S-1-5-18",
"TransmittedServices": "-",
"VirtualAccount": "%%1843",
"WorkstationName": "-"
},
"event id": 4624,
"hostname": "WORKSTATION-1234",
"keywords": [
"Audit Success"
],
"level": "Information",
"log name": "Security",
"source name": "Microsoft-Windows-Security-Auditing"
},
{
"create date": "2022-07-23T21:25:10.765000Z",
"event data": {
"AuthenticationPackageName": "Negotiate",
"ElevatedToken": "%%1842",
"ImpersonationLevel": "%%1833",
"IpAddress": "-",
"IpPort": "-",
"KeyLength": "0",
"LmPackageName": "-",
"LogonGuid": "{00000000-0000-0000-0000-000000000000}",
"LogonProcessName": "Advapi ",
"LogonType": "5",
"ProcessId": "0x27c",
"ProcessName": "C:\\Windows\\System32\\services.exe",
"RestrictedAdminMode": "-",
"SubjectDomainName": "WORKGROUP",
"SubjectLogonId": "0x3e7",
"SubjectUserName": "WEBSERVER$",
"SubjectUserSid": "S-1-5-18",
"TargetDomainName": "NT AUTHORITY",
"TargetLinkedLogonId": "0x0",
"TargetLogonId": "0x3e7",
"TargetOutboundDomainName": "-",
"TargetOutboundUserName": "-",
"TargetUserName": "SYSTEM",
"TargetUserSid": "S-1-5-18",
"TransmittedServices": "-",
"VirtualAccount": "%%1843",
"WorkstationName": "-"
},
"event id": 4624,
"hostname": "WEBSERVER",
"keywords": [
"Audit Success"
],
"level": "Information",
"log name": "Security",
"source name": "Microsoft-Windows-Security-Auditing"
},
{
"create date": "2022-07-23T21:23:53.410000Z",
"event data": {
"AuthenticationPackageName": "Negotiate",
"ElevatedToken": "%%1842",
"ImpersonationLevel": "%%1833",
"IpAddress": "-",
"IpPort": "-",
"KeyLength": "0",
"LmPackageName": "-",
"LogonGuid": "{00000000-0000-0000-0000-000000000000}",
"LogonProcessName": "Advapi ",
"LogonType": "5",
"ProcessId": "0x278",
"ProcessName": "C:\\Windows\\System32\\services.exe",
"RestrictedAdminMode": "-",
"SubjectDomainName": "WORKGROUP",
"SubjectLogonId": "0x3e7",
"SubjectUserName": "DC-01$",
"SubjectUserSid": "S-1-5-18",
"TargetDomainName": "NT AUTHORITY",
"TargetLinkedLogonId": "0x0",
"TargetLogonId": "0x3e7",
"TargetOutboundDomainName": "-",
"TargetOutboundUserName": "-",
"TargetUserName": "SYSTEM",
"TargetUserSid": "S-1-5-18",
"TransmittedServices": "-",
"VirtualAccount": "%%1843",
"WorkstationName": "-"
},
"event id": 4624,
"hostname": "DC-01",
"keywords": [
"Audit Success"
],
"level": "Information",
"log name": "Security",
"source name": "Microsoft-Windows-Security-Auditing"
},
{
"create date": "2022-07-23T21:18:55.338000Z",
"event data": {
"AuthenticationPackageName": "Negotiate",
"ElevatedToken": "%%1842",
"ImpersonationLevel": "%%1833",
"IpAddress": "-",
"IpPort": "-",
"KeyLength": "0",
"LmPackageName": "-",
"LogonGuid": "{00000000-0000-0000-0000-000000000000}",
"LogonProcessName": "Advapi ",
"LogonType": "5",
"ProcessId": "0x27c",
"ProcessName": "C:\\Windows\\System32\\services.exe",
"RestrictedAdminMode": "-",
"SubjectDomainName": "WORKGROUP",
"SubjectLogonId": "0x3e7",
"SubjectUserName": "WORKSTATION-850$",
"SubjectUserSid": "S-1-5-18",
"TargetDomainName": "NT AUTHORITY",
"TargetLinkedLogonId": "0x0",
"TargetLogonId": "0x3e7",
"TargetOutboundDomainName": "-",
"TargetOutboundUserName": "-",
"TargetUserName": "SYSTEM",
"TargetUserSid": "S-1-5-18",
"TransmittedServices": "-",
"VirtualAccount": "%%1843",
"WorkstationName": "-"
},
"event id": 4624,
"hostname": "WORKSTATION-8501",
"keywords": [
"Audit Success"
],
"level": "Information",
"log name": "Security",
"source name": "Microsoft-Windows-Security-Auditing"
},
{
"create date": "2022-07-23T21:18:53.324000Z",
"event data": {
"AuthenticationPackageName": "Negotiate",
"ElevatedToken": "%%1842",
"ImpersonationLevel": "%%1833",
"IpAddress": "-",
"IpPort": "-",
"KeyLength": "0",
"LmPackageName": "-",
"LogonGuid": "{00000000-0000-0000-0000-000000000000}",
"LogonProcessName": "Advapi ",
"LogonType": "5",
"ProcessId": "0x27c",
"ProcessName": "C:\\Windows\\System32\\services.exe",
"RestrictedAdminMode": "-",
"SubjectDomainName": "WORKGROUP",
"SubjectLogonId": "0x3e7",
"SubjectUserName": "WORKSTATION-850$",
"SubjectUserSid": "S-1-5-18",
"TargetDomainName": "NT AUTHORITY",
"TargetLinkedLogonId": "0x0",
"TargetLogonId": "0x3e7",
"TargetOutboundDomainName": "-",
"TargetOutboundUserName": "-",
"TargetUserName": "SYSTEM",
"TargetUserSid": "S-1-5-18",
"TransmittedServices": "-",
"VirtualAccount": "%%1843",
"WorkstationName": "-"
},
"event id": 4624,
"hostname": "WORKSTATION-8501",
"keywords": [
"Audit Success"
],
"level": "Information",
"log name": "Security",
"source name": "Microsoft-Windows-Security-Auditing"
}
]
}
}
}

Human Readable Output#

Event Log list#

create datehostnameevent idsource namelog namekeywordsevent datalevel
2022-07-23T21:25:18.159000ZWORKSTATION-12344624Microsoft-Windows-Security-AuditingSecurityAudit SuccessSubjectUserSid: S-1-5-18
SubjectUserName: WORKSTATION-123$
SubjectDomainName: WORKGROUP
SubjectLogonId: 0x3e7
TargetUserSid: S-1-5-18
TargetUserName: SYSTEM
TargetDomainName: NT AUTHORITY
TargetLogonId: 0x3e7
LogonType: 5
LogonProcessName: Advapi
AuthenticationPackageName: Negotiate
WorkstationName: -
LogonGuid: {00000000-0000-0000-0000-000000000000}
TransmittedServices: -
LmPackageName: -
KeyLength: 0
ProcessId: 0x280
ProcessName: C:\Windows\System32\services.exe
IpAddress: -
IpPort: -
ImpersonationLevel: %%1833
RestrictedAdminMode: -
TargetOutboundUserName: -
TargetOutboundDomainName: -
VirtualAccount: %%1843
TargetLinkedLogonId: 0x0
ElevatedToken: %%1842		Information
2022-07-23T21:25:10.765000ZWEBSERVER4624Microsoft-Windows-Security-AuditingSecurityAudit SuccessSubjectUserSid: S-1-5-18
SubjectUserName: WEBSERVER$
SubjectDomainName: WORKGROUP
SubjectLogonId: 0x3e7
TargetUserSid: S-1-5-18
TargetUserName: SYSTEM
TargetDomainName: NT AUTHORITY
TargetLogonId: 0x3e7
LogonType: 5
LogonProcessName: Advapi
AuthenticationPackageName: Negotiate
WorkstationName: -
LogonGuid: {00000000-0000-0000-0000-000000000000}
TransmittedServices: -
LmPackageName: -
KeyLength: 0
ProcessId: 0x27c
ProcessName: C:\Windows\System32\services.exe
IpAddress: -
IpPort: -
ImpersonationLevel: %%1833
RestrictedAdminMode: -
TargetOutboundUserName: -
TargetOutboundDomainName: -
VirtualAccount: %%1843
TargetLinkedLogonId: 0x0
ElevatedToken: %%1842		Information
2022-07-23T21:23:53.410000ZDC-014624Microsoft-Windows-Security-AuditingSecurityAudit SuccessSubjectUserSid: S-1-5-18
SubjectUserName: DC-01$
SubjectDomainName: WORKGROUP
SubjectLogonId: 0x3e7
TargetUserSid: S-1-5-18
TargetUserName: SYSTEM
TargetDomainName: NT AUTHORITY
TargetLogonId: 0x3e7
LogonType: 5
LogonProcessName: Advapi
AuthenticationPackageName: Negotiate
WorkstationName: -
LogonGuid: {00000000-0000-0000-0000-000000000000}
TransmittedServices: -
LmPackageName: -
KeyLength: 0
ProcessId: 0x278
ProcessName: C:\Windows\System32\services.exe
IpAddress: -
IpPort: -
ImpersonationLevel: %%1833
RestrictedAdminMode: -
TargetOutboundUserName: -
TargetOutboundDomainName: -
VirtualAccount: %%1843
TargetLinkedLogonId: 0x0
ElevatedToken: %%1842		Information
2022-07-23T21:18:55.338000ZWORKSTATION-85014624Microsoft-Windows-Security-AuditingSecurityAudit SuccessSubjectUserSid: S-1-5-18
SubjectUserName: WORKSTATION-850$
SubjectDomainName: WORKGROUP
SubjectLogonId: 0x3e7
TargetUserSid: S-1-5-18
TargetUserName: SYSTEM
TargetDomainName: NT AUTHORITY
TargetLogonId: 0x3e7
LogonType: 5
LogonProcessName: Advapi
AuthenticationPackageName: Negotiate
WorkstationName: -
LogonGuid: {00000000-0000-0000-0000-000000000000}
TransmittedServices: -
LmPackageName: -
KeyLength: 0
ProcessId: 0x27c
ProcessName: C:\Windows\System32\services.exe
IpAddress: -
IpPort: -
ImpersonationLevel: %%1833
RestrictedAdminMode: -
TargetOutboundUserName: -
TargetOutboundDomainName: -
VirtualAccount: %%1843
TargetLinkedLogonId: 0x0
ElevatedToken: %%1842		Information
2022-07-23T21:18:53.324000ZWORKSTATION-85014624Microsoft-Windows-Security-AuditingSecurityAudit SuccessSubjectUserSid: S-1-5-18
SubjectUserName: WORKSTATION-850$
SubjectDomainName: WORKGROUP
SubjectLogonId: 0x3e7
TargetUserSid: S-1-5-18
TargetUserName: SYSTEM
TargetDomainName: NT AUTHORITY
TargetLogonId: 0x3e7
LogonType: 5
LogonProcessName: Advapi
AuthenticationPackageName: Negotiate
WorkstationName: -
LogonGuid: {00000000-0000-0000-0000-000000000000}
TransmittedServices: -
LmPackageName: -
KeyLength: 0
ProcessId: 0x27c
ProcessName: C:\Windows\System32\services.exe
IpAddress: -
IpPort: -
ImpersonationLevel: %%1833
RestrictedAdminMode: -
TargetOutboundUserName: -
TargetOutboundDomainName: -
VirtualAccount: %%1843
TargetLinkedLogonId: 0x0
ElevatedToken: %%1842		Information

harfanglab-telemetry-binary#

Search for binaries

Base Command#

harfanglab-telemetry-binary

Input#

Argument NameDescriptionRequired
from_dateStart date (format: YYYY-MM-DDTHH:MM:SS).Optional
to_dateEnd date (format: YYYY-MM-DDTHH:MM:SS).Optional
hashfilehash to search (md5, sha1, sha256).Optional
limitMaximum number of elements to fetch. Default is 100.Optional

Context Output#

PathTypeDescription
Harfanglab.Telemetrybinary.binaryunknownProvides a list of binaries with associated download links.

Command example#

!harfanglab-telemetry-binary hash=2577fb22e98a4585bedcccfe7fbb48a8b2e0b5ea4c41408247cba86e89ea2eb5

Context Example#

{
"Harfanglab": {
"Telemetrybinary": {
"binary": [
{
"download link": "https://my_edr_stack:8443/api/data/telemetry/Binary/download/2577fb22e98a4585bedcccfe7fbb48a8b2e0b5ea4c41408247cba86e89ea2eb5/?hl_expiring_key=0123456789abcdef",
"name": "hurukai",
"path": "/opt/hurukai/hurukai",
"sha256": "2577fb22e98a4585bedcccfe7fbb48a8b2e0b5ea4c41408247cba86e89ea2eb5",
"signed": "",
"signer": null,
"size": 5882824
}
]
}
}
}

Human Readable Output#

Binary list#

namepathsizesha256download link
hurukai/opt/hurukai/hurukai58828242577fb22e98a4585bedcccfe7fbb48a8b2e0b5ea4c41408247cba86e89ea2eb5https://my_edr_stack:8443/api/data/telemetry/Binary/download/2577fb22e98a4585bedcccfe7fbb48a8b2e0b5ea4c41408247cba86e89ea2eb5/?hl_expiring_key=0123456789abcdef

harfanglab-job-info#

Get job status information

Base Command#

harfanglab-job-info

Input#

Argument NameDescriptionRequired
idsComa-separated list of job ids.Required

Context Output#

PathTypeDescription
Harfanglab.Job.InfounknownJob Status

Command example#

!harfanglab-job-info ids="ba28f05f-e3c8-4eec-ab6a-01d639c14f2e,70b2cd7b-8a57-4a6c-aa7e-e392676fa7ac"

Context Example#

{
"Harfanglab": {
"Job": {
"Info": [
{
"Creation date": "2022-07-19 19:47:00",
"ID": "ba28f05f-e3c8-4eec-ab6a-01d639c14f2e",
"Status": "finished"
},
{
"Creation date": "2022-07-07 13:39:02",
"ID": "70b2cd7b-8a57-4a6c-aa7e-e392676fa7ac",
"Status": "finished"
}
]
}
}
}

Human Readable Output#

Jobs Info#

IDStatusCreation date
ba28f05f-e3c8-4eec-ab6a-01d639c14f2efinished2022-07-19 19:47:00
70b2cd7b-8a57-4a6c-aa7e-e392676fa7acfinished2022-07-07 13:39:02

harfanglab-result-pipelist#

Get a hostname's list of pipes from job results

Base Command#

harfanglab-result-pipelist

Input#

Argument NameDescriptionRequired
job_idJob id as returned by the job submission commands.Required

Context Output#

PathTypeDescription
Harfanglab.Pipe.dataunknownProvides a list of named pipes

Command example#

!harfanglab-result-pipelist job_id="f6cba4b2-e4a1-41b7-bdc0-0dcb6815d3ad"

Context Example#

{
"Harfanglab": {
"Pipe": {
"data": [
"atsvc",
"Ctx_WinStation_API_service",
"epmapper",
"eventlog",
"hlab-1560-f60834ea319cb1cf",
"InitShutdown",
"lsass",
"LSM_API_service",
"ntsvcs",
"PIPE_EVENTROOT\\CIMV2SCM EVENT PROVIDER",
"scerpc",
"SessEnvPublicRpc",
"spoolss",
"srvsvc",
"TermSrv_API_service",
"trkwks",
"VBoxTrayIPC-vagrant",
"W32TIME_ALT",
"Winsock2\\CatalogChangeListener-1f8-0",
"Winsock2\\CatalogChangeListener-278-0",
"Winsock2\\CatalogChangeListener-284-0",
"Winsock2\\CatalogChangeListener-2c4-0",
"Winsock2\\CatalogChangeListener-2f0-0",
"Winsock2\\CatalogChangeListener-35c-0",
"Winsock2\\CatalogChangeListener-414-0",
"Winsock2\\CatalogChangeListener-528-0",
"wkssvc"
]
}
}
}

Human Readable Output#

Pipe List#

name
atsvc
Ctx_WinStation_API_service
epmapper
eventlog
hlab-1560-f60834ea319cb1cf
InitShutdown
lsass
LSM_API_service
ntsvcs
PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER
scerpc
SessEnvPublicRpc
spoolss
srvsvc
TermSrv_API_service
trkwks
VBoxTrayIPC-vagrant
W32TIME_ALT
Winsock2\CatalogChangeListener-1f8-0
Winsock2\CatalogChangeListener-278-0
Winsock2\CatalogChangeListener-284-0
Winsock2\CatalogChangeListener-2c4-0
Winsock2\CatalogChangeListener-2f0-0
Winsock2\CatalogChangeListener-35c-0
Winsock2\CatalogChangeListener-414-0
Winsock2\CatalogChangeListener-528-0
wkssvc

harfanglab-result-prefetchlist#

Get a hostname's list of prefetches from job results

Base Command#

harfanglab-result-prefetchlist

Input#

Argument NameDescriptionRequired
job_idJob id as returned by the job submission commands.Required

Context Output#

PathTypeDescription
Harfanglab.Prefetch.dataunknownProvides a list of prefetch files

Command example#

!harfanglab-result-prefetchlist job_id="16834054-574b-4dc4-8981-9e6bb93e4529"

Context Example#

{
"Harfanglab": {
"Prefetch": {
"data": []
}
}
}

Human Readable Output#

Prefetch List#

No entries.

harfanglab-result-runkeylist#

Get a hostname's list of run keys from job results

Base Command#

harfanglab-result-runkeylist

Input#

Argument NameDescriptionRequired
job_idJob id as returned by the job submission commands.Required

Context Output#

PathTypeDescription
Harfanglab.RunKey.dataunknownProvides a list of Run Keys

Command example#

!harfanglab-result-runkeylist job_id="704cac37-57df-4b70-8227-4a770b724108"

Context Example#

{
"Harfanglab": {
"RunKey": {
"data": [
{
"fullpath": "C:\\Windows\\system32\\SecurityHealthSystray.exe",
"md5": "37eea8b4d205b2300e79a9e96f2f7a46",
"name": "SecurityHealth",
"signed": true
},
{
"fullpath": "C:\\Windows\\system32\\VBoxTray.exe",
"md5": "3c21ed6871650bc8635729b9abbb6f21",
"name": "VBoxTray",
"signed": true
}
]
}
}
}

Human Readable Output#

RunKey List#

namefullpathsignedmd5
SecurityHealthC:\Windows\system32\SecurityHealthSystray.exetrue37eea8b4d205b2300e79a9e96f2f7a46
VBoxTrayC:\Windows\system32\VBoxTray.exetrue3c21ed6871650bc8635729b9abbb6f21

harfanglab-result-scheduledtasklist#

Get a hostname's list of scheduled tasks from job results

Base Command#

harfanglab-result-scheduledtasklist

Input#

Argument NameDescriptionRequired
job_idJob id as returned by the job submission commands.Optional

Context Output#

PathTypeDescription
Harfanglab.ScheduledTask.dataunknownProvides a list of scheduled tasks

Command example#

!harfanglab-result-scheduledtasklist job_id="f22b531a-b078-44fc-8d23-d06725548934"

Context Example#

{
"Harfanglab": {
"ScheduledTask": {
"data": [
{
"fullpath": "C:\\Windows\\System32\\mscoree.dll",
"md5": "7ddb05ec3be80b951478e594294c0361",
"name": ".NET Framework NGEN v4.0.30319",
"signed": true
},
{
"fullpath": "C:\\Windows\\System32\\mscoree.dll",
"md5": "7ddb05ec3be80b951478e594294c0361",
"name": ".NET Framework NGEN v4.0.30319 64",
"signed": true
},
{
"fullpath": "C:\\Windows\\System32\\mscoree.dll",
"md5": "7ddb05ec3be80b951478e594294c0361",
"name": ".NET Framework NGEN v4.0.30319 64 Critical",
"signed": true
},
{
"fullpath": "C:\\Windows\\System32\\mscoree.dll",
"md5": "7ddb05ec3be80b951478e594294c0361",
"name": ".NET Framework NGEN v4.0.30319 Critical",
"signed": true
},
{
"fullpath": "C:\\Windows\\system32\\rundll32.exe",
"md5": "f5b2d37bed0d2b15957736c23b9f547f",
"name": "Account Cleanup",
"signed": true
},
{
"fullpath": "C:\\Windows\\system32\\msdrm.dll",
"md5": "a4bffcd7b94bd687b3084bc6c7483a2c",
"name": "AD RMS Rights Policy Template Management (Automated)",
"signed": true
},
{
"fullpath": "C:\\Windows\\system32\\msdrm.dll",
"md5": "a4bffcd7b94bd687b3084bc6c7483a2c",
"name": "AD RMS Rights Policy Template Management (Manual)",
"signed": true
},
{
"fullpath": "C:\\Windows\\system32\\ngctasks.dll",
"md5": "41fe9b51f30b9ff1a8fe4d724d6c7940",
"name": "AikCertEnrollTask",
"signed": true
},
{
"fullpath": "C:\\Windows\\System32\\energytask.dll",
"md5": "6b5151a0c751cbf6f01994ab1eb6cde8",
"name": "AnalyzeSystem",
"signed": true
},
{
"fullpath": "C:\\Windows\\system32\\apphostregistrationverifier.exe",
"md5": "54b1076b71917ed737760b4feba9eeae",
"name": "appuriverifierdaily",
"signed": true
},
{
"fullpath": "C:\\Windows\\system32\\apphostregistrationverifier.exe",
"md5": "54b1076b71917ed737760b4feba9eeae",
"name": "appuriverifierinstall",
"signed": true
},
{
"fullpath": "C:\\Windows\\system32\\dsregcmd.exe",
"md5": "f4c8c7def69c3fcaf375db9a7710fd35",
"name": "Automatic-Device-Join",
"signed": true
},
{
"fullpath": "C:\\Windows\\System32\\cscui.dll",
"md5": "14eef80c58f9c7bffdbc5cb4867d5824",
"name": "Background Synchronization",
"signed": true
},
{
"fullpath": "C:\\Windows\\system32\\rundll32.exe",
"md5": "f5b2d37bed0d2b15957736c23b9f547f",
"name": "BfeOnServiceStartTypeChange",
"signed": true
},
{
"fullpath": "",
"md5": null,
"name": "BgTaskRegistrationMaintenanceTask",
"signed": false
},
{
"fullpath": "C:\\Windows\\System32\\edptask.dll",
"md5": "45ed986a4271a0f5d9a27161af5a76ee",
"name": "BitLocker Encrypt All Drives",
"signed": true
},
{
"fullpath": "C:\\Windows\\System32\\edptask.dll",
"md5": "45ed986a4271a0f5d9a27161af5a76ee",
"name": "BitLocker MDM policy Refresh",
"signed": true
},
{
"fullpath": "C:\\Windows\\system32\\wininet.dll",
"md5": "7f361d95066553e70da7a5329a429254",
"name": "CacheTask",
"signed": true
},
{
"fullpath": "C:\\Windows\\System32\\mscms.dll",
"md5": "77f81e7a53a7192fefebd9db113709d5",
"name": "Calibration Loader",
"signed": true
},
{
"fullpath": "C:\\Windows\\system32\\cscript.exe",
"md5": "60ddaf328f6469c00a3fa14aaafed361",
"name": "CleanupOldPerfLogs",
"signed": true
},
{
"fullpath": "C:\\Windows\\system32\\rundll32.exe",
"md5": "f5b2d37bed0d2b15957736c23b9f547f",
"name": "CleanupTemporaryState",
"signed": true
},
{
"fullpath": "C:\\Windows\\system32\\cmd.exe",
"md5": "e7a6b1f51efb405287a8048cfa4690f4",
"name": "Collection",
"signed": true
},
{
"fullpath": "C:\\Windows\\system32\\cmd.exe",
"md5": "e7a6b1f51efb405287a8048cfa4690f4",
"name": "Configuration",
"signed": true
},
{
"fullpath": "C:\\Windows\\system32\\wsqmcons.exe",
"md5": "0d229f8045fb12b584143ac82cbd1dcd",
"name": "Consolidator",
"signed": true
},
{
"fullpath": "C:\\Windows\\system32\\shell32.dll",
"md5": "49cf1d96abbacab759a043253677219f",
"name": "CreateObjectTask",
"signed": true
},
{
"fullpath": "C:\\Windows\\System32\\CloudExperienceHostBroker.exe",
"md5": "8b4432582d6c68e5296e7f8cc8a3b8bc",
"name": "CreateObjectTask",
"signed": true
},
{
"fullpath": "C:\\Windows\\system32\\ngctasks.dll",
"md5": "41fe9b51f30b9ff1a8fe4d724d6c7940",
"name": "CryptoPolicyTask",
"signed": true
},
{
"fullpath": "C:\\Windows\\System32\\discan.dll",
"md5": "db01ce5db38cdc5f30537c129afc577c",
"name": "Data Integrity Check And Scan",
"signed": true
},
{
"fullpath": "C:\\Windows\\System32\\discan.dll",
"md5": "db01ce5db38cdc5f30537c129afc577c",
"name": "Data Integrity Scan",
"signed": true
},
{
"fullpath": "C:\\Windows\\System32\\discan.dll",
"md5": "db01ce5db38cdc5f30537c129afc577c",
"name": "Data Integrity Scan for Crash Recovery",
"signed": true
},
{
"fullpath": "C:\\Windows\\system32\\devicecensus.exe",
"md5": "2a33b4af5c4a152eed1c53bd39e99534",
"name": "Device",
"signed": true
},
{
"fullpath": "C:\\Windows\\System32\\pnppolicy.dll",
"md5": "c9b1ab4b3f3f77e6513ce26b50215bc4",
"name": "Device Install Group Policy",
"signed": true
},
{
"fullpath": "C:\\Windows\\System32\\pnpui.dll",
"md5": "303788cfdf6ca3f929badd3be92ed879",
"name": "Device Install Reboot Required",
"signed": true
},
{
"fullpath": "C:\\Windows\\system32\\devicecensus.exe",
"md5": "2a33b4af5c4a152eed1c53bd39e99534",
"name": "Device User",
"signed": true
},
{
"fullpath": "C:\\Windows\\System32\\dsregtask.dll",
"md5": "f64089d434bb3fb387f51d7525c56ea4",
"name": "Device-Sync",
"signed": true
},
{
"fullpath": "C:\\Windows\\system32\\disksnapshot.exe",
"md5": "5536352f520d36eb7079647214ac9fa0",
"name": "Diagnostics",
"signed": true
},
{
"fullpath": "C:\\Windows\\system32\\directxdatabaseupdater.exe",
"md5": "26e02368365619d57d7a32cc37de35e1",
"name": "DirectXDatabaseUpdater",
"signed": true
},
{
"fullpath": "C:\\Windows\\system32\\dstokenclean.exe",
"md5": "8c9493c2c59e6a7f667ea3355620ce48",
"name": "DsSvcCleanup",
"signed": true
},
{
"fullpath": "C:\\Windows\\system32\\dxgiadaptercache.exe",
"md5": "fbcff8772630726ef5f00f26a3bcb437",
"name": "DXGIAdapterCache",
"signed": true
},
{
"fullpath": "C:\\Windows\\System32\\edptask.dll",
"md5": "45ed986a4271a0f5d9a27161af5a76ee",
"name": "EDP App Launch Task",
"signed": true
},
{
"fullpath": "C:\\Windows\\System32\\edptask.dll",
"md5": "45ed986a4271a0f5d9a27161af5a76ee",
"name": "EDP Auth Task",
"signed": true
},
{
"fullpath": "C:\\Windows\\System32\\edptask.dll",
"md5": "45ed986a4271a0f5d9a27161af5a76ee",
"name": "EDP Inaccessible Credentials Task",
"signed": true
},
{
"fullpath": "C:\\Windows\\System32\\AppLockerCsp.dll",
"md5": "20b0cc726f9d3fcf3b659f6a132e1e00",
"name": "EDP Policy Manager",
"signed": true
},
{
"fullpath": "C:\\Windows\\System32\\MitigationConfiguration.dll",
"md5": "0a9e147ff4d7f8212f0de006c52d865b",
"name": "ExploitGuard MDM policy Refresh",
"signed": true
},
{
"fullpath": "C:\\Windows\\system32\\TimeSyncTask.dll",
"md5": "c42636381538cbf55ac6ad954519f1f0",
"name": "ForceSynchronizeTime",
"signed": true
},
{
"fullpath": "C:\\Windows\\system32\\gathernetworkinfo.vbs",
"md5": "da4d4261a43de7e851a9378ed0668eb9",
"name": "GatherNetworkInfo",
"signed": true
},
{
"fullpath": "",
"md5": null,
"name": "HiveUploadTask",
"signed": false
},
{
"fullpath": "C:\\Windows\\System32\\srchadmin.dll",
"md5": "945162746b51b6082425edac70cd3774",
"name": "IndexerAutomaticMaintenance",
"signed": true
},
{
"fullpath": "C:\\Windows\\System32\\LanguageComponentsInstaller.dll",
"md5": "742c212ba7f256577168aeee2b00fb7c",
"name": "Installation",
"signed": true
},
{
"fullpath": "C:\\Windows\\system32\\wdc.dll",
"md5": "7939c5b180bd8153f670f8231a401c75",
"name": "Interactive",
"signed": true
},
{
"fullpath": "C:\\Windows\\system32\\ngctasks.dll",
"md5": "41fe9b51f30b9ff1a8fe4d724d6c7940",
"name": "KeyPreGenTask",
"signed": true
},
{
"fullpath": "C:\\Windows\\system32\\clipup.exe",
"md5": "2220d1075b5e7e90ba4f4f8a0e701e45",
"name": "License Validation",
"signed": true
},
{
"fullpath": "C:\\Windows\\System32\\InputCloudStore.dll",
"md5": "13208dbfbbcfbad9cd0e6ab59f72bdec",
"name": "LocalUserSyncDataAvailable",
"signed": true
},
{
"fullpath": "C:\\Windows\\system32\\sc.exe",
"md5": "6fb10cd439b40d92935f8f6a0c99670a",
"name": "LoginCheck",
"signed": true
},
{
"fullpath": "C:\\Windows\\System32\\cscui.dll",
"md5": "14eef80c58f9c7bffdbc5cb4867d5824",
"name": "Logon Synchronization",
"signed": true
},
{
"fullpath": "C:\\Windows\\system32\\lpremove.exe",
"md5": "2140dccdd4dab65241c309df02ce09a2",
"name": "LPRemove",
"signed": true
},
{
"fullpath": "C:\\Windows\\system32\\rundll32.exe",
"md5": "f5b2d37bed0d2b15957736c23b9f547f",
"name": "MaintenanceTasks",
"signed": true
},
{
"fullpath": "C:\\Windows\\System32\\mapstoasttask.dll",
"md5": "24c2e7e8b529023ee167dd68164cced7",
"name": "MapsToastTask",
"signed": true
},
{
"fullpath": "C:\\Windows\\System32\\mapsupdatetask.dll",
"md5": "984960ba9e02bb161f0315f37eb9bde2",
"name": "MapsUpdateTask",
"signed": true
},
{
"fullpath": "C:\\Windows\\System32\\DeviceSetupManagerAPI.dll",
"md5": "bb7755132e04b89f006522fa69ed8f38",
"name": "Metadata Refresh",
"signed": true
},
{
"fullpath": "C:\\Windows\\system32\\compattelrunner.exe",
"md5": "003339d6b38472f62b5da9c5d31f24ea",
"name": "Microsoft Compatibility Appraiser",
"signed": true
},
{
"fullpath": "C:\\Windows\\system32\\rundll32.exe",
"md5": "f5b2d37bed0d2b15957736c23b9f547f",
"name": "Microsoft-Windows-DiskDiagnosticDataCollector",
"signed": true
},
{
"fullpath": "C:\\Windows\\system32\\dfdwiz.exe",
"md5": "be2d2340e25e4a5700381c8097af152b",
"name": "Microsoft-Windows-DiskDiagnosticResolver",
"signed": true
},
{
"fullpath": "c:\\program files (x86)\\microsoft\\edgeupdate\\microsoftedgeupdate.exe",
"md5": "8661fbb97161096be503cd295aa46409",
"name": "MicrosoftEdgeUpdateTaskMachineCore1d867a83717e5b7",
"signed": true
},
{
"fullpath": "c:\\program files (x86)\\microsoft\\edgeupdate\\microsoftedgeupdate.exe",
"md5": "8661fbb97161096be503cd295aa46409",
"name": "MicrosoftEdgeUpdateTaskMachineUA",
"signed": true
},
{
"fullpath": "C:\\Windows\\system32\\rasmbmgr.dll",
"md5": "c657bc27aae838fc3a295d51ac20a953",
"name": "MobilityManager",
"signed": true
},
{
"fullpath": "C:\\Windows\\System32\\InputCloudStore.dll",
"md5": "13208dbfbbcfbad9cd0e6ab59f72bdec",
"name": "MouseSyncDataAvailable",
"signed": true
},
{
"fullpath": "C:\\Windows\\system32\\MsCtfMonitor.dll",
"md5": "f545384f0b0ca857197904a6092b3f16",
"name": "MsCtfMonitor",
"signed": true
},
{
"fullpath": "C:\\Windows\\system32\\locationnotificationwindows.exe",
"md5": "a259819d5f8de86ff28546f4ded16f35",
"name": "Notifications",
"signed": true
},
{
"fullpath": "C:\\Windows\\System32\\MBMediaManager.dll",
"md5": "c1ce23565a9cadef865aedd6c041a2c4",
"name": "OobeDiscovery",
"signed": true
},
{
"fullpath": "C:\\Windows\\system32\\rundll32.exe",
"md5": "f5b2d37bed0d2b15957736c23b9f547f",
"name": "PcaPatchDbTask",
"signed": true
},
{
"fullpath": "C:\\Windows\\System32\\InputCloudStore.dll",
"md5": "13208dbfbbcfbad9cd0e6ab59f72bdec",
"name": "PenSyncDataAvailable",
"signed": true
},
{
"fullpath": "",
"md5": null,
"name": "PerformRemediation",
"signed": false
},
{
"fullpath": "C:\\Windows\\system32\\appidpolicyconverter.exe",
"md5": "69a6bef4903650d20c12cbeff41367b0",
"name": "PolicyConverter",
"signed": true
},
{
"fullpath": "C:\\Windows\\system32\\rundll32.exe",
"md5": "f5b2d37bed0d2b15957736c23b9f547f",
"name": "Pre-staged app cleanup",
"signed": true
},
{
"fullpath": "C:\\Windows\\System32\\pstask.dll",
"md5": "796fb59bbf6e037b8a0c7646e6ea7a9e",
"name": "ProactiveScan",
"signed": true
},
{
"fullpath": "C:\\Windows\\System32\\MemoryDiagnostic.dll",
"md5": "8354fde902ba277b46c92175466438ef",
"name": "ProcessMemoryDiagnosticEvents",
"signed": true
},
{
"fullpath": "C:\\Windows\\system32\\compattelrunner.exe",
"md5": "003339d6b38472f62b5da9c5d31f24ea",
"name": "ProgramDataUpdater",
"signed": true
},
{
"fullpath": "C:\\Windows\\System32\\srmclient.dll",
"md5": "b2037c5822de4fc8107d952b55d7f107",
"name": "Property Definition Sync",
"signed": true
},
{
"fullpath": "C:\\Windows\\system32\\rundll32.exe",
"md5": "f5b2d37bed0d2b15957736c23b9f547f",
"name": "Proxy",
"signed": true
},
{
"fullpath": "C:\\Windows\\system32\\wermgr.exe",
"md5": "ada54642a633e778222008de627b5db5",
"name": "QueueReporting",
"signed": true
},
{
"fullpath": "C:\\Windows\\System32\\fcon.dll",
"md5": "3f6291e0a27897796b7f91d6402578e3",
"name": "ReconcileFeatures",
"signed": true
},
{
"fullpath": "C:\\Windows\\system32\\dsregcmd.exe",
"md5": "f4c8c7def69c3fcaf375db9a7710fd35",
"name": "Recovery-Check",
"signed": true
},
{
"fullpath": "C:\\Windows\\System32\\wosc.dll",
"md5": "feed4b9d117a6a512d93ca4e2c060419",
"name": "RefreshCache",
"signed": true
},
{
"fullpath": "C:\\Windows\\System32\\regidle.dll",
"md5": "f4608228b68515fe0ea440e1865f77c6",
"name": "RegIdleBackup",
"signed": true
},
{
"fullpath": "C:\\Windows\\system32\\sc.exe",
"md5": "6fb10cd439b40d92935f8f6a0c99670a",
"name": "Registration",
"signed": true
},
{
"fullpath": "C:\\Windows\\system32\\usoclient.exe",
"md5": "e4fd0a267e8d740f62e3ddf99917cbcc",
"name": "Report policies",
"signed": true
},
{
"fullpath": "C:\\Windows\\System32\\wdi.dll",
"md5": "90bec7af03968f67bca4a1da50b042db",
"name": "ResolutionHost",
"signed": true
},
{
"fullpath": "C:\\Windows\\System32\\MemoryDiagnostic.dll",
"md5": "8354fde902ba277b46c92175466438ef",
"name": "RunFullMemoryDiagnostic",
"signed": true
},
{
"fullpath": "C:\\Windows\\System32\\InstallServiceTasks.dll",
"md5": "855ebaa8373521bd3d39f282d36a2ba3",
"name": "ScanForUpdates",
"signed": true
},
{
"fullpath": "C:\\Windows\\System32\\InstallServiceTasks.dll",
"md5": "855ebaa8373521bd3d39f282d36a2ba3",
"name": "ScanForUpdatesAsUser",
"signed": true
},
{
"fullpath": "C:\\Windows\\system32\\usoclient.exe",
"md5": "e4fd0a267e8d740f62e3ddf99917cbcc",
"name": "Schedule Maintenance Work",
"signed": true
},
{
"fullpath": "C:\\Windows\\system32\\usoclient.exe",
"md5": "e4fd0a267e8d740f62e3ddf99917cbcc",
"name": "Schedule Scan",
"signed": true
},
{
"fullpath": "C:\\Windows\\system32\\usoclient.exe",
"md5": "e4fd0a267e8d740f62e3ddf99917cbcc",
"name": "Schedule Scan Static Task",
"signed": true
},
{
"fullpath": "C:\\Windows\\system32\\usoclient.exe",
"md5": "e4fd0a267e8d740f62e3ddf99917cbcc",
"name": "Schedule Wake To Work",
"signed": true
},
{
"fullpath": "C:\\Windows\\system32\\usoclient.exe",
"md5": "e4fd0a267e8d740f62e3ddf99917cbcc",
"name": "Schedule Work",
"signed": true
},
{
"fullpath": "C:\\Windows\\System32\\sdiagschd.dll",
"md5": "c7ceb5a1f22da23b718712cb252df58a",
"name": "Scheduled",
"signed": true
},
{
"fullpath": "c:\\windows\\system32\\sc.exe",
"md5": "6fb10cd439b40d92935f8f6a0c99670a",
"name": "Scheduled Start",
"signed": true
},
{
"fullpath": "C:\\Windows\\system32\\defrag.exe",
"md5": "2e190d98b46b93e62f68841216addd31",
"name": "ScheduledDefrag",
"signed": true
},
{
"fullpath": "C:\\Windows\\system32\\sdndiagnosticstask.exe",
"md5": "f56edf564602897934978c3a27ffa65b",
"name": "SDN Diagnostics Task",
"signed": true
},
{
"fullpath": "C:\\Windows\\system32\\TpmTasks.dll",
"md5": "e10d2a03386c5056b0453f37b5ed5a66",
"name": "Secure-Boot-Update",
"signed": true
},
{
"fullpath": "C:\\Windows\\system32\\srvinitconfig.exe",
"md5": "4273af0631f9c5d86bef8fb1687320b0",
"name": "Server Initial Configuration Task",
"signed": true
},
{
"fullpath": "C:\\Windows\\system32\\rundll32.exe",
"md5": "f5b2d37bed0d2b15957736c23b9f547f",
"name": "Server Manager Performance Monitor",
"signed": true
},
{
"fullpath": "C:\\Windows\\system32\\servermanagerlauncher.exe",
"md5": "548f7e09b5824e7c66a5e3174f8abe38",
"name": "ServerManager",
"signed": true
},
{
"fullpath": "C:\\Windows\\system32\\oobe\\SetupCleanupTask.dll",
"md5": "6f06af96d37e95e4361943ad96152db4",
"name": "SetupCleanupTask",
"signed": true
},
{
"fullpath": "C:\\Windows\\system32\\cleanmgr.exe",
"md5": "1a52c127fd0638bc2724765969c60b18",
"name": "SilentCleanup",
"signed": true
},
{
"fullpath": "C:\\Windows\\System32\\InstallServiceTasks.dll",
"md5": "855ebaa8373521bd3d39f282d36a2ba3",
"name": "SmartRetry",
"signed": true
},
{
"fullpath": "C:\\Windows\\system32\\spaceagent.exe",
"md5": "0468be9a2369f777c26944e5a55aa357",
"name": "SpaceAgentTask",
"signed": true
},
{
"fullpath": "C:\\Windows\\system32\\spaceman.exe",
"md5": "fede04bb5054ee911cd363c2c5e9eae4",
"name": "SpaceManagerTask",
"signed": true
},
{
"fullpath": "C:\\Windows\\system32\\speech_onecore\\common\\speechmodeldownload.exe",
"md5": "0198cb2290a8ba095c79494c70fdd24d",
"name": "SpeechModelDownloadTask",
"signed": true
},
{
"fullpath": "C:\\Windows\\system32\\TpmTasks.dll",
"md5": "e10d2a03386c5056b0453f37b5ed5a66",
"name": "Sqm-Tasks",
"signed": true
},
{
"fullpath": "",
"md5": null,
"name": "StartComponentCleanup",
"signed": false
},
{
"fullpath": "C:\\Windows\\system32\\rundll32.exe",
"md5": "f5b2d37bed0d2b15957736c23b9f547f",
"name": "StartupAppTask",
"signed": true
},
{
"fullpath": "C:\\Windows\\System32\\TieringEngineService.exe",
"md5": "a86dc1b6dc847669ef04a290fe53dd00",
"name": "Storage Tiers Management Initialization",
"signed": true
},
{
"fullpath": "C:\\Windows\\system32\\defrag.exe",
"md5": "2e190d98b46b93e62f68841216addd31",
"name": "Storage Tiers Optimization",
"signed": true
},
{
"fullpath": "C:\\Windows\\System32\\edptask.dll",
"md5": "45ed986a4271a0f5d9a27161af5a76ee",
"name": "StorageCardEncryption Task",
"signed": true
},
{
"fullpath": "C:\\Windows\\system32\\StorageUsage.dll",
"md5": "03cc10ff04282f400550980f7db446e3",
"name": "StorageSense",
"signed": true
},
{
"fullpath": "C:\\Windows\\System32\\sppcext.dll",
"md5": "9caaf31c430fb739eb183b8465e57527",
"name": "SvcRestartTask",
"signed": true
},
{
"fullpath": "C:\\Windows\\System32\\sppcext.dll",
"md5": "9caaf31c430fb739eb183b8465e57527",
"name": "SvcRestartTaskLogon",
"signed": true
},
{
"fullpath": "C:\\Windows\\System32\\sppcext.dll",
"md5": "9caaf31c430fb739eb183b8465e57527",
"name": "SvcRestartTaskNetwork",
"signed": true
},
{
"fullpath": "C:\\Windows\\System32\\CoreGlobConfig.dll",
"md5": "12d3ccc0bb2e767fbfb939d9f67f292a",
"name": "Synchronize Language Settings",
"signed": true
},
{
"fullpath": "C:\\Windows\\system32\\sc.exe",
"md5": "6fb10cd439b40d92935f8f6a0c99670a",
"name": "SynchronizeTime",
"signed": true
},
{
"fullpath": "C:\\Windows\\system32\\tzsync.exe",
"md5": "5f35acc7c00591d50552ef7bbf02c99a",
"name": "SynchronizeTimeZone",
"signed": true
},
{
"fullpath": "C:\\Windows\\system32\\bcdboot.exe",
"md5": "5db087d20a396ca780e453a6aefcbac4",
"name": "SyspartRepair",
"signed": true
},
{
"fullpath": "C:\\Windows\\system32\\drvinst.exe",
"md5": "99d71c1a835ade7bbe8914e1c99abc62",
"name": "Sysprep Generalize Drivers",
"signed": true
},
{
"fullpath": "C:\\Windows\\System32\\PlaySndSrv.dll",
"md5": "9e29f169c3709059eec0927218fc012e",
"name": "SystemSoundsService",
"signed": true
},
{
"fullpath": "C:\\Windows\\system32\\dimsjob.dll",
"md5": "051ec97c93e31707f84f334af2b130d7",
"name": "SystemTask",
"signed": true
},
{
"fullpath": "C:\\Windows\\System32\\TempSignedLicenseExchangeTask.dll",
"md5": "4ec2e7dd80dc186e27d8ff7c75f39d22",
"name": "TempSignedLicenseExchange",
"signed": true
},
{
"fullpath": "C:\\Windows\\System32\\InputCloudStore.dll",
"md5": "13208dbfbbcfbad9cd0e6ab59f72bdec",
"name": "TouchpadSyncDataAvailable",
"signed": true
},
{
"fullpath": "C:\\Windows\\system32\\TpmTasks.dll",
"md5": "e10d2a03386c5056b0453f37b5ed5a66",
"name": "Tpm-HASCertRetr",
"signed": true
},
{
"fullpath": "C:\\Windows\\system32\\TpmTasks.dll",
"md5": "e10d2a03386c5056b0453f37b5ed5a66",
"name": "Tpm-Maintenance",
"signed": true
},
{
"fullpath": "C:\\Windows\\System32\\LanguageComponentsInstaller.dll",
"md5": "742c212ba7f256577168aeee2b00fb7c",
"name": "Uninstallation",
"signed": true
},
{
"fullpath": "C:\\Windows\\SYSTEM32\\bthudtask.exe",
"md5": "8b5a37ab9140906cd4d0eba1af316fd5",
"name": "UninstallDeviceTask",
"signed": true
},
{
"fullpath": "C:\\Program Files\\windows media player\\wmpnscfg.exe",
"md5": "ec604a0d8a27976ab136a489d9b6aa76",
"name": "UpdateLibrary",
"signed": true
},
{
"fullpath": "C:\\Windows\\System32\\Windows.UI.Immersive.dll",
"md5": "9317b7ddf5e59f1baf3f5b8c4024e39d",
"name": "UpdateUserPictureTask",
"signed": true
},
{
"fullpath": "C:\\Windows\\SYSTEM32\\sc.exe",
"md5": "6fb10cd439b40d92935f8f6a0c99670a",
"name": "UPnPHostConfig",
"signed": true
},
{
"fullpath": "C:\\Windows\\System32\\fcon.dll",
"md5"