package server

Get desktop application:
View/edit binary Protocol Buffers messages

Used by containers to signal the "alerting" container

• string type = 1

  Currently just "slack"

• string text = 2

  Text to send for the alert

• string originating_service = 3

  The service the message originated from (optional)

Used in: FileDataEnriched

• oneof analysis_type

  • DotnetAnalysis dotnet_analysis = 1

Used in: ParsedData

• repeated ConnectionString connection_strings = 1

• repeated JWTToken jwt_tokens = 2

Used in: ParsedData

• string type = 1

• bool is_encrypted = 3

• uint32 uncompressed_size = 5

• optional string encryption_hash = 7

  *2john hash representing the archive password

• repeated Archive.ArchiveEntry entries = 10

Used in: Archive

• string name = 1

• bool is_dir = 2

• uint32 compress_size = 3

• uint32 uncompress_size = 4

• optional google.protobuf.Timestamp last_modified = 5

Data that may be used to authenticate to a resource. The resource does not need to be accessible over a network and a local resource may be specified using the file:// scheme in the URI parameter. The type data may be anything that may be used to authenticate such as a password, certificate, JWT, SAML token, TGT, NTLM hash, private key, etc. The authentication data does not need to be additionally encoded because all ODR string parameters already support hex encoding values. ODR: `authentication_data`, defined in docs/odr/references/authentication_data.md See authentication_data.md for supported "type" values.

Used in: AuthenticationDataIngestionMessage

• string data = 1

  Case sensitive data or a Nemesis UUID reference (if over 1k)

• string type = 2

  type of the authentication data

• bool is_file = 3

  Boolean for if data is a reference to a binary submission

• string uri = 4

  Location of where the data is valid

• string username = 5

  Simple or FQDN username

• string notes = 6

  any additional notes/context

• string originating_object_id = 7

  the Nemesis UUID referencing the original file the hash was extracted from (if applicable)

• optional Metadata metadata = 1

• repeated AuthenticationDataIngestion data = 2

Used in: FileDataEnriched

• bool canaries_present = 1

• repeated Canaries.Canary canaries = 2

Used in: Canaries

• string type = 1

• repeated string data = 2

Used in: ChromiumCookieMessage

• string originating_object_id = 1

• string user_data_directory = 2

• string username = 3

• string browser = 4

• string host_key = 5

• string name = 6

• string path = 7

• optional google.protobuf.Timestamp creation = 8

• optional google.protobuf.Timestamp expires = 9

• optional google.protobuf.Timestamp last_access = 10

• optional google.protobuf.Timestamp last_update = 11

• bool is_secure = 12

• bool is_httponly = 13

• bool is_session = 14

• string samesite = 15

• int32 source_port = 16

• bytes value_enc = 20

• string encryption_type = 21

• string masterkey_guid = 22

• bool is_decrypted = 24

• string value_dec = 25

• string classification = 30

  added in enrichment

• optional Metadata metadata = 1

• repeated ChromiumCookie data = 2

Used in: ParsedData

• string user_data_directory = 1

• string browser = 2

• string username = 3

• uint32 cookies_count = 4

Used in: ChromiumDownloadMessage

• string originating_object_id = 1

• string user_data_directory = 2

• string username = 3

• string browser = 4

• string url = 5

• string download_path = 6

• optional google.protobuf.Timestamp start_time = 7

• optional google.protobuf.Timestamp end_time = 8

• uint64 total_bytes = 9

• string danger_type = 10

• optional Metadata metadata = 1

• repeated ChromiumDownload data = 2

Used in: ChromiumHistoryMessage

• string originating_object_id = 1

• string user_data_directory = 2

• string username = 3

• string browser = 4

• string url = 5

• string title = 6

• uint32 visit_count = 7

• uint32 typed_count = 8

• optional google.protobuf.Timestamp last_visit_time = 9

Used in: ParsedData

• string user_data_directory = 1

• string browser = 2

• string username = 3

• uint32 urls_count = 4

• uint32 downloads_count = 5

• optional Metadata metadata = 1

• repeated ChromiumHistoryEntry data = 2

Used in: ChromiumLoginMessage

• string originating_object_id = 1

• string user_data_directory = 2

• string username = 3

• string browser = 4

• string origin_url = 5

• string username_value = 6

• string signon_realm = 7

• optional google.protobuf.Timestamp date_created = 8

• optional google.protobuf.Timestamp date_last_used = 9

• optional google.protobuf.Timestamp date_password_modified = 10

• uint32 times_used = 11

• bytes password_value_enc = 15

• string encryption_type = 16

• string masterkey_guid = 17

• bool is_decrypted = 20

• string password_value_dec = 21

• optional Metadata metadata = 1

• repeated ChromiumLogin data = 2

Used in: ParsedData

• string user_data_directory = 1

• string browser = 2

• string username = 3

• uint32 logins_count = 4

Used in: ChromiumStateFileMessage, ParsedData

• string user_data_directory = 1

• string browser = 2

• string username = 3

• optional google.protobuf.Timestamp installation_date = 5

• uint32 launch_count = 6

• string masterkey_guid = 10

• bytes key_bytes_enc = 11

• bytes app_bound_fixed_data_enc = 12

• bool is_decrypted = 13

• bytes key_bytes_dec = 14

• bytes app_bound_fixed_data_dec = 15

• string originating_object_id = 20

• optional Metadata metadata = 1

• repeated ChromiumStateFile data = 2

Used in: AppSettings, WebConfig

• string name = 1

• string provider_name = 2

• string connection_string = 3

• optional DatabaseCredential database_credential = 4

Used in: CookieIngestionMessage

• string user_data_directory = 1

  Path of the user data folder, if known.

• string domain = 2

  Domain/host_key for the cookie

• string path = 3

  Path on the domain for the cookie.

• string name = 4

  Name of the cookie value.

• string value = 5

  Plaintext decrypted cookie value (if decrypted).

• string value_enc = 6

  Base64 encoding of encrypted value bytes.

• optional google.protobuf.Timestamp expires = 10

  Timestamp of when the cookie expires.

• optional google.protobuf.Timestamp creation = 11

  Timestamp of when the cookie was created.

• optional google.protobuf.Timestamp last_access = 12

  Timestamp of when the cookie was last accessed.

• optional google.protobuf.Timestamp last_update = 13

  Timestamp of when the cookie was last updated.

• bool secure = 15

  True/1 if the cookie can only be accessed by the server.

• bool http_only = 16

  True/1 if the cookie can only be accessed by the server.

• bool session = 17

  True if the cookie is deleted when the user closes their browser.

• string samesite = 18

  STRICT/LAX/NONE, protection against CSRF attacks.

• uint32 source_port = 19

  The port number of the source origin.

• optional Metadata metadata = 1

• repeated CookieIngestion data = 2

Used in: ConnectionString

• string type = 1

• string server = 2

• string database = 3

• string username = 4

• string password = 5

Used in: Imports

• string name = 1

• repeated Symbol symbols = 2

Used in: RegHiveSecurity

• bool is_decrypted = 1

  true if the hive values are decrypted

• bytes enc_raw_value = 2

  raw bytes extracted from the registry key

• string domain_long = 3

  DOMAIN.CORP/username

• string user_name = 4

  username

• int32 iteration_count = 5

  counts for Vista style iteration

• bytes cached_hash = 6

  bytes of the decoded domain cached hash

• string answer = 7

  string representation of the crackable hash

• optional google.protobuf.Timestamp timestamp = 8

  timestamp of the login, UTC

Used in: Analysis

• bool has_deserialization = 1

• bool has_cmd_execution = 2

• bool has_remoting = 3

• repeated string remoting_channels = 5

• bool is_wcf_server = 7

• bool is_wcf_client = 9

• repeated DotnetAnalysis.GadgetCall serialization_gadget_calls = 11

• repeated DotnetAnalysis.GadgetCall wcf_server_calls = 13

• repeated DotnetAnalysis.GadgetCall client_calls = 15

• repeated DotnetAnalysis.GadgetCall remoting_calls = 17

• repeated DotnetAnalysis.GadgetCall cmd_execution_calls = 19

Used in: DotnetAnalysis

• string gadget_name = 1

• string method_name = 2

• string filter_level = 3

Used in: ParsedData

• optional Header header = 1

• optional Exports exports = 3

• optional Imports imports = 5

• optional VersionInfo version_info = 7

• repeated string string_resources = 9

• repeated Signature signatures = 11

• repeated Resource resources = 13

• string pdb_string = 15

• string dotnet_version = 17

• repeated Typeref typerefs = 19

• repeated ImplMapEntry impl_map_entries = 21

Used in: DpapiBlobMessage

• string dpapi_blob_id = 1

  unique identifier so originating documents can keep track of which DPAPI blobs were extracted from it in this case this ID does NOT refer to a file in S3

• string originating_object_id = 3

  the Nemesis UUID referencing the original file the dpapi blob was extracted from

• string originating_registry_id = 4

  the Nemesis UUID referencing the registry key the dpapi blob was extracted from

• string masterkey_guid = 5

  the GUID of the masterkey for the blob

• bool is_file = 7

  true if enc_data/dec_data are references to a binary submission (UUID in S3)

• bool is_decrypted = 9

  true if the dpapi blob has been decrypted

• bytes enc_data_bytes = 11

  If the encrypted data is < 1024 bytes it will be stored as bytes in this field

• string enc_data_object_id = 13

  If the encrypted data is > 1024 bytes it will be will be stored in S3 as a UUID file

• bytes dec_data_bytes = 15

  If the decrypted data is < 1024 bytes it will be stored as bytes in this field

• string dec_data_object_id = 17

  If the decrypted data is > 1024 bytes it will be will be stored in S3 as a UUID file

• optional Metadata metadata = 1

• repeated DpapiBlob data = 2

not yet used

https://github.com/fortra/impacket/blob/8799a1a2c42ad74423841d21ed5f4193ea54f3d5/impacket/dpapi.py#L850-L862

Used in: DpapiCredentialFile

• uint32 flags = 1

• string keyword = 2

• bytes data = 3

Used in: ParsedData

• string dpapi_blob_id = 1

  unique identifier of the carved DPAPI blob ID that decrypts to the data below TODO: how to exactly handle this being decrypted?

• optional google.protobuf.Timestamp last_written = 5

• DpapiCredentialFile.CREDENTIAL_FLAGS flags = 6

• DpapiCredentialFile.CREDENTIAL_PERSIST persist = 7

• DpapiCredentialFile.CREDENTIAL_TYPE type = 8

• string comment = 10

• string target = 12

• string target_alias = 14

• string username = 16

• string credential = 18

• repeated DpapiCredentialAttribute credential_attribute = 20

https://github.com/fortra/impacket/blob/8799a1a2c42ad74423841d21ed5f4193ea54f3d5/impacket/dpapi.py#L196-L204

Used in: DpapiCredentialFile

• CRED_FALGS_UNKNOWN = 0

• CRED_FLAGS_PASSWORD_FOR_CERT = 1

• CRED_FLAGS_PROMPT_NOW = 2

• CRED_FLAGS_USERNAME_TARGET = 4

• CRED_FLAGS_OWF_CRED_BLOB = 8

• CRED_FLAGS_REQUIRE_CONFIRMATION = 16

• CRED_FLAGS_WILDCARD_MATCH = 32

• CRED_FLAGS_VSM_PROTECTED = 64

• CRED_FLAGS_NGC_CERT = 128

https://github.com/fortra/impacket/blob/8799a1a2c42ad74423841d21ed5f4193ea54f3d5/impacket/dpapi.py#L216-L220

Used in: DpapiCredentialFile

• CRED_PERSIST_NONE = 0

• CRED_PERSIST_SESSION = 1

• CRED_PERSIST_LOCAL_MACHINE = 2

• CRED_PERSIST_ENTERPRISE = 3

https://github.com/fortra/impacket/blob/8799a1a2c42ad74423841d21ed5f4193ea54f3d5/impacket/dpapi.py#L206=L214

Used in: DpapiCredentialFile

• CRED_TYPE_UNKNOWN = 0

• CRED_TYPE_GENERIC = 1

• CRED_TYPE_DOMAIN_PASSWORD = 2

• CRED_TYPE_DOMAIN_CERTIFICATE = 3

• CRED_TYPE_DOMAIN_VISIBLE_PASSWORD = 4

• CRED_TYPE_GENERIC_CERTIFICATE = 5

• CRED_TYPE_DOMAIN_EXTENDED = 6

• CRED_TYPE_MAXIMUM = 7

• CRED_TYPE_MAXIMUM_EX = 8

Used in: DpapiDomainBackupkeyMessage

• string domain_backupkey_guid = 1

  the unique GUID identifying the domain backup key

• string domain_controller = 3

  the FQDN of the domain controller the backup key was retrieved from

• bytes domain_backupkey_bytes = 5

  the actual bytes of the domain backupkey

• optional Metadata metadata = 1

• repeated DpapiDomainBackupkey data = 2

also used in ParsedData

Used in: DpapiMasterkeyMessage, ParsedData

• string object_id = 1

  the Nemesis UUID returned by the web-api/file endpoint, also the name the file is stored as in S3

• string type = 2

  whether this is a "domain_user, "local_user", or "machine" masterkey

• string username = 3

  the username the masterkey belongs to

• string user_sid = 4

  the SID of the user the masterkey belongs to

• string masterkey_guid = 5

  the GUID that identifies that masterkey

• bool is_decrypted = 6

  true if the key has been decrypted

• bytes masterkey_bytes = 7

  the raw bytes of the masterkey subkey

• string domain_backupkey_guid = 10

  GUID of the domain master/backup key

• bytes domainkey_pb_secret = 11

  bytes encrypted by the domain backup key

• bytes decrypted_key_full = 12

  the full decrypted master key

• bytes decrypted_key_sha1 = 13

  the sha1 representation of the masterkey

• optional Metadata metadata = 1

• repeated DpapiMasterkey data = 2

Generic Error message

• string error = 1

Used in: ParsedData

• string converted_csv = 1

  Nemesis UUID

• string converted_json = 3

  Nemesis UUID

• string originating_object_id = 5

  Nemesis UUID

Used in: DotnetAssembly, Pe

• repeated Symbol symbols = 1

Hashes extracted from processed files

Used in: ExtractedHashMessage

• string hash_type = 1

  md5/sha1/etc.

• string hash_value = 2

  actual hash data

• string originating_object_id = 3

  the Nemesis UUID referencing the original file the hash was extracted from

• string hashcat_formatted_value = 5

  hash value formatted for Hashcat

• string jtr_formatted_value = 6

  hash value formatted for JohnTheRipper

• bool is_cracked = 10

  whether the hash has been cracked

• string jtr_pot_line = 11

  if cracked, the jtr pot value

• bool checked_against_top_passwords = 12

  whether the value was checked against the top X passwords with JTR

• string plaintext_value = 13

  if cracked, the plaintext value

• bool is_submitted_to_cracker = 20

  not yet used

• optional google.protobuf.Timestamp cracker_submission_time = 21

  not yet used

• optional google.protobuf.Timestamp cracker_cracked_time = 22

  not yet used

• optional Metadata metadata = 1

• repeated ExtractedHash data = 2

Used in: FileDataEnrichedMessage

• string object_id = 1

  the Nemesis UUID returned by the web-api/file endpoint, also the name the file is stored as in S3

• string originating_object_id = 2

  If the file was extracted from another existing file in Nemesis (e.g., a zip or jar), this optional field is the Nemesis UUID referencing the original file

• repeated string enrichments_success = 3

  Enrichments that ran and succeeded

• repeated string enrichments_failure = 4

  Enrichments that ran but failed

• string path = 5

  The path must be in a UNC, file system, or mapped path format. File system and mapped paths must be absolute and use forward slashes for separators (e.g. /).

• uint64 size = 6

  Size of the file, in bytes

• string name = 7

  The base file name

• string extension = 8

  The file extension

• optional FileHashes hashes = 10

  Various hashes for the file

• string nemesis_file_type = 11

  The "Nemesis file type", i.e. any format defined in /cmd/file-processor/file_types/

• string magic_type = 13

  The magic mime type returned from libmagic (a la the `file` command)

• bool is_binary = 15

  True if the file is binary, False if it's text

• bool is_source_code = 16

  True if the file is a supported source code file extension

• bool is_office_doc = 17

  True if the file is an office form consumed by Tika for text extraction

• optional ParsedData parsed_data = 19

  any Nemesis-specific data parsed from the file

• optional Analysis analysis = 21

  any file analysis (e.g., dotnet analysis)

• string converted_pdf = 23

  if the document was converted to a PDF, this is the Nemesis object_id/UUID referring to that file in S3

• optional string extracted_plaintext = 25

  if the document had plaintext extracted, this is the Nemesis object_id/UUID referring to that file in S3

• string extracted_source = 27

  if the binary had source code extracted (i.e., .NET decompilation), this is the Nemesis object_id/UUID referring to that file in S3

• optional NoseyParker noseyparker = 29

  any NoseyParker results if this file wasn't binary

• optional YaraMatches yara_matches = 31

  any Yara rule matches

• optional Canaries canaries = 33

  possible document canaries

• bool contains_dpapi = 40

  true if the file contains DPAPI data

• repeated string dpapi_blobs = 42

  one or more object_id's that refer to DpapiBlob structures that were extracted from this file

• optional Metadata metadata = 1

• repeated FileDataEnriched data = 2

The content of a specific file system resource. The path must be in a UNC, file system, or mapped path format. File system and mapped paths must be absolute and use forward slashes for separators (e.g. /). Paths are expected to be canonicalized but there is no verification of this. ODR: `file_data`, defined in file_data.md

Used in: FileDataIngestionMessage

• string object_id = 1

  Nemesis UUID referring to the uploaded file

• string path = 2

  Case sensitive file path

• uint64 size = 3

  Size of the file, in bytes

• string originating_object_id = 4

  If the file was extracted from another existing file in Nemesis (e.g., a zip or jar), this optional field is the Nemesis UUID referencing the original file

• optional Metadata metadata = 1

• repeated FileDataIngestion data = 2

Used in: FileDataPlaintextMessage

• string object_id = 1

  the Nemesis UUID referencing the plaintext file in S3

• repeated string enrichments_success = 2

  Enrichments that ran and succeeded

• repeated string enrichments_failure = 3

  Enrichments that ran but failed

• string originating_object_id = 5

  the Nemesis UUID referencing the original file the plaintext was extracted from

• string originating_object_converted_pdf = 6

  if the originating document was converted to a PDF, this is the Nemesis object_id/UUID referring to that file in S3

• string originating_object_path = 7

  the path of the originating downloaded file/object, if it exists

• uint64 originating_object_size = 8

  the size (in bytes) of the originating file/object, if it exists

• uint64 size = 9

  size of the raw extracted text, in bytes

• uint64 word_count = 10

  number of individual tokens

• string summary = 11

  short summary of the text

• optional NoseyParker noseyparker = 24

  any NoseyParker results (including hashes) for the plaintext

message for text chunks extracted from a FileDataPlaintext document has simplified metadata since it goes straight back to the NLP service after extraction

• uint64 chunk_size = 1

  length of the chunk size, in characters

• string text = 3

  the raw text of the chunk

• string plaintext_object_id = 5

  the Nemesis UUID referencing the plaintext file the chunk came from

• string originating_object_id = 6

  the Nemesis UUID referencing the original file the plaintext was extracted from

• string originating_object_path = 7

  the path of the originating downloaded file/object the plaintext whole originated from, if it exists

• optional Metadata metadata = 1

• repeated FileDataPlaintext data = 2

Used in: FileDataSourcecodeMessage

• string object_id = 1

  the Nemesis UUID referencing the source code file in S3

• string originating_object_id = 2

  If the file was extracted from another existing file in Nemesis (e.g., a zip or jar), this optional field is the Nemesis UUID referencing the original file

• string path = 3

  The path must be in a UNC, file system, or mapped path format. File system and mapped paths must be absolute and use forward slashes for separators (e.g. /).

• string name = 4

  The base file name

• string extension = 5

  The file extension

• string language = 7

  Language for the source code file

• uint64 size = 9

  Size of the file, in bytes

• optional Metadata metadata = 1

• repeated FileDataSourcecode data = 2

Used in: FileDataEnriched

• string md5 = 1

• string sha1 = 2

• string sha256 = 3

Information about a specific file system resource. Note that file_info is more specialized than the path_list submission which may include information about non-file system resources (ex. registry paths). The path must be in a UNC, file system, or mapped path format. File system and mapped paths must be absolute and use forward slashes for separators (e.g. /). Paths are expected to be canonicalized but there is no verification of this. Submission parameters may accommodate files from most operating systems. The only submission parameters that are required is the file path and type. Note that all date time parameters in ODRs including for the modified, access, and creation times for Windows files are expected to be UTC.

Used in: FileInformationIngestionMessage

• string path = 1

  case sensitive file path

• string type = 3

  case insensitive full name of file type currently: file, folder, share

• uint64 size = 5

  size in bytes

• optional google.protobuf.Timestamp creation_time = 7

  file creation time in UTC

• optional google.protobuf.Timestamp access_time = 9

  file last access time in UTC

• optional google.protobuf.Timestamp modification_time = 11

  file modification time in UTC

• uint32 access_mode = 13

  *nix permission number

• string group = 15

  *nix case sensitive file group membership

• string id = 17

  *nix string for an inode or file id

• string owner = 19

  case sensitive owner (*nix and Windows)

• string sddl = 21

  case sensitive Windows permission string

• string version_info = 30

  optional Windows VersionInfo fields

• optional Metadata metadata = 1

• repeated FileInformationIngestion data = 2

Used in: ParsedData

• repeated GroupPolicyPreferences.GroupPolicyPreferencesEntry entries = 1

Used in: GroupPolicyPreferences

• string username = 1

• string cpassword = 2

• string password = 3

• string newname = 4

• string description = 5

• optional google.protobuf.Timestamp changed = 6

• string action = 7

• bool disabled = 8

• bool never_expires = 9

Used in: DotnetAssembly, Pe

• uint32 major_image_version = 1

• uint32 major_linker_version = 2

• uint32 major_operating_system_version = 3

• uint32 major_subsystem_version = 4

• uint32 minor_image_version = 5

• uint32 minor_linker_version = 6

• uint32 minor_operating_system_version = 7

• uint32 minor_subsystem_version = 8

• optional google.protobuf.Timestamp time_date_stamp = 9

Used in: DotnetAssembly

• string module_name = 1

• string function_name = 2

Used in: DotnetAssembly, Pe

• repeated Dll dlls = 1

Used in: AppSettings

• string key = 1

• string issuer = 2

• string audience = 3

• string minutes_to_expiration = 4

Used in: RegHiveSecurity

• string name = 1

  name of the secret

• bool is_decrypted = 2

  true if the value is decrypted

• bytes value_enc = 3

  encrypted bytes of the secret

• bytes value_dec = 4

  decrypted bytes of the secret

• string value_dec_str = 5

  string representation of the decrypted secret

Used in: ParsedData

• string target = 1

• string working_directory = 2

• string command_line_arguments = 3

• string machine_identifier = 4

• string comment = 5

• uint64 target_file_size = 6

• string location = 7

  "local" or "remote"

• bool run_as_admin = 8

• optional google.protobuf.Timestamp creation_time = 10

• optional google.protobuf.Timestamp accessed_time = 11

• optional google.protobuf.Timestamp modified_time = 12

Used in: ParsedData

• repeated McafeeSitelist.McafeeSitelistEntry entries = 1

Used in: McafeeSitelist

• string name = 1

• string type = 2

• string username = 3

• string password = 4

• string password_encrypted = 5

• bool enabled = 6

• bool local = 7

• string server = 8

• string domain_name = 9

• string share_name = 10

• bool useauth = 11

• string relativepath = 12

• bool used_loggedon_user_account = 13

Metadata header that's send with every message to the API ODR: defined in README.md

Used in: AuthenticationDataIngestionMessage, ChromiumCookieMessage, ChromiumDownloadMessage, ChromiumHistoryMessage, ChromiumLoginMessage, ChromiumStateFileMessage, CookieIngestionMessage, DpapiBlobMessage, DpapiDomainBackupkeyMessage, DpapiMasterkeyMessage, ExtractedHashMessage, FileDataEnrichedMessage, FileDataIngestionMessage, FileDataPlaintextMessage, FileDataSourcecodeMessage, FileInformationIngestionMessage, MetadataHeader, NamedPipeIngestionMessage, NetworkAddressIngestionMessage, NetworkConnectionIngestionMessage, PathListIngestionMessage, ProcessEnrichedMessage, ProcessIngestionMessage, ProcessMessage, RawDataIngestionMessage, RegistryValueIngestionMessage, RouteDataIngestionMessage, ServiceEnrichedMessage, ServiceIngestionMessage, TimeDataIngestionMessage

• string agent_id = 1

  Name or unique identifier for an agent

• string agent_type = 2

  Name of the type of agent (ex. beacon)

• bool automated = 3

  If the submission was automatically or manually sent

• string data_type = 4

  Name of the ODR the body must conform to

• string source = 5

  The semi-unique source for the data For host-related data_types, this is the hostname For network-related data_types, this is the network name For AD-related data_types, this is the full qualified domain name

• string project = 6

  Name or unique identifier for a project

• optional google.protobuf.Timestamp timestamp = 7

  Time the C2 platform sent the data to the ODS

• optional google.protobuf.Timestamp expiration = 8

  Time the data should be removed from the ODS

• string message_id = 9

  Name or unique identifier for a message

• optional Metadata metadata = 1

Information about Windows named pipes.

Used in: NamedPipeIngestionMessage

• string name = 1

  Case sensitive name.

• string server_process_name = 2

  Name of the server process that for named pipe, if known

• int32 server_process_id = 3

  PID of the server process that for named pipe, if known

• string server_process_path = 4

  Path of the server process that for named pipe, if known

• string sddl = 5

  Case sensitive Windows permission string

• optional Metadata metadata = 1

• repeated NamedPipeIngestion data = 2

Addresses that may be used to refer to the host the agent is running on or a network resource on the host. Addresses are expected to conform to the public standard for the address type but there is no verification of this. As an example, ethernet addresses are expected to use a hyphen as a separator instead of a colon as per IEEE 802.3 but this is not verified.

Used in: NetworkAddressIngestionMessage

• string address = 1

  Case sensitive address

• string type = 2

  Case insensitive name for the address type TODO: Make into an enum: ipv4, ipv6, mac, host, netbios, spn, ethernet

• string nic = 3

  Name or id for a network interface card

• optional Metadata metadata = 1

• repeated NetworkAddressIngestion data = 2

Connections between the host the agent is running with itself or another host. These could also be listening ports (i.e., netstat output) Addresses are expected to conform to the public standard for the address type but there is no verification of this as well. As an example, ethernet addresses are expected to use a hyphen as a separator instead of a colon as per IEEE 802.3 but this is not verified. The protocol list and matching source and destination lists represent the protocol stack used for a connection. The lists only need to represent a portion of the protocol stack and do not need to represent the entirety of it. The lists allow the ODR to be reused for any connection type an operator may be interested in without having to make a new ODR for each new connection type. local_address is treated as source, remote_address is treated as destination

Used in: NetworkConnectionIngestionMessage

• string local_address = 1

  Local/source address for the connection

• string remote_address = 2

  Remote/destination address for the connection

• string protocol = 3

  Protocol specification ("tcp,ipv4", "udp,ipv4", "tcp,ipv6", etc.)

• string state = 4

  Optional - case insensitive state of the connection (e.g., listen, established, etc.)

• uint32 process_id = 5

  Optional - process ID handling the connection

• string process_name = 6

  Optional - process name/command line handling the connection

• string service = 7

  Optional - service name handling the connection

• optional Metadata metadata = 1

• repeated NetworkConnectionIngestion data = 2

Protobuf representation of NoseyParker JSON output

Used in: FileDataEnriched, FileDataPlaintext

• repeated NoseyParker.RuleMatches rule_matches = 1

• bool has_matches = 2

Used in: Matches

• string charset = 1

• string id = 2

• string mime_essence = 3

• uint32 num_bytes = 4

Used in: Source_span

• uint32 line = 1

• uint32 column = 2

Used in: Matches

• optional Offset_span offset_span = 1

• optional Source_span source_span = 2

Used in: RuleMatches

• string blob_id = 1

• optional BlobMetadata blob_metadata = 2

• optional Location location = 3

• uint32 capture_group_index = 4

• string match_content = 5

• optional Snippet snippet = 6

• string rule_name = 7

• repeated Provenance provenance = 8

Used in: Location

• uint32 start = 1

• uint32 end = 2

Used in: Matches

• string kind = 1

• string path = 2

Used in: NoseyParker

• string rule_name = 1

• uint32 num_matches = 2

• string comment = 3

• string status = 4

• string type = 5

• string match_content = 6

• repeated Matches matches = 7

Used in: Matches

• string before = 1

• string matching = 2

• string after = 3

Used in: Location

• optional Start start = 1

• optional End end = 2

Used in: Source_span

• uint32 line = 1

• uint32 column = 2

.docx/.pptx/.xlsx/etc.

Used in: ParsedData

• string title = 1

• string creator = 2

• optional google.protobuf.Timestamp created = 3

• optional google.protobuf.Timestamp modified = 4

• string description = 5

• string keywords = 6

• string last_modified_by = 7

• string subject = 8

• uint32 revision = 9

• bool is_encrypted = 10

• optional string encryption_hash = 11

  office2john hash representing the document password

.doc/.ppt/.xls/etc.

Used in: ParsedData

• string title = 1

• string creator = 2

• optional google.protobuf.Timestamp created = 3

• optional google.protobuf.Timestamp modified = 4

• string keywords = 5

• string comments = 6

• string last_modified_by = 7

• string subject = 8

• string creating_application = 9

• uint32 total_edit_time = 10

• uint32 num_pages = 11

• uint32 num_slides = 12

• uint32 num_chars = 13

• bool is_encrypted = 15

• optional string encryption_hash = 16

  office2john hash representing the document password

Represents any file data type specifically parsed by Nemesis This is the container for the above section of messages

Used in: FileDataEnriched

• oneof data_type

  • string error = 1

  • Pe pe = 10

  • DotnetAssembly dotnet_assembly = 12

  • Passwd passwd = 14

  • Shadow shadow = 16

  • OfficeDocNew office_doc_new = 17

  • OfficeDocOle office_doc_ole = 18

  • Pdf pdf = 19

  • GroupPolicyPreferences group_policy_preferences = 20

  • McafeeSitelist mcafee_sitelist = 22

  • WebConfig web_config = 24

  • AppSettings appsettings = 26

  • Tomcat tomcat = 28

  • Archive archive = 30

  • Lnk lnk = 31

  • RawParsedData raw_parsed_data = 35

  • DpapiMasterkey dpapi_masterkey = 40

  • DpapiCredentialFile dpapi_credential = 42

    DpapiVault dpapi_vault = 43;

  • ChromiumHistoryFile chromium_history = 45

  • ChromiumLoginsFile chromium_logins = 46

  • ChromiumCookiesFile chromium_cookies = 47

  • ChromiumStateFile chromium_state_file = 48

  • SlackDownloads slack_downloads = 50

  • SlackWorkspaces slack_workspaces = 51

  • RegHiveSystem reg_hive_system = 55

  • RegHiveSecurity reg_hive_security = 56

  • RegHiveSam reg_hive_sam = 57

  • EvtxFile evtx_file = 60

• bool has_parsed_credentials = 5

  true if the parsed data has some kind of hash/password parsed

• bool is_encrypted = 7

  true if the file is encrypted in some way

Used in: ParsedData

• repeated Passwd.PasswdEntry entries = 1

Used in: Passwd

• string username = 1

• string user_id = 2

• string group_id = 3

• string home_directory = 4

• string shell = 5

Child listings for a specified path. The path must be in a UNC, URI, file system, or mapped path format. File system and mapped paths must be absolute and use forward slashes for separators (e.g. /). Paths are expected to be canonicalized but there is no verification of this. The mapped file format may be used to specify a registry keys as well using PowerShell convention of specifying the hive name as the drive (ex. HKLM:).

Used in: PathListIngestionMessage

• string path = 1

  Case sensitive resource path

• repeated string items = 2

  Case sensitive child items

• optional Metadata metadata = 1

• repeated PathListIngestion data = 2

Used in: ParsedData

• uint32 num_pages = 1

• string title = 2

• string author = 3

• string subject = 4

• string creator = 5

• string producer = 6

• optional google.protobuf.Timestamp created = 7

• optional google.protobuf.Timestamp modified = 8

• repeated string keywords = 9

• bool is_encrypted = 10

• optional string encryption_hash = 11

  pdf2john hash representing the document password

Used in: ParsedData

• optional Header header = 1

• optional Exports exports = 2

• optional Imports imports = 3

• optional VersionInfo version_info = 4

• repeated string string_resources = 5

• repeated Signature signatures = 6

Used in ProcessIngestion

Used in: Token

• string sid = 1

  Security identifier, if known

• string name = 2

  Name of the principal, if known. The format should be the Down-Level Logon Name (e.g., DOMAIN\user)

Used in: ProcessMessage

• string name = 1

  The name of the process

• string command_line = 2

  The current command line information

• string file_name = 3

  If known, the file that was executed

• uint32 process_id = 5

  Process id

• uint32 parent_process_id = 7

  Parent process id

• string arch = 8

  Architecture of the process

• optional google.protobuf.Timestamp start_time = 10

  When the process was started

• uint64 memory = 11

  The amount of memory used by the process, in bytes

• optional Token token = 12

  If present, Windows token information

Used in: ProcessEnriched

• string category = 1

  The category of the type of process (AV, EDR, infrastructure, etc.)

• optional string description = 2

  A description of process

Used in: ProcessEnrichedMessage

• optional ProcessIngestion origin = 1

  Original process data ingested

• optional ProcessCategory category = 2

  Categorization information about the process

• repeated string enrichments_success = 3

  Enrichments that ran and succeeded

• repeated string enrichments_failure = 4

  Enrichments that ran but failed

• optional Metadata metadata = 1

• repeated ProcessEnriched data = 2

Information about the currently running processes for the host the agent is running on. The file_name parameter must be in a UNC, file system, or mapped path format. File system and mapped paths must be absolute and use forward slashes for separators (e.g. /). Paths are expected to be canonicalized but there is no verification of this. Submission parameters may accommodate processes information for most operating systems. The only submission parameter that is required is the process id. Note that all start time parameters are expected to be from the Unix epoch.

Used in: ProcessEnriched, ProcessIngestionMessage

• string name = 1

  The name of the process

• string command_line = 2

  The current command line information

• string file_name = 3

  If known, the file that was executed

• int32 process_id = 4

  Process id

• int32 parent_process_id = 5

  Parent process id

• string arch = 6

  Architecture of the process

• optional google.protobuf.Timestamp start_time = 7

  When the process was started

• int64 memory = 8

  The amount of memory used by the process, in bytes

• optional Token token = 9

  If present, Windows token information

• optional Metadata metadata = 1

• repeated ProcessIngestion data = 2

• optional Metadata metadata = 1

• repeated Process data = 2

Data that may consist of anything. Developers and operators may use this type to push arbitrary data to the ODS to take advantage of any builtin or custom automated post processing the ODS performs. Example use cases include daily status reports, C2 logs, and other data that may be unique to the workflow of a team.

Used in: RawDataIngestionMessage

• repeated string tags = 1

  User defined case insensitive keywords

• bool is_file = 2

  Boolean for if data is a reference to a binary submission

• string data = 3

  Raw data or a UUID reference to data in the ODS

• optional Metadata metadata = 1

• repeated RawDataIngestion data = 2

RawParsedData is for unstructured data meant for the user instead of an automated pipeline

Used in: ParsedData

• string data = 1

Used in: ParsedData

• bool is_decrypted = 1

  true if the hive values are decrypted

• bytes f_bytes = 2

  bytes of the encrypted source for the HashedBootKey

• bytes hashed_boot_key = 3

  bytes of the decrypted HashedBootKey

• repeated SamHash sam_hashes = 5

  one or more local SAM hashes

Used in: ParsedData

• bool is_decrypted = 1

  true if the hive values are decrypted

• bool vista_style = 2

  true if hive is post XP

• bytes lsa_secret_key_enc = 5

  enc/dec bytes of the LSASecret

• bytes lsa_secret_key_dec = 6

• bytes nlkm_secret_enc = 7

  enc/dec bytes of the NLKM key

• bytes nlkm_secret_dec = 8

• repeated LSASecret lsa_secrets = 10

  one or more LSA secrets

• repeated DomainCachedCredential domain_cached_credentials = 12

  one or more domain cached creds

Used in: ParsedData

• bytes boot_key = 1

Used in: RegistryValueIngestionMessage

• string key = 1

  Case-sensitive absolute registry key path. Use backslashes for separators (e.g. `HKLM\Software`) This is the only required field since without it the others do not make sense.Alert If all other fields aren't present, this indicates that the key exists and may or may not have values.

• optional string value_name = 2

  (optional) Case sensitive value name. Set this to the empty string to indicate a key's default value.

• optional RegistryValueIngestion.RegistryValueKind value_kind = 3

  (optional) Type of the registry value

• optional string value = 4

  (optional) string representation of the value

• optional string sddl = 5

  (optional) string SDDL representation of key's security descriptor

• optional string tags = 6

  (optional) string comma separated tags for the registry key

Used in: RegistryValueIngestion

• UNKNOWN = 0

• STRING = 1

• EXPAND_STRING = 2

• BINARY = 3

• DWORD = 4

• DWORD_BIG_ENDIAN = 5

• LINK = 6

• MULTI_STRING = 7

• QWORD = 11

• optional Metadata metadata = 1

• repeated RegistryValueIngestion data = 2

Used in DotnetAssembly - TODO: combine into one block

Used in: DotnetAssembly

• string name = 1

• string md5 = 2

• string sha1 = 3

• string sha256 = 4

Network routing rules for the host the agent is running on. The network mask must be specified separately from the destination address. Addresses and network masks are also expected to conform to the public standard for the address type but there is no verification of this.

Used in: RouteDataIngestionMessage

• string destination = 1

  Case sensitive address

• string gateway = 2

  Address of the routing host

• string mask = 3

  Network mask for the destination address

• string nic = 4

  Name or id for a network interface card

• string protocol = 5

  Protocol of the route rule

• optional Metadata metadata = 1

• repeated RouteDataIngestion data = 2

Used in: RegHiveSam

• bool is_decrypted = 1

  true if the value is decrypted

• bool new_style = 2

  true if the hash is a "new style" hash

• string username = 3

  name of the local user account

• uint32 rid = 4

  RID of the local user account

• bytes lm_hash_enc = 5

  bytes of the enc/dec LM hash value

• bytes lm_hash_dec = 6

• bytes nt_hash_enc = 7

  bytes of the enc/dec NT hash value

• bytes nt_hash_dec = 8

• string answer = 10

  string representation of the total hash

Used in: ServiceEnrichedMessage

• optional ServiceIngestion origin = 1

  Original service data ingested

• string category = 2

  Categorization information about the service

• repeated string enrichments_success = 3

  Enrichments that ran and succeeded

• repeated string enrichments_failure = 4

  Enrichments that ran but failed

• optional Metadata metadata = 1

• repeated ServiceEnriched data = 2

Information about Windows services.

Used in: ServiceEnriched, ServiceIngestionMessage

• string name = 1

  Case sensitive service name.

• string display_name = 2

  Case sensitive service display name.

• string description = 3

  Case sensitive service description

• string start_name = 4

  Case sensitive username the service starts as

• string state = 5

  Case insensitive state of the service (running, stopped, etc.)

• string start_mode = 6

  Case insensitive start mode of the service (automatic, disabled, etc.)

• string type = 7

  Case insensitive type of the service.

• string service_command = 8

  Case sensitive, quote-escaped, binary path of the serbice binary + any arguments

• string service_dll = 9

  Case sensitive file path of the service DLL being loaded into SVCHOST

• string service_sddl = 10

  Case sensitive Windows permission string

• optional Metadata metadata = 1

• repeated ServiceIngestion data = 2

Used in: ParsedData

• repeated Shadow.ShadowEntry entries = 1

Used in: Shadow

• string username = 1

• optional google.protobuf.Timestamp password_last_changed = 2

• string password = 3

Used in: DotnetAssembly, Pe

• uint32 version = 1

• repeated string signers = 2

• VerificationFlags verification_flags = 3

Used in: ParsedData

• repeated SlackDownloads.SlackDownload downloads = 1

Used in: SlackDownloads

• string username = 1

• string workspace_id = 2

• string download_id = 3

• string team_id = 4

• string user_id = 5

• string url = 6

• string download_path = 7

• string download_state = 8

• optional google.protobuf.Timestamp start_time = 9

• optional google.protobuf.Timestamp end_time = 10

Used in: ParsedData

• repeated SlackWorkspaces.SlackWorkspace workspaces = 1

Used in: SlackWorkspaces

• string username = 1

• string workspace_id = 2

• string workspace_domain = 3

• string workspace_name = 4

• string workspace_icon_url = 5

Used in: Dll, Exports

• string func_name = 1

• uint64 offset = 2

• int32 ordinal = 3

Used in: TimeDataIngestionMessage

• optional google.protobuf.Timestamp current = 1

  Current time for the host

• uint64 runtime = 2

  How long the host has been running in seconds

• repeated UserTime users = 3

  List of users, their session, and their time logged on

• string zone = 4

  The time zone that the host uses

• optional Metadata metadata = 1

• repeated TimeDataIngestion data = 2

Used in: Process, ProcessIngestion

• optional Principal user = 1

• repeated Principal groups = 2

• repeated Token.TokenPrivilege privileges = 3

• Token.TokenType type = 4

• Token.ImpersonationLevel impersonation_level = 5

• uint32 session = 6

Used in: Token

• IMPERSONATIONLEVEL_UNSPECIFIED = 0

• IMPERSONATIONLEVEL_ANONYMOUS = 1

• IMPERSONATIONLEVEL_IDENTIFICATION = 2

• IMPERSONATIONLEVEL_IMPERSONATION = 3

• IMPERSONATIONLEVEL_DELEGATION = 4

Used in: Token

• string privilege_name = 1

  Privilege name (e.g., SeDebugPrivilege)

• bool enabled = 2

  Is the privileged enabled

Used in: Token

• TOKENTYPE_UNSPECIFIED = 0

• TOKENTYPE_PRIMARY = 1

• TOKENTYPE_IMPERSONATION = 2

Used in: ParsedData

• repeated string roles = 1

• repeated Tomcat.TomcatEntry entries = 2

Used in: Tomcat

• string username = 1

• string password = 2

• repeated string roles = 3

Used in: DotnetAssembly

• string module_name = 1

• string function_name = 2

Current time information about the host the agent is running on. The subparameters of the Users list must delimited by spaces in CSV submissions. Note that all date time parameters are expected to be in UTC from the Unix epoch regardless of what time zone the host uses.

Used in: TimeDataIngestion

• string user = 1

• uint32 session = 2

• uint64 time = 3

Used in Pe - TODO: combine into one block?

Used in: Signature

• OK = 0

• INVALID_SIGNER = 1

• UNSUPPORTED_ALGORITHM = 2

• INCONSISTENT_DIGEST_ALGORITHM = 4

• CERT_NOT_FOUND = 8

• CORRUPTED_CONTENT_INFO = 16

• CORRUPTED_AUTH_DATA = 32

• MISSING_PKCS9_MESSAGE_DIGEST = 64

• BAD_DIGEST = 128

• NO_SIGNATURE = 512

• BAD_SIGNATURE = 256

• CERT_EXPIRED = 1024

• CERT_FUTURE = 2048

Used in: DotnetAssembly, Pe

• string assembly_version = 1

• string comments = 2

• string company_name = 3

• string file_description = 4

• string file_version = 5

• string internal_name = 6

• string legal_copyright = 7

• string legal_trademarks = 8

• string original_filename = 9

• string private_build = 10

• string product_name = 11

• string product_version = 12

• string special_build = 13

Used in: ParsedData

• repeated ConnectionString connection_strings = 1

Used in: FileDataEnriched

• bool yara_matches_present = 1

• repeated YaraMatches.YaraMatch yara_matches = 2

Used in: YaraMatches

• string rule_file = 1

• string rule_name = 2

• string rule_description = 3

• string rule_text = 4

• repeated YaraStringMatch rule_string_matches = 5

Used in: YaraMatch

• string identifier = 1

• repeated YaraStringMatchInstance yara_string_match_instances = 2

Used in: YaraStringMatch

• bytes matched_data = 1

  bytes so we can decode UTF8/UTF16 as appropriate later

• uint64 offset = 2

• uint64 length = 3