

1//! Authoritative reference catalog for each public module.
2//!
3//! The smaller indicator-table modules expose static data and helper functions,
4//! but their provenance previously lived only in Rust doc comments. This module
5//! makes those references queryable so downstream tools can surface source
6//! material alongside detections, triage hints, or generated reports.
7
/// One public module's curated source bundle: which module, what it covers,
/// and the URLs that justify its indicator tables.
///
/// The type is `Copy` because every field is a `'static` borrow; instances are
/// normally read straight out of the static `MODULE_REFERENCES` table rather
/// than constructed at runtime.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct ModuleReference {
    /// Public module name as used for lookup (for example `ports`, `persistence`).
    pub module: &'static str,
    /// One-line description of the indicator coverage the module provides.
    pub focus: &'static str,
    /// Reference URLs backing the module; surfaced by downstream tooling next
    /// to detections and reports.
    pub urls: &'static [&'static str],
}
18
/// Sources behind the `ports` module (attacker-favored network ports tied to
/// C2, Tor, WinRM and remote administration).
pub const PORTS_REFERENCES: &[&str] = &[
    "https://isc.sans.edu/port.html",
    "https://learn.microsoft.com/en-us/windows/win32/winrm/installation-and-configuration-for-windows-remote-management",
    "https://support.torproject.org/tbb/tbb-firewall-ports/",
    "https://attack.mitre.org/techniques/T1071/",
];
25
/// Sources behind the `lolbins` module (trusted Windows and Linux binaries
/// abused for proxy execution, scripting and download/execute chains).
pub const LOLBINS_REFERENCES: &[&str] = &[
    "https://lolbas-project.github.io/",
    "https://gtfobins.github.io/",
    "https://attack.mitre.org/techniques/T1218/",
    "https://attack.mitre.org/techniques/T1059/",
];
32
/// Sources behind the `processes` module (masquerade targets and
/// offensive-tool process names used in process-tree review).
pub const PROCESSES_REFERENCES: &[&str] = &[
    "https://attack.mitre.org/techniques/T1036/",
    "https://attack.mitre.org/techniques/T1036/005/",
    "https://learn.microsoft.com/en-us/windows/application-management/svchost-service-refactoring",
    "https://learn.microsoft.com/en-us/windows-server/security/windows-authentication/credentials-processes-in-windows-authentication",
];
39
/// Sources behind the `commands` module (reverse shell, PowerShell abuse and
/// ingress-tool-transfer command fragments).
pub const COMMANDS_REFERENCES: &[&str] = &[
    "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md",
    "https://attack.mitre.org/techniques/T1059/",
    "https://attack.mitre.org/techniques/T1059/001/",
    "https://attack.mitre.org/techniques/T1105/",
];
46
/// Sources behind the `paths` module (trusted library paths and suspicious
/// staging locations on Windows and Linux).
pub const PATHS_REFERENCES: &[&str] = &[
    "https://learn.microsoft.com/en-us/windows/win32/fileio/naming-a-file",
    "https://refspecs.linuxfoundation.org/FHS_3.0/fhs/index.html",
    "https://attack.mitre.org/techniques/T1574/001/",
    "https://attack.mitre.org/techniques/T1574/006/",
];
53
/// Sources behind the `persistence` module (Windows autoruns plus cron,
/// systemd, launchd and registry-hijack persistence locations).
pub const PERSISTENCE_REFERENCES: &[&str] = &[
    "https://attack.mitre.org/techniques/T1547/",
    "https://attack.mitre.org/techniques/T1053/003/",
    "https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns",
    // NOTE(review): plain-http link; confirm an https equivalent exists before
    // this URL is surfaced in generated reports.
    "http://windowsir.blogspot.com/2013/07/howto-detecting-persistence-mechanisms.html",
];
60
/// Sources behind the `antiforensics` module (log wiping, timestomping and
/// rootkit indicators under defense evasion).
pub const ANTIFORENSICS_REFERENCES: &[&str] = &[
    "https://attack.mitre.org/techniques/T1070/",
    "https://attack.mitre.org/techniques/T1070/001/",
    "https://attack.mitre.org/techniques/T1070/006/",
    // NOTE(review): plain-http link; confirm an https equivalent exists before
    // this URL is surfaced in generated reports.
    "http://windowsir.blogspot.com/2023/10/investigating-time-stomping.html",
];
67
/// Sources behind the `encryption` module (registry evidence of disk
/// encryption, credential stores and dual-use secrecy tools).
pub const ENCRYPTION_REFERENCES: &[&str] = &[
    "https://learn.microsoft.com/en-us/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-group-policy-settings",
    "https://learn.microsoft.com/en-us/windows/win32/fileio/file-encryption",
    "https://belkasoft.com/veracrypt-forensics",
    "https://tb-manual.torproject.org/installation/",
];
74
/// Sources behind the `remote_access` module (remote monitoring and
/// management tool indicators, including LOLRMM software).
pub const REMOTE_ACCESS_REFERENCES: &[&str] = &[
    "https://lolrmm.io/",
    "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-025a",
    "https://redcanary.com/blog/threat-intelligence/remote-monitoring-management/",
    "https://www.huntress.com/blog/no-longer-low-hanging-fruit-hunting-for-risky-rmm-tools",
];
81
/// Sources behind the `third_party` module (artifact paths for SSH clients,
/// cloud sync applications and browsers).
pub const THIRD_PARTY_REFERENCES: &[&str] = &[
    "https://the.earth.li/~sgtatham/putty/0.78/htmldoc/AppendixC.html",
    "https://winscp.net/eng/docs/ui_pref_storage",
    "https://learn.microsoft.com/en-us/sharepoint/sync-client-administration-settings",
    "https://chromeenterprise.google/policies/",
];
88
/// Sources behind the `pca` module (Windows 11 Program Compatibility
/// Assistant execution artifacts and their decoding).
pub const PCA_REFERENCES: &[&str] = &[
    "https://andreafortuna.org/2024/windows11-pca-artifact/",
    "https://attack.mitre.org/techniques/T1204/",
    "https://attack.mitre.org/techniques/T1059/",
];
94
/// Sources behind the `artifact` module (unified artifact descriptors with
/// decode logic, triage priority and ATT&CK mappings). These are broad
/// landing pages rather than per-indicator citations.
pub const ARTIFACT_REFERENCES: &[&str] = &[
    "https://docs.rs/forensic-catalog",
    "https://attack.mitre.org/",
    // NOTE(review): plain-http link; confirm an https equivalent exists before
    // this URL is surfaced in generated reports.
    "http://windowsir.blogspot.com/",
    "https://ericzimmerman.github.io/#!index.md",
];
101
/// Master index of reference bundles, one entry per public module.
///
/// The order here is the order `all_module_references` returns. Module names
/// must be unique ignoring ASCII case: `module_references` returns the first
/// entry whose `module` matches, so a duplicate would silently shadow later
/// entries.
pub const MODULE_REFERENCES: &[ModuleReference] = &[
    ModuleReference {
        module: "artifact",
        focus: "Unified forensic artifact descriptors with decode logic, triage priority, ATT&CK mappings, and embedded source URLs.",
        urls: ARTIFACT_REFERENCES,
    },
    ModuleReference {
        module: "ports",
        focus: "Suspicious or attacker-favored network ports tied to C2, Tor, WinRM, and remote administration.",
        urls: PORTS_REFERENCES,
    },
    ModuleReference {
        module: "lolbins",
        focus: "Trusted Windows and Linux binaries commonly abused for proxy execution, scripting, and download/execution chains.",
        urls: LOLBINS_REFERENCES,
    },
    ModuleReference {
        module: "processes",
        focus: "Masquerade targets and offensive-tool process names useful for triage and process tree review.",
        urls: PROCESSES_REFERENCES,
    },
    ModuleReference {
        module: "commands",
        focus: "Reverse shell, PowerShell abuse, and ingress-tool-transfer command fragments.",
        urls: COMMANDS_REFERENCES,
    },
    ModuleReference {
        module: "paths",
        focus: "Trusted library paths and suspicious staging locations across Windows and Linux.",
        urls: PATHS_REFERENCES,
    },
    ModuleReference {
        module: "persistence",
        focus: "Windows autoruns and cross-platform persistence locations including cron, systemd, launchd, and registry hijacks.",
        urls: PERSISTENCE_REFERENCES,
    },
    ModuleReference {
        module: "antiforensics",
        focus: "Log wiping, timestomping, and rootkit indicators aligned to defense-evasion behavior.",
        urls: ANTIFORENSICS_REFERENCES,
    },
    ModuleReference {
        module: "encryption",
        focus: "Registry evidence for disk encryption, credential stores, and dual-use secrecy tools.",
        urls: ENCRYPTION_REFERENCES,
    },
    ModuleReference {
        module: "remote_access",
        focus: "Remote monitoring and management tool indicators, especially LOLRMM software frequently abused in intrusions.",
        urls: REMOTE_ACCESS_REFERENCES,
    },
    ModuleReference {
        module: "third_party",
        focus: "Forensically valuable artifact paths for SSH clients, cloud sync apps, and browsers.",
        urls: THIRD_PARTY_REFERENCES,
    },
    ModuleReference {
        module: "pca",
        focus: "Windows 11 Program Compatibility Assistant execution artifacts and decoding guidance.",
        urls: PCA_REFERENCES,
    },
];
164
/// Returns every curated reference bundle, in catalog order.
///
/// This is a borrow of the static `MODULE_REFERENCES` table, so no allocation
/// takes place and the result lives for the whole program.
pub fn all_module_references() -> &'static [ModuleReference] {
    let catalog: &'static [ModuleReference] = &MODULE_REFERENCES[..];
    catalog
}
169
/// Looks up the curated source bundle for the module called `name`.
///
/// The comparison against each entry's `module` field ignores ASCII case, so
/// `"Remote_Access"` resolves the `remote_access` bundle. The first matching
/// entry in `MODULE_REFERENCES` order is returned; `None` if nothing matches.
pub fn module_references(name: &str) -> Option<&'static ModuleReference> {
    for candidate in MODULE_REFERENCES {
        if name.eq_ignore_ascii_case(candidate.module) {
            return Some(candidate);
        }
    }
    None
}
176
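#[cfg(test)]
mod tests {
    //! Sanity checks for the reference catalog: module coverage, lookup
    //! semantics, and basic hygiene of the embedded URLs.
    use super::*;

    /// Every public indicator module listed here must have a reference bundle.
    #[test]
    fn module_reference_index_covers_public_modules() {
        let modules: Vec<&str> = MODULE_REFERENCES.iter().map(|entry| entry.module).collect();
        for expected in [
            "artifact",
            "ports",
            "lolbins",
            "processes",
            "commands",
            "paths",
            "persistence",
            "antiforensics",
            "encryption",
            "remote_access",
            "third_party",
            "pca",
        ] {
            assert!(modules.contains(&expected), "missing module reference for {expected}");
        }
    }

    #[test]
    fn every_module_has_at_least_one_url() {
        for entry in MODULE_REFERENCES {
            assert!(
                !entry.urls.is_empty(),
                "module {} should expose at least one authoritative source",
                entry.module
            );
        }
    }

    /// `module_references` returns the first match, so two entries with the
    /// same name (in any ASCII casing) would silently shadow one another.
    #[test]
    fn module_names_are_unique_ignoring_case() {
        let mut seen: Vec<String> = Vec::new();
        for entry in MODULE_REFERENCES {
            let key = entry.module.to_ascii_lowercase();
            assert!(
                !seen.contains(&key),
                "duplicate module reference for {}",
                entry.module
            );
            seen.push(key);
        }
    }

    #[test]
    fn module_lookup_is_case_insensitive() {
        let entry = module_references("Remote_Access").unwrap();
        assert_eq!(entry.module, "remote_access");
    }

    /// Unknown and empty names must not resolve to any bundle.
    #[test]
    fn unknown_module_yields_none() {
        assert!(module_references("not_a_module").is_none());
        assert!(module_references("").is_none());
    }

    /// URLs are surfaced verbatim in reports, so each must be an absolute
    /// http(s) URL without embedded whitespace.
    #[test]
    fn urls_are_absolute_and_well_formed() {
        for entry in MODULE_REFERENCES {
            for url in entry.urls {
                assert!(
                    url.starts_with("https://") || url.starts_with("http://"),
                    "module {}: {url} lacks an http(s) scheme",
                    entry.module
                );
                assert!(
                    !url.chars().any(char::is_whitespace),
                    "module {}: {url} contains whitespace",
                    entry.module
                );
            }
        }
    }

    #[test]
    fn all_module_references_returns_static_slice() {
        assert_eq!(all_module_references().len(), MODULE_REFERENCES.len());
    }
}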
219    #[test]
220    fn all_module_references_returns_static_slice() {
221        assert_eq!(all_module_references().len(), MODULE_REFERENCES.len());
222    }
223}