Enum JumpListAnomaly 

pub enum JumpListAnomaly {
    PinnedTarget {
        path: String,
    },
    CrossMachine {
        hostname: String,
        acquisition_host: String,
    },
    MruRecency {
        path: String,
        access_count: Option<u32>,
        last_access: i64,
    },
    AppIdIdentified {
        app_id: String,
        application: &'static str,
    },
}

A graded Jump List anomaly, layered on top of the per-link LnkAnomaly findings (each embedded shell link is audited with audit for free).

Variants

PinnedTarget

A DestList entry is pinned — the user deliberately fixed this target to the application’s Jump List. Provenance, not suspicious on its own.

Fields

path: String

The pinned target path recorded in the DestList.

CrossMachine

A DestList entry’s origin hostname has no match to the acquisition host — consistent with the artifact (or the target) having originated on a different machine. We state only “no match to the acquisition host”.

Fields

hostname: String

The origin hostname recorded in the DestList.

acquisition_host: String

The acquisition host the hostname was compared against.

MruRecency

A DestList entry records MRU recency: a last-access time and an access count — the application’s own usage history for this target.

Fields

path: String

The target path.

access_count: Option<u32>

Access count (Windows 10/11 DestList), when present.

last_access: i64

Last-access time, Unix epoch seconds.

AppIdIdentified

The Jump List’s AppID resolves to a known application — provenance for which program owns this MRU history.

Fields

app_id: String

The AppID (lowercase hex).

application: &'static str

The resolved application name.

Implementations

impl JumpListAnomaly

pub fn code(&self) -> &'static str

The stable, published anomaly code.

Trait Implementations

impl Clone for JumpListAnomaly

fn clone(&self) -> JumpListAnomaly

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for JumpListAnomaly

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl Eq for JumpListAnomaly

impl Observation for JumpListAnomaly

fn severity(&self) -> Option<Severity>

Severity, or None if the analyzer deliberately does not grade this kind.

fn code(&self) -> &'static str

Stable, scheme-prefixed machine code.

fn category(&self) -> Category

Analytical lens; defaults to Category::from_code of Observation::code. Override when a code’s keyword classification is wrong.

fn note(&self) -> String

Human-readable, consistent-with note.

fn subjects(&self) -> Vec<SubjectRef>

Non-disk subjects this kind is about (default: none).

fn evidence(&self) -> Vec<Evidence>

Backing evidence rows (default: none).

fn mitre(&self) -> &'static [&'static str]

MITRE ATT&CK technique ids this kind is consistent with (default: none).

fn confidence(&self) -> Option<Confidence>

Heuristic confidence, if inferential (default: none).

fn to_finding(&self, source: Source) -> Finding

Assemble the canonical Finding from this kind and its producing source.

impl PartialEq for JumpListAnomaly

fn eq(&self, other: &JumpListAnomaly) -> bool

Tests for self and other values to be equal, and is used by ==.

fn ne(&self, other: &Rhs) -> bool

Tests for !=. The default implementation is almost always sufficient, and should not be overridden without very good reason.

impl StructuralPartialEq for JumpListAnomaly