Linux Artifacts

The following table provides field names and related information for Linux artifacts.
| Field Name | Artifact Type as it Appears on AutoFocus Web Portal | Field Type | Acceptable Values and Examples |
| --- | --- | --- | --- |
| `sample.tasks.elf_suspicious_behavior` | Linux Suspicious Behavior | StringProx | Suspicious behavior from a Linux file based on static analysis. Example: `sample contains hard-coded malicious IP address` |
| `sample.tasks.elf_functions` | Linux Functions | StringProx | Function contained in the Linux file. Example: `__libc_sigaction` |
| `sample.tasks.elf_commands` | Linux Commands | StringProx | Command contained in the Linux file. Example: `rm -rf /var/log/wtmp` |
| `sample.tasks.elf_file_paths` | Linux File Paths | StringProx | File path contained in a Linux file. Example: `/var/run` |
| `sample.tasks.elf_ip_address` | Linux IP Address | StringProx | An IP address detected during Linux sample analysis. |
| `sample.tasks.elf_domains` | Linux Domains | StringProx | Domain detected during Linux sample analysis. Example: `run.work.` |
| `sample.tasks.elf_url` | Linux URLs | StringProx | URL detected during Linux sample analysis. Example: `http://208.67.1.59/bins.sh.` |
| `sample.tasks.elf_command_action` | Linux Command Action | StringProx | Command actions embedded in the Linux sample file. Example: `/usr/bin/pusjcgkdgq gnome-terminal 739` |
| `sample.tasks.elf_file_activity` | Linux File Activity | StringProx | Files that showed activity as a result of the sample being executed in the WildFire analysis environment. Artifacts listed for each file activity include the parent process that showed activity, the action the parent process performed, and the file that was altered (created, modified, duplicated, or deleted). Example: `unlink , /usr/bin/pusjcgkdgq` |
| `sample.tasks.elf_suspicious_action` | Linux Suspicious Action | StringProx | An action that the Linux file performed when it was executed in the WildFire analysis environment. Example: `Sample accesses network information or configuration , /proc/net/tcp` |