Linux Artifacts
The following table provides field names and related information for Linux artifacts.

| Field Name | Artifact Type as it Appears on AutoFocus Web Portal | Field Type | Acceptable Values and Examples |
| --- | --- | --- | --- |
| sample.tasks.elf_suspicious_behavior | Linux Suspicious Behavior | StringProx | Suspicious behavior from a Linux file based on static analysis. Example: `sample contains hard-coded malicious IP address` |
| sample.tasks.elf_functions | Linux Functions | StringProx | Function contained in the Linux file. Example: `__libc_sigaction` |
| sample.tasks.elf_commands | Linux Commands | StringProx | Command contained in the Linux file. Example: `rm -rf /var/log/wtmp` |
| sample.tasks.elf_file_paths | Linux File Paths | StringProx | File path contained in a Linux file. Example: `/var/run` |
| sample.tasks.elf_ip_address | Linux IP Address | StringProx | An IP address detected during Linux sample analysis. |
| sample.tasks.elf_domains | Linux Domains | StringProx | Domain detected during Linux sample analysis. Example: `run.work.` |
| sample.tasks.elf_url | Linux URLs | StringProx | URL detected during Linux sample analysis. Example: `http://208.67.1.59/bins.sh.` |
| sample.tasks.elf_command_action | Linux Command Action | StringProx | Command actions embedded into the Linux sample file. Example: `/usr/bin/pusjcgkdgq gnome-terminal 739` |
| sample.tasks.elf_file_activity | Linux File Activity | StringProx | Files that showed activity as a result of the sample being executed in the WildFire analysis environment. Artifacts listed for each file activity include the parent process that showed activity, the action the parent process performed, and the file that was altered (created, modified, duplicated, or deleted). Example: `unlink , /usr/bin/pusjcgkdgq` |
| sample.tasks.elf_suspicious_action | Linux Suspicious Action | StringProx | An action that the Linux file performed when it was executed in the WildFire analysis environment. Example: `Sample accesses network information or configuration , /proc/net/tcp` |
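The artifact strings in the table are what an analyst would pivot on when triaging a WildFire verdict. The following Python is an added example, not AutoFocus or Palo Alto Networks code: it takes a constructed sample record keyed by the field names above (values taken from the table's own examples, plus a constructed IP-address entry) and runs a few defender-side triage rules over them. The `<action> , <path>` split for the file-activity and suspicious-action fields is an assumption inferred from the two examples shown, and the rule thresholds (which log files count as anti-forensic targets, which directories count as dropped-binary locations) are the example's own heuristics, not AutoFocus behaviour.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample record. Keys are the AutoFocus Linux artifact field names
# from the table; values are the table's example strings (the IP entry and the
# URL without its trailing period are constructed for this example).
SAMPLE_RECORD: Dict[str, List[str]] = {
    "sample.tasks.elf_suspicious_behavior": ["sample contains hard-coded malicious IP address"],
    "sample.tasks.elf_commands": ["rm -rf /var/log/wtmp"],
    "sample.tasks.elf_file_paths": ["/var/run"],
    "sample.tasks.elf_ip_address": ["208.67.1.59"],
    "sample.tasks.elf_url": ["http://208.67.1.59/bins.sh"],
    "sample.tasks.elf_file_activity": ["unlink , /usr/bin/pusjcgkdgq"],
    "sample.tasks.elf_suspicious_action": [
        "Sample accesses network information or configuration , /proc/net/tcp"
    ],
}

# Heuristic rule data (this example's choices, not AutoFocus definitions).
LOGIN_LOG_PATHS = ("/var/log/wtmp", "/var/log/btmp", "/var/log/lastlog", "/var/log/auth.log")
BINARY_DIRS = ("/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/", "/tmp/", "/dev/shm/")
PROC_NET_PREFIX = "/proc/net/"


def split_pair(artifact: str) -> Tuple[str, str]:
    """Split an '<action or description> , <path>' artifact into its two parts.

    Assumption: AutoFocus renders file-activity and suspicious-action artifacts
    with a literal ' , ' separator, as in the table's examples. If no separator
    is present the whole string is returned as the first element.
    """
    left, sep, right = artifact.partition(" , ")
    return (left.strip(), right.strip()) if sep else (left.strip(), "")


def triage(record: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Return (finding_type, evidence) pairs for behaviours worth escalating."""
    findings: List[Tuple[str, str]] = []

    # 1. Static commands that delete login/audit logs: anti-forensic behaviour.
    for cmd in record.get("sample.tasks.elf_commands", []):
        if cmd.startswith("rm ") and any(p in cmd for p in LOGIN_LOG_PATHS):
            findings.append(("log_wiping", cmd))

    # 2. Dynamic file activity: an unlink of a file under an executable
    #    directory suggests a dropped or self-deleting binary.
    for item in record.get("sample.tasks.elf_file_activity", []):
        action, path = split_pair(item)
        if action == "unlink" and path.startswith(BINARY_DIRS):
            findings.append(("dropped_binary_removed", path))

    # 3. Suspicious actions touching /proc/net: reading socket tables is a
    #    common reconnaissance step before lateral movement or scanning.
    for item in record.get("sample.tasks.elf_suspicious_action", []):
        _description, target = split_pair(item)
        if target.startswith(PROC_NET_PREFIX):
            findings.append(("network_recon", target))

    # 4. Correlate URLs with hard-coded IP artifacts: a download URL whose host
    #    is a raw IP already flagged in the sample is a strong C2/dropper signal.
    hardcoded_ips = set(record.get("sample.tasks.elf_ip_address", []))
    for url in record.get("sample.tasks.elf_url", []):
        host = re.match(r"https?://([^/:]+)", url)
        if host and host.group(1) in hardcoded_ips:
            findings.append(("url_to_hardcoded_ip", url))

    return findings


if __name__ == "__main__":
    for kind, evidence in triage(SAMPLE_RECORD):
        print(f"{kind:24s} {evidence}")
```

Each rule reads only one or two of the table's fields, so the same structure extends naturally to `elf_functions` or `elf_domains` (for instance, matching `__libc_sigaction` against a list of signal-handling APIs commonly used to survive termination). Because `triage` returns structured pairs rather than printing, its output can feed a SIEM enrichment or a case-management tag without further parsing.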