Container Task Output Reference

Overview

Each container task type provides its own set of capabilities, so the output it generates varies widely from one container task type to the next. For example, the Metasploit Framework uses the term "sessions" for connections to victim machines, whereas PowerShell Empire refers to those connections as "agents." In the output logs, the original field names produced by the embedded attack tools are retained, and, where possible, field data that can be mapped back to the standard schema is also populated in the common fields. When developing custom container tasks, ensure that the log output adheres to the common log format designated below.

Common Log Format

The fields below are the common fields that are populated, whenever possible, from data generated by the container tasks' embedded attack tools.

  • agent_name - a name or ID associated with a command and control agent or reverse shell running on a victim machine.

    Note that this field is similar to the session_id field and typically only one of the two fields is present.

  • callback_ip - the callback IP address that a command and control agent or reverse shell connects to for receiving command and control instructions.
  • callback_hostname - the callback hostname that a command and control agent or reverse shell connects to for receiving command and control instructions.
  • callback_port - the callback port number that a command and control agent or reverse shell connects to for receiving command and control instructions.
  • exfil_hostname - can contain a hostname that is used in the exfil action.
  • exfil_ip - can contain an IP address that is used in the exfil action.
  • exfil_port - can contain a port number that is used in the exfil action.
  • exfil_uri - can contain a URI that is used in the exfil action.
  • exfil_filename - the name of the file that is created as a result of the exfil action.
  • ip_protocol - can be used to indicate the IP protocol type (e.g. TCP, UDP, ICMP, etc.) associated with any container task activity such as the IP protocol used in a scan of a target machine or the IP protocol used for a data exfiltration action.
  • job_id - an ID associated with a running or staged exploit in the case of Metasploit; other container tasks may use this field to represent an instruction request or scan job.
  • session_id - a name or ID associated with a command and control agent or reverse shell running on a victim machine.

    Note that this field is similar to the agent_name field and typically only one of the two fields is present.

  • status - this field can be used to indicate the status of a host (e.g. up/down) or the status of a command and control agent or reverse shell (e.g. active/inactive).
  • target_hostnames - a list of hostnames associated with the victim machine.

    Note that this field will only be populated if an embedded attack tool's output explicitly provides hostname information.

  • target_file - may contain a file name associated with a victim machine, whether from a discovery/recon task, an exfiltration action or an execution command.
  • target_file_path - may contain a file path associated with a victim machine, whether from a discovery/recon task, an exfiltration action or an execution command.
  • target_http_request_headers - a dictionary containing the HTTP headers associated with an HTTP request.
  • target_http_request_host - the HTTP host portion of an HTTP URI used in an HTTP request.
  • target_http_request_method - the request method used in an HTTP request.
  • target_http_request_path - the HTTP path portion of an HTTP URI used in an HTTP request.
  • target_http_request_payload - the payload data associated with an HTTP request.
  • target_http_request_uri - the full HTTP request URI.
  • target_http_response_payload - the HTTP response payload that results from an HTTP request.
  • target_http_response_headers - the HTTP headers associated with an HTTP response.
  • target_internal_ip - the internal IP address of the victim machine.
  • target_ip - the IP address of the victim machine.
  • target_port - the port number associated with an action such as a scan or exploit.
  • target_port_application - the application found to be associated with a target_port.
  • target_port_application_version - the application version found to be associated with a target_port_application.
  • target_port_extrainfo - any additional information available for a target_port.
  • target_port_name - the name found to be associated with a target_port.
  • target_port_state - the state (e.g. open, closed, filtered, etc.) found for a target_port.
  • target_port_state_reason - the reason a particular state was determined for a target_port.
  • target_scripts_output - any additional output associated with a script executed against a target.
  • target_share_name - the name of a share associated with a particular discovery/recon task, exfiltration action or execution command.
  • target_vendor - any vendor output associated with a victim machine or application.
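As an added example (not the project's own code), the Python below maps constructed Metasploit-style and Empire-style records onto the common fields above while retaining the tool's original field names, and checks the rules stated in the list: only one of agent_name/session_id is present, target_hostnames is a list populated only when the tool explicitly reports a hostname, and port fields hold valid port numbers. The tool-native key names in FIELD_MAP and the sample records are assumptions.

```python
# Tool-native key -> common field name (assumed key names, not real tool schemas).
# Native keys are kept on the record; the common field is added alongside them.
FIELD_MAP = {
    "metasploit": {"session": "session_id", "rhost": "target_ip", "rport": "target_port",
                   "job": "job_id", "lhost": "callback_ip", "lport": "callback_port"},
    "empire": {"agent": "agent_name", "internal_ip": "target_internal_ip",
               "external_ip": "target_ip", "hostname": "target_hostnames",
               "listener_host": "callback_hostname", "listener_port": "callback_port"},
}

LIST_FIELDS = {"target_hostnames"}          # common fields that must be lists
PORT_FIELDS = ("callback_port", "target_port", "exfil_port")

# Constructed sample records, one per tool (not captured tool output).
MSF_SAMPLE = {"session": 3, "rhost": "10.0.0.7", "rport": 445,
              "lhost": "10.0.0.2", "lport": 4444, "job": 1}
EMPIRE_SAMPLE = {"agent": "K3PTW2LX", "internal_ip": "192.168.1.20",
                 "hostname": "WS01", "listener_port": 8080}


def normalize(tool, record):
    """Return a copy of record with common fields added where a mapping exists."""
    out = dict(record)                      # retain tool-native field names verbatim
    for native, common in FIELD_MAP[tool].items():
        value = record.get(native)
        if value in (None, ""):
            continue                        # e.g. no hostname reported -> no target_hostnames
        if common in LIST_FIELDS and not isinstance(value, list):
            value = [value]
        out[common] = value
    return out


def validate(record):
    """Return a list of violations of the common log format rules (empty if clean)."""
    problems = []
    if "agent_name" in record and "session_id" in record:
        problems.append("both agent_name and session_id present")
    for field in PORT_FIELDS:
        p = record.get(field)
        if p is not None and not (isinstance(p, int) and 0 < p < 65536):
            problems.append(f"{field} is not a valid port: {p!r}")
    if "target_hostnames" in record and not isinstance(record["target_hostnames"], list):
        problems.append("target_hostnames must be a list")
    return problems
```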