# Tool Reference

WraithRun includes a local tool registry used by the agent during the deterministic investigation phase.

## Case Workflow Artifacts

Case workflow output is generated by CLI flags rather than a dedicated tool invocation.

- `--case-id <CASE_ID>` adds case metadata to the run report.
- `--evidence-bundle-dir <PATH>` writes bundle artifacts for audit/share workflows:
  - `report.json`
  - `raw_observations.json`
  - `SHA256SUMS`
- `--evidence-bundle-archive <PATH>` writes a deterministic single-file tar archive containing those same artifacts in fixed order.
- `--verify-bundle <PATH>` verifies bundle checksums from an evidence directory (or a direct `SHA256SUMS` path) and exits non-zero on mismatches or missing files.
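The three bundle operations above (manifest, deterministic archive, verification) as an added example. This is not WraithRun's code; it assumes only the layout the flags describe: `report.json`, `raw_observations.json` and a `SHA256SUMS` manifest in the usual `sha256sum` format (`<hex>  <name>`) inside one bundle directory. The `demo()` inputs are constructed placeholders.

```python
"""Evidence-bundle checksum verification and deterministic archiving.

Added example, not WraithRun's code. It assumes the layout the CLI flags
describe: report.json, raw_observations.json and a SHA256SUMS file in the
usual sha256sum "<hex>  <name>" format, all in one bundle directory.
"""
import hashlib
import io
import tarfile
import tempfile
from pathlib import Path

BUNDLE_FILES = ("report.json", "raw_observations.json")  # fixed member order


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def write_bundle(bundle_dir: Path, report: bytes, raw_observations: bytes) -> Path:
    """Write the artifacts and a SHA256SUMS manifest; returns the manifest path."""
    bundle_dir.mkdir(parents=True, exist_ok=True)
    (bundle_dir / "report.json").write_bytes(report)
    (bundle_dir / "raw_observations.json").write_bytes(raw_observations)
    manifest = bundle_dir / "SHA256SUMS"
    manifest.write_text("".join(f"{sha256_file(bundle_dir / n)}  {n}\n" for n in BUNDLE_FILES))
    return manifest


def verify_bundle(target: Path) -> dict:
    """Accept a bundle directory or a direct SHA256SUMS path, like --verify-bundle.

    Returns {"ok": bool, "mismatched": [...], "missing": [...]}; a caller that
    mirrors the CLI would exit non-zero whenever ok is False.
    """
    manifest = target if target.is_file() else target / "SHA256SUMS"
    base = manifest.parent
    mismatched, missing = [], []
    for line in manifest.read_text().splitlines():
        if not line.strip():
            continue
        expected, name = line.split(maxsplit=1)
        name = name.lstrip("*")  # sha256sum's binary-mode marker
        path = base / name
        if not path.is_file():
            missing.append(name)
        elif sha256_file(path) != expected:
            mismatched.append(name)
    return {"ok": not mismatched and not missing,
            "mismatched": mismatched, "missing": missing}


def build_archive(bundle_dir: Path) -> bytes:
    """Deterministic tar: fixed member order and constant metadata, so the same
    inputs always produce byte-identical archive bytes (and hence one hash)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name in BUNDLE_FILES + ("SHA256SUMS",):
            data = (bundle_dir / name).read_bytes()
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            info.mtime = 0
            info.uid = info.gid = 0
            info.uname = info.gname = ""
            info.mode = 0o644
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def demo() -> dict:
    """Round trip on constructed artifacts, then tamper with and remove files."""
    with tempfile.TemporaryDirectory() as tmp:
        bundle = Path(tmp) / "bundle"
        write_bundle(bundle, b'{"case_id": "CASE-PLACEHOLDER"}\n', b"[]\n")
        clean = verify_bundle(bundle)
        first, second = build_archive(bundle), build_archive(bundle)
        (bundle / "report.json").write_bytes(b'{"case_id": "EDITED"}\n')
        tampered = verify_bundle(bundle / "SHA256SUMS")
        (bundle / "raw_observations.json").unlink()
        partial = verify_bundle(bundle)
        return {"clean_ok": clean["ok"],
                "tampered": tampered["mismatched"],
                "missing": partial["missing"],
                "archive_deterministic": first == second}


if __name__ == "__main__":
    print(demo())
```

The point of zeroing `mtime`, owner and mode in `build_archive` is that the archive's own hash becomes reproducible: two runs over the same artifacts yield the same bytes, so a single digest of the archive can be shared and re-checked later without the verifier needing the loose files.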
## read_syslog

Purpose:

- Reads local log file tail lines in a bounded format.

Arguments:

- `path` (string, optional): log path. Default: `./agent.log`.
- `max_lines` (integer, optional): number of lines, range 1-1000. Default behavior targets a bounded tail.

Output fields:

- `path`
- `line_count`
- `lines`
## scan_network

Purpose:

- Lists active local listening sockets.

Arguments:

- `limit` (integer, optional): max entries, range 1-512.

Output fields:

- `listener_count`
- `listeners`
## hash_binary

Purpose:

- Computes the SHA-256 hash of a local file.

Arguments:

- `path` (string, required)

Output fields:

- `path`
- `sha256`
## check_privilege_escalation_vectors

Purpose:

- Collects local privilege-surface indicators.

Arguments:

- none

Output fields:

- `indicator_count`
- `potential_vectors`
- `sample`
## inspect_persistence_locations

Purpose:

- Inventories common persistence locations and highlights suspicious entries.

Arguments:

- `limit` (integer, optional): max entries, range 1-512.
- `baseline_entries` (string array, optional): known-good persistence entry names for drift comparison.
- `allowlist_terms` (string array, optional): terms that suppress known-benign suspicious matches.

Output fields:

- `entry_count`
- `suspicious_entry_count`
- `actionable_suspicious_count`
- `baseline_new_count`
- `baseline_new_entries`
- `entries`
## audit_account_changes

Purpose:

- Captures privileged account state and highlights drift or unapproved memberships.

Arguments:

- `baseline_privileged_accounts` (string array, optional): previous privileged-account snapshot.
- `approved_privileged_accounts` (string array, optional): approved privileged-account allowlist.

Output fields:

- `privileged_account_count`
- `non_default_privileged_account_count`
- `newly_privileged_account_count`
- `removed_privileged_account_count`
- `unapproved_privileged_account_count`
- `privileged_accounts`
- `evidence`
## correlate_process_network

Purpose:

- Correlates listening sockets with process ownership and scores exposure risk.

Arguments:

- `limit` (integer, optional): max entries, range 1-512.
- `baseline_exposed_bindings` (string array, optional): known externally exposed listener bindings.
- `expected_processes` (string array, optional): approved process names for exposed listeners.

Output fields:

- `listener_count`
- `externally_exposed_count`
- `high_risk_exposed_count`
- `unknown_exposed_process_count`
- `new_exposed_binding_count`
- `network_risk_score`
- `network_risk_level`
- `records`
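The baseline-drift and allowlist semantics shared by `inspect_persistence_locations`, `audit_account_changes` and `correlate_process_network` (current state vs. a previous snapshot vs. an approved list), as one added example. This is not WraithRun's code: the output keys mirror the page, but the suspicious-term heuristics, the "wildcard bind means externally exposed" rule, the risk weighting and thresholds, the `root` default-privileged set, and all record shapes are constructed assumptions.

```python
"""Baseline-drift and allowlist logic of the kind inspect_persistence_locations,
audit_account_changes and correlate_process_network describe.

Added example, not WraithRun's code: the output keys mirror the page, but the
suspicious-term heuristics, the exposure rule, the risk weighting and every
sample input are constructed assumptions.
"""

DEFAULT_PRIVILEGED = {"root"}                    # assumption: built-in privileged principal
SUSPICIOUS_TERMS = ("/tmp/", "base64", "curl ")  # constructed persistence heuristics
WILDCARD_BINDS = ("0.0.0.0", "::", "[::]")       # assumption: wildcard bind = externally exposed


def audit_account_changes(privileged, baseline_privileged_accounts=None,
                          approved_privileged_accounts=None):
    cur = set(privileged)
    base = set(baseline_privileged_accounts or ())
    approved = set(approved_privileged_accounts or ())
    # Drift is only meaningful when a baseline/allowlist was actually supplied.
    newly = sorted(cur - base) if baseline_privileged_accounts is not None else []
    removed = sorted(base - cur) if baseline_privileged_accounts is not None else []
    unapproved = sorted(cur - approved) if approved_privileged_accounts is not None else []
    return {
        "privileged_account_count": len(cur),
        "non_default_privileged_account_count": len(cur - DEFAULT_PRIVILEGED),
        "newly_privileged_account_count": len(newly),
        "removed_privileged_account_count": len(removed),
        "unapproved_privileged_account_count": len(unapproved),
        "privileged_accounts": sorted(cur),
        "evidence": {"newly_privileged": newly, "removed": removed, "unapproved": unapproved},
    }


def inspect_persistence_locations(entries, baseline_entries=None, allowlist_terms=()):
    """entries: list of {"name": str, "command": str} (constructed shape)."""
    def hits(command, terms):
        return any(t.lower() in command.lower() for t in terms)

    suspicious = [e for e in entries if hits(e["command"], SUSPICIOUS_TERMS)]
    # allowlist_terms suppress known-benign matches, leaving only actionable ones.
    actionable = [e for e in suspicious if not hits(e["command"], allowlist_terms)]
    known = set(baseline_entries or ())
    new = ([e["name"] for e in entries if e["name"] not in known]
           if baseline_entries is not None else [])
    return {
        "entry_count": len(entries),
        "suspicious_entry_count": len(suspicious),
        "actionable_suspicious_count": len(actionable),
        "baseline_new_count": len(new),
        "baseline_new_entries": new,
        "entries": entries,
    }


def correlate_process_network(records, baseline_exposed_bindings=None, expected_processes=()):
    """records: list of {"binding": "addr:port", "process": str} (constructed shape)."""
    exposed = [r for r in records if r["binding"].rsplit(":", 1)[0] in WILDCARD_BINDS]
    unknown = [r for r in exposed if r["process"] not in set(expected_processes)]
    known = set(baseline_exposed_bindings or ())
    new = ([r for r in exposed if r["binding"] not in known]
           if baseline_exposed_bindings is not None else [])
    high = [r for r in exposed if r in unknown and r in new]   # new AND unexpected process
    score = 10 * len(unknown) + 5 * len(new) + 20 * len(high)  # constructed weighting
    level = "high" if score >= 30 else "medium" if score > 0 else "low"
    return {
        "listener_count": len(records),
        "externally_exposed_count": len(exposed),
        "high_risk_exposed_count": len(high),
        "unknown_exposed_process_count": len(unknown),
        "new_exposed_binding_count": len(new),
        "network_risk_score": score,
        "network_risk_level": level,
        "records": records,
    }


if __name__ == "__main__":
    print(audit_account_changes(["root", "alice", "svc-backup"],
                                baseline_privileged_accounts=["root", "alice", "bob"],
                                approved_privileged_accounts=["root", "alice"]))
```

One design choice worth copying: an omitted baseline is treated as "no comparison requested" (`None`), not as an empty baseline, so a first run without a snapshot does not report every current account as newly privileged or every listener as a new binding.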
## enumerate_ssh_keys

Purpose:

- Enumerates SSH key material across user home directories. Cross-platform: on Windows scans `%USERPROFILE%\.ssh`, `ProgramData\ssh`, and other user profiles; on Linux/macOS scans `/root/.ssh` and `/home/*/.ssh`.

Arguments:

- none

Output fields:

- `directories` (array): per-directory summary including `path`, `has_authorized_keys`, `private_key_count`, and `public_key_count`.
- `total_authorized_keys_files` (integer)
- `total_private_keys` (integer)
- `total_public_keys` (integer)
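An added example of the per-directory inventory this tool describes. It is not WraithRun's code: it resolves the platform locations the page lists under a caller-supplied filesystem root (so `demo()` can run against a constructed tree rather than the real host), classifies files by their leading bytes rather than by filename, and counts `authorized_keys` separately from key files. The key headers, public-key prefixes and sample files are the usual OpenSSH formats with placeholder contents.

```python
"""SSH key inventory over the directories enumerate_ssh_keys names.

Added example, not WraithRun's code. It classifies files by content rather
than by name, and takes a filesystem root so the demo can run against a
constructed tree instead of the real host; the output keys mirror the page.
"""
import tempfile
from pathlib import Path

PRIVATE_KEY_HEADERS = (b"-----BEGIN OPENSSH PRIVATE KEY-----", b"-----BEGIN RSA PRIVATE KEY-----",
                       b"-----BEGIN EC PRIVATE KEY-----", b"-----BEGIN PRIVATE KEY-----")
PUBLIC_KEY_PREFIXES = (b"ssh-", b"ecdsa-", b"sk-")


def candidate_ssh_dirs(root: Path, windows: bool) -> list:
    """The per-platform locations the page lists, resolved under `root`."""
    if windows:
        dirs = [root / "ProgramData" / "ssh"] + sorted((root / "Users").glob("*/.ssh"))
    else:
        dirs = [root / "root" / ".ssh"] + sorted((root / "home").glob("*/.ssh"))
    return [d for d in dirs if d.is_dir()]


def classify_key_file(path: Path) -> str:
    """'private', 'public' or 'other', decided by the first bytes of the file."""
    try:
        head = path.read_bytes()[:64]
    except OSError:          # unreadable (permissions, vanished): counted as nothing
        return "other"
    if head.startswith(PRIVATE_KEY_HEADERS):
        return "private"
    if head.startswith(PUBLIC_KEY_PREFIXES):
        return "public"
    return "other"


def enumerate_ssh_keys(dirs) -> dict:
    directories = []
    for d in dirs:
        private = public = 0
        for f in sorted(d.iterdir()):
            if not f.is_file() or f.name == "authorized_keys":
                continue     # authorized_keys is reported on its own, not as a public key
            kind = classify_key_file(f)
            private += kind == "private"
            public += kind == "public"
        directories.append({"path": str(d),
                            "has_authorized_keys": (d / "authorized_keys").is_file(),
                            "private_key_count": private,
                            "public_key_count": public})
    return {"directories": directories,
            "total_authorized_keys_files": sum(x["has_authorized_keys"] for x in directories),
            "total_private_keys": sum(x["private_key_count"] for x in directories),
            "total_public_keys": sum(x["public_key_count"] for x in directories)}


def demo() -> dict:
    """Constructed Linux-style tree: /root/.ssh and /home/*/.ssh under a temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        alice = root / "home" / "alice" / ".ssh"
        alice.mkdir(parents=True)
        (alice / "id_ed25519").write_bytes(b"-----BEGIN OPENSSH PRIVATE KEY-----\nPLACEHOLDER\n")
        (alice / "id_ed25519.pub").write_bytes(b"ssh-ed25519 AAAAC3Nz PLACEHOLDER alice@host\n")
        (alice / "authorized_keys").write_bytes(b"ssh-ed25519 AAAAC3Nz PLACEHOLDER backup@host\n")
        (alice / "config").write_bytes(b"Host *\n  ServerAliveInterval 60\n")
        sysdir = root / "root" / ".ssh"
        sysdir.mkdir(parents=True)
        (sysdir / "known_hosts").write_bytes(b"example.internal ssh-ed25519 AAAA PLACEHOLDER\n")
        return enumerate_ssh_keys(candidate_ssh_dirs(root, windows=False))


if __name__ == "__main__":
    print(demo())
```

Classifying by content matters because a private key copied to `backup.txt` or `key.old` would be missed by a name-based scan, while `config` and `known_hosts`, which also live in `.ssh`, must not inflate the key counts.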
## capture_coverage_baseline

Purpose:

- Captures reusable baseline arrays for persistence, privileged accounts, and exposed process-network bindings.

Arguments:

- `persistence_limit` (integer, optional): max persistence entries, range 1-512.
- `listener_limit` (integer, optional): max listener records, range 1-512.

Output fields:

- `baseline_version`
- `captured_epoch_seconds`
- `baseline_entries_count`
- `baseline_privileged_account_count`
- `baseline_exposed_binding_count`
- `persistence.baseline_entries`
- `accounts.baseline_privileged_accounts`
- `accounts.approved_privileged_accounts`
- `network.baseline_exposed_bindings`
- `network.expected_processes`