# Artifacts
Artifacts are structured IOC records that Stentor automatically creates whenever a beacon executes a task. Each artifact captures what happened (process creation, file operation, registry modification, network connection), which MITRE ATT&CK technique was used, and which beacon produced it. Artifacts power the ATT&CK Navigator export, IOC reports, and engagement timeline.
## How Artifacts Are Collected
The ArtifactRecorder runs in the task result pipeline and produces artifact records from two sources:
- Implant-reported artifacts (`source: "implant"`) -- The implant explicitly reports artifacts in its task result payload, including type, path, value, and optional technique ID.
- Auto-inferred artifacts (`source: "auto"`) -- When the implant does not report explicit artifacts, the recorder infers them from the task type using the built-in MITRE ATT&CK mapping table.
Artifact recording is non-blocking -- it runs in a background goroutine and batch-inserts records for performance. Failures are logged but never block the task result pipeline.
```mermaid
sequenceDiagram
    participant Implant
    participant Relay
    participant Backend
    participant ArtifactRecorder
    participant Database
    Implant->>Relay: Task result (with optional artifacts)
    Relay->>Backend: Forward result via WebSocket
    Backend->>Backend: Process task result
    Backend->>ArtifactRecorder: RecordFromResult(beaconID, taskID, taskType, result)
    alt Implant reported artifacts
        ArtifactRecorder->>ArtifactRecorder: Use explicit artifacts (source="implant")
    else No explicit artifacts
        ArtifactRecorder->>ArtifactRecorder: Infer from task type (source="auto")
    end
    ArtifactRecorder->>Database: Batch INSERT c2_artifacts
```

## Artifact Object
| Field | Type | Description |
|---|---|---|
| id | UUID | Unique artifact identifier |
| beacon_id | UUID | Beacon that produced the artifact |
| task_id | UUID | Task that triggered the artifact (optional) |
| artifact_type | string | Category: process, file, registry, network, event_log, service |
| path | string | File path, registry key, process name, or network address |
| value | string | Associated value (registry value, file hash, etc.) |
| technique_id | string | MITRE ATT&CK technique ID (e.g., T1055.003) |
| tactic | string | MITRE ATT&CK tactic (e.g., defense-evasion) |
| description | string | Human-readable description of the artifact |
| source | string | implant (explicit) or auto (inferred) |
| created_at | timestamp | When the artifact was recorded |
## Artifact Types

| Type | Description | Example |
|---|---|---|
| process | Process creation or injection | cmd.exe, powershell.exe |
| file | File system operations | Upload/download paths, dropped files |
| registry | Registry key modifications | Persistence keys, service entries |
| network | Network connections | Port scans, lateral movement, tunnels |
| event_log | Windows Event Log entries | Security log indicators |
| service | Windows service operations | Service creation, modification |
## Automatic MITRE Mapping

When no explicit artifacts are reported by the implant, the recorder maps task types to MITRE ATT&CK techniques automatically:

| Task Type | Artifact Type | MITRE Technique |
|---|---|---|
| exec, shell | process | T1059.003 (Command Shell) |
| powershell, powershell_import, powerpick | process | T1059.001 (PowerShell) |
| inject, fork_run | process | T1055 (Process Injection) |
| persist | registry | T1547.001 (Registry Run Keys) |
| creds, STEAL_TOKEN, MAKE_TOKEN | credential | Credential Access techniques |
| file_upload | file | File transfer operations |
| file_download | file | File transfer operations |
| PORTSCAN | network | T1046 (Port Scan) |
| lateral | network | Lateral Movement techniques |
| socks, rportfwd | network | Tunneling/proxy techniques |

**Unmapped Task Types:** Task types without a MITRE mapping are silently skipped -- no artifact is recorded. This keeps the artifact table focused on security-relevant IOCs.
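The collection pipeline and the mapping table above can be read as one function: explicit implant artifacts are used verbatim and stamped `source="implant"`, otherwise the task type is looked up and an `auto` record is produced, and an unmapped task type yields nothing. The Go below is an added illustration written for this page, not Stentor's `ArtifactRecorder`; the `TaskResult` shape, the tactic assigned to each technique, and the default path and description per row are assumptions, and only the table rows that carry a concrete technique ID are reproduced.

```go
package main

import (
	"fmt"
	"time"
)

// Artifact mirrors the documented artifact object (a subset of its fields).
type Artifact struct {
	BeaconID    string
	TaskID      string
	Type        string
	Path        string
	Value       string
	TechniqueID string
	Tactic      string
	Description string
	Source      string // "implant" (explicit) or "auto" (inferred)
	CreatedAt   time.Time
}

// TaskResult is an assumed shape for the implant's result payload; the
// optional Artifacts slice is what the "implant" source path consumes.
type TaskResult struct {
	Output    string
	Artifacts []Artifact
}

// mapping is one row of the automatic mapping table. Only rows with a concrete
// technique ID are reproduced; the tactic, default path and description per
// row are assumptions made for this example.
type mapping struct {
	artifactType string
	techniqueID  string
	tactic       string
	path         string
	description  string
}

var autoMap = map[string]mapping{
	"exec":              {"process", "T1059.003", "execution", "cmd.exe", "Process created: cmd.exe (command shell)"},
	"shell":             {"process", "T1059.003", "execution", "cmd.exe", "Process created: cmd.exe (command shell)"},
	"powershell":        {"process", "T1059.001", "execution", "powershell.exe", "Process created: powershell.exe"},
	"powershell_import": {"process", "T1059.001", "execution", "powershell.exe", "Process created: powershell.exe"},
	"powerpick":         {"process", "T1059.001", "execution", "powershell.exe", "Process created: powershell.exe"},
	"inject":            {"process", "T1055", "defense-evasion", "", "Process injection"},
	"fork_run":          {"process", "T1055", "defense-evasion", "", "Process injection (fork and run)"},
	"persist":           {"registry", "T1547.001", "persistence", "", "Registry run key persistence"},
	"PORTSCAN":          {"network", "T1046", "discovery", "", "Network service scan"},
}

// RecordFromResult builds the artifact records for one task result. Explicit
// implant-reported artifacts take precedence and are stamped source="implant";
// otherwise the task type is looked up in the mapping table and stamped
// source="auto". Unmapped task types produce no record at all.
func RecordFromResult(beaconID, taskID, taskType string, result TaskResult, now time.Time) []Artifact {
	if len(result.Artifacts) > 0 {
		out := make([]Artifact, 0, len(result.Artifacts))
		for _, a := range result.Artifacts {
			a.BeaconID, a.TaskID, a.Source, a.CreatedAt = beaconID, taskID, "implant", now
			out = append(out, a)
		}
		return out
	}
	m, ok := autoMap[taskType]
	if !ok {
		return nil // silently skipped, as documented for unmapped task types
	}
	return []Artifact{{
		BeaconID: beaconID, TaskID: taskID, Type: m.artifactType, Path: m.path,
		TechniqueID: m.techniqueID, Tactic: m.tactic, Description: m.description,
		Source: "auto", CreatedAt: now,
	}}
}

func main() {
	now := time.Date(2026, 2, 21, 14, 30, 0, 0, time.UTC)
	for _, a := range RecordFromResult("beacon-uuid", "task-uuid", "shell", TaskResult{}, now) {
		fmt.Printf("%s %s %s (%s) source=%s\n", a.Type, a.Path, a.TechniqueID, a.Tactic, a.Source)
	}
	skipped := RecordFromResult("beacon-uuid", "task-uuid", "sleep", TaskResult{}, now)
	fmt.Printf("%d artifacts for unmapped task type\n", len(skipped))
}
```

The precedence rule matters for defenders reading the data later: an `auto` record tells you only that a task of that type ran, whereas an `implant` record carries the actual path or value the implant observed, so a report consumer should treat the two sources with different confidence.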
## Querying Artifacts

All artifact endpoints are under `/api/v1/artifacts` and support pagination via `limit` and `offset` query parameters.

### Pagination Parameters

| Parameter | Type | Default | Max | Description |
|---|---|---|---|---|
| limit | int | 50 | 500 | Results per page |
| offset | int | 0 | -- | Pagination offset |
### List All Artifacts

```bash
curl -s "https://stentor.app/api/v1/artifacts?limit=50&offset=0" \
  -H "Authorization: Bearer $TOKEN" | jq
```
Response:

```json
{
  "artifacts": [
    {
      "id": "artifact-uuid",
      "beacon_id": "beacon-uuid",
      "task_id": "task-uuid",
      "artifact_type": "process",
      "path": "cmd.exe",
      "value": "",
      "technique_id": "T1059.003",
      "tactic": "execution",
      "description": "Process created: cmd.exe (command shell)",
      "source": "auto",
      "created_at": "2026-02-21T14:30:00Z"
    }
  ],
  "total": 1247
}
```
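The `total` field in the response is what lets a client walk the whole collection with `limit`/`offset` despite the 500-record cap on `limit`. The Go client below is an added example for this page, not Stentor's own code: `FetchAll` pages until it has received `total` records, clamps `limit` to the documented maximum, and stops on an empty page so that records deleted between requests cannot make it loop forever. `HTTPFetcher` shows the real transport (base URL and bearer token are assumed inputs); `fakeServer` is a constructed in-memory stand-in so the block runs offline.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
)

const maxLimit = 500 // documented cap for the limit parameter

// Page is the documented list response: the artifacts plus the total count.
type Page struct {
	Artifacts []map[string]any `json:"artifacts"`
	Total     int              `json:"total"`
}

// Fetcher performs one GET against /api/v1/artifacts?limit=&offset=. The
// transport is abstracted so the paging logic can be exercised offline.
type Fetcher func(limit, offset int) (Page, error)

// HTTPFetcher is the real transport: Bearer auth against the documented endpoint.
func HTTPFetcher(baseURL, token string) Fetcher {
	return func(limit, offset int) (Page, error) {
		url := fmt.Sprintf("%s/api/v1/artifacts?limit=%d&offset=%d", baseURL, limit, offset)
		req, err := http.NewRequest(http.MethodGet, url, nil)
		if err != nil {
			return Page{}, err
		}
		req.Header.Set("Authorization", "Bearer "+token)
		resp, err := http.DefaultClient.Do(req)
		if err != nil {
			return Page{}, err
		}
		defer resp.Body.Close()
		if resp.StatusCode != http.StatusOK {
			return Page{}, fmt.Errorf("unexpected status %s", resp.Status)
		}
		var p Page
		return p, json.NewDecoder(resp.Body).Decode(&p)
	}
}

// FetchAll walks the collection with limit/offset until every record the
// server reported in "total" has been received.
func FetchAll(fetch Fetcher, limit int) ([]map[string]any, error) {
	if limit <= 0 || limit > maxLimit {
		limit = maxLimit
	}
	var all []map[string]any
	for offset := 0; ; offset += limit {
		page, err := fetch(limit, offset)
		if err != nil {
			return all, fmt.Errorf("offset %d: %w", offset, err)
		}
		if len(page.Artifacts) == 0 {
			break // nothing more to read, even if total changed under us
		}
		all = append(all, page.Artifacts...)
		if len(all) >= page.Total {
			break
		}
	}
	return all, nil
}

// fakeServer is a constructed in-memory stand-in for the API holding n records.
func fakeServer(n int) Fetcher {
	records := make([]map[string]any, n)
	for i := range records {
		records[i] = map[string]any{"id": fmt.Sprintf("artifact-%04d", i), "artifact_type": "process"}
	}
	return func(limit, offset int) (Page, error) {
		if limit > maxLimit {
			return Page{}, fmt.Errorf("limit %d exceeds maximum %d", limit, maxLimit)
		}
		if offset >= n {
			return Page{Total: n}, nil
		}
		end := offset + limit
		if end > n {
			end = n
		}
		return Page{Artifacts: records[offset:end], Total: n}, nil
	}
}

func main() {
	all, err := FetchAll(fakeServer(1247), 500)
	fmt.Println(len(all), err) // 1247 <nil>
}
```

To run it against a live server, replace `fakeServer(1247)` with `HTTPFetcher("https://stentor.app", token)`; the paging logic is unchanged.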
### Filter by Beacon

```bash
curl -s "https://stentor.app/api/v1/artifacts/by-beacon/$BEACON_ID?limit=100" \
  -H "Authorization: Bearer $TOKEN" | jq
```
### Filter by Task

Returns all artifacts for a specific task (no pagination -- returns the full set).

```bash
curl -s "https://stentor.app/api/v1/artifacts/by-task/$TASK_ID" \
  -H "Authorization: Bearer $TOKEN" | jq
```
### Filter by Type

Valid types: `process`, `file`, `registry`, `network`, `event_log`, `service`.
### Filter by MITRE Technique

```bash
curl -s "https://stentor.app/api/v1/artifacts/by-technique/T1059.001?limit=50" \
  -H "Authorization: Bearer $TOKEN" | jq
```
### Filter by Time Range

| Parameter | Type | Required | Description |
|---|---|---|---|
| start | RFC3339 | Yes | Range start time |
| end | RFC3339 | No | Range end time (defaults to now) |

```bash
curl -s "https://stentor.app/api/v1/artifacts/by-time?start=2026-02-20T00:00:00Z&end=2026-02-21T23:59:59Z&limit=100" \
  -H "Authorization: Bearer $TOKEN" | jq
```
## Technique Summary

Aggregated technique usage data across all artifacts, grouped by technique ID and tactic.

### Response

```json
{
  "techniques": [
    {
      "technique_id": "T1059.001",
      "tactic": "execution",
      "count": 47,
      "first_seen": "2026-02-19T08:12:00Z",
      "last_seen": "2026-02-21T16:45:00Z"
    },
    {
      "technique_id": "T1055.003",
      "tactic": "defense-evasion",
      "count": 12,
      "first_seen": "2026-02-19T10:30:00Z",
      "last_seen": "2026-02-21T14:00:00Z"
    }
  ]
}
```

This endpoint feeds the ATT&CK Navigator layer export and the technique breakdown in the IOC report.
## ATT&CK Navigator Layer Export

Export your engagement's technique coverage as an ATT&CK Navigator v4.5 layer JSON file. The layer uses color interpolation (white to red) based on usage frequency.

### Standard Layer

| Parameter | Type | Default | Description |
|---|---|---|---|
| name | string | Stentor Engagement - YYYY-MM-DD | Custom layer name |
| preview | bool | false | When true, omits the Content-Disposition header (for in-browser preview) |
### Per-Operation Layer

A second export mode colors techniques by which host/beacon used them, making it easy to visualize operational coverage across the engagement. Each host gets a distinct color, and a legend maps hostnames to colors.

| Parameter | Type | Default | Description |
|---|---|---|---|
| name | string | Stentor Operation - YYYY-MM-DD | Custom layer name |
| preview | bool | false | Omit download header for in-browser preview |

```bash
curl -s "https://stentor.app/api/v1/artifacts/navigator-layer/by-operation" \
  -H "Authorization: Bearer $TOKEN" \
  -o navigator-layer-operation.json
```
### Color Schemes

Color interpolation from white (`#ffffff`) to red (`#ff6666`) based on `count / maxCount`:

| Usage | Color | Meaning |
|---|---|---|
| 0 | White | Not observed |
| Low | Light pink | Occasional use |
| High | Dark red | Frequent use |

Each host is assigned a distinct color from the palette:

| Index | Color | Hex |
|---|---|---|
| 0 | Red | #ff6666 |
| 1 | Blue | #66b3ff |
| 2 | Green | #99ff99 |
| 3 | Orange | #ffcc66 |
| 4 | Pink | #ff99cc |
| 5+ | Cycles through 10 colors | ... |
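Worked through in code, the two color schemes above are a per-channel interpolation and a modulo lookup. The Go below is an added example for this page, not Stentor's export code: it turns a technique summary (the shape returned by `/api/v1/artifacts/summary`) into a minimal Navigator layer, coloring each technique by `count / maxCount`. Linear per-channel interpolation between the two documented endpoints is an assumption about the exact formula; the palette holds only the five documented entries (the real one has ten), so `HostColor` wraps at five here.

```go
package main

import (
	"encoding/json"
	"fmt"
	"math"
)

// TechniqueCount is one entry of the technique summary response.
type TechniqueCount struct {
	TechniqueID string `json:"technique_id"`
	Tactic      string `json:"tactic"`
	Count       int    `json:"count"`
}

// HeatColor interpolates each RGB channel linearly from white (#ffffff) to
// red (#ff6666) by count/maxCount. Red stays 0xff; green and blue fall
// together from 0xff to 0x66, so the result is always "#ffXXXX".
func HeatColor(count, maxCount int) string {
	if maxCount <= 0 || count <= 0 {
		return "#ffffff" // not observed
	}
	t := math.Min(1, float64(count)/float64(maxCount))
	ch := int(math.Round(255 - (255-0x66)*t))
	return fmt.Sprintf("#ff%02x%02x", ch, ch)
}

// hostPalette holds the five documented entries; indexes past the end wrap.
var hostPalette = []string{"#ff6666", "#66b3ff", "#99ff99", "#ffcc66", "#ff99cc"}

// HostColor returns the per-operation layer color for the i-th host seen.
func HostColor(index int) string {
	return hostPalette[index%len(hostPalette)]
}

// Layer is the subset of the Navigator layer format needed for a heatmap.
type Layer struct {
	Name       string            `json:"name"`
	Versions   map[string]string `json:"versions"`
	Domain     string            `json:"domain"`
	Techniques []LayerTechnique  `json:"techniques"`
}

type LayerTechnique struct {
	TechniqueID string `json:"techniqueID"`
	Tactic      string `json:"tactic"`
	Score       int    `json:"score"`
	Color       string `json:"color"`
}

// BuildHeatLayer turns a technique summary into a frequency-colored layer.
func BuildHeatLayer(name string, summary []TechniqueCount) Layer {
	maxCount := 0
	for _, s := range summary {
		if s.Count > maxCount {
			maxCount = s.Count
		}
	}
	layer := Layer{Name: name, Versions: map[string]string{"layer": "4.5"}, Domain: "enterprise-attack"}
	for _, s := range summary {
		layer.Techniques = append(layer.Techniques, LayerTechnique{
			TechniqueID: s.TechniqueID, Tactic: s.Tactic, Score: s.Count, Color: HeatColor(s.Count, maxCount),
		})
	}
	return layer
}

func main() {
	// Constructed summary matching the response shown earlier on the page.
	summary := []TechniqueCount{{"T1059.001", "execution", 47}, {"T1055.003", "defense-evasion", 12}}
	out, _ := json.MarshalIndent(BuildHeatLayer("Stentor Engagement - 2026-02-21", summary), "", "  ")
	fmt.Println(string(out))
}
```

With the constructed summary, T1059.001 (the maximum) renders as `#ff6666` and T1055.003 at 12/47 of the maximum renders as `#ffd8d8`, a light pink; a technique with zero count stays white.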
### Using with ATT&CK Navigator

- Download the layer JSON from either endpoint
- Open ATT&CK Navigator
- Click Open Existing Layer and upload the JSON file
- The heatmap renders your engagement's technique coverage

See MITRE ATT&CK Integration for the full knowledge base documentation.
## IOC Report

Generate a structured Indicators of Compromise report from all recorded artifacts. The report groups artifacts by host and includes a technique breakdown section -- ideal for defender handoff after an engagement.

| Parameter | Type | Default | Description |
|---|---|---|---|
| format | string | json | Export format: json, pdf, or html |
### IOC Report Structure

```json
{
  "generated_at": "2026-02-21T15:00:00Z",
  "total_artifacts": 523,
  "hosts": [
    {
      "hostname": "DC01",
      "ip": "10.10.10.10",
      "artifacts": [
        {
          "type": "process",
          "path": "powershell.exe",
          "value": "",
          "technique_id": "T1059.001",
          "tactic": "execution",
          "description": "Process created: powershell.exe",
          "source": "auto",
          "created_at": "2026-02-20T09:15:00Z"
        }
      ]
    }
  ],
  "technique_breakdown": [
    {
      "technique_id": "T1059.001",
      "technique_name": "PowerShell",
      "tactic": "execution",
      "artifact_count": 47,
      "hosts": ["DC01", "WS01", "WS02"]
    }
  ]
}
```
| Section | Description |
|---|---|
| hosts | Artifacts grouped by target hostname and IP address |
| technique_breakdown | Aggregated technique usage with affected host lists |
| total_artifacts | Total artifact count across all hosts |

**File Hash Detection:** For file-type artifacts, if the `value` field contains a 64-character hex string, the IOC report automatically populates the `hash` field with it as the SHA256 hash, for easy IOC sharing.
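The report structure and the hash rule together describe a small aggregation: group artifacts by host, count each technique and collect the hosts it touched, and promote a 64-hex-character `value` on a file artifact into a `hash` field. The Go below is an added example for this page, not Stentor's report generator. It takes artifact rows already joined with their beacon's hostname and IP (that join is assumed) and emits the documented JSON shape minus `technique_name`, which needs the ATT&CK knowledge base; `SampleRows` is constructed input, and the hash in it is the well-known SHA256 of the empty string, used only as a syntactically valid value.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"sort"
)

// RawArtifact is an artifact row joined with its beacon's hostname and IP.
type RawArtifact struct {
	Hostname, IP, Type, Path, Value, TechniqueID, Tactic, Description, Source, CreatedAt string
}

type ReportArtifact struct {
	Type        string `json:"type"`
	Path        string `json:"path"`
	Value       string `json:"value"`
	Hash        string `json:"hash,omitempty"` // set only when value is a SHA256
	TechniqueID string `json:"technique_id"`
	Tactic      string `json:"tactic"`
	Description string `json:"description"`
	Source      string `json:"source"`
	CreatedAt   string `json:"created_at"`
}

type HostSection struct {
	Hostname  string           `json:"hostname"`
	IP        string           `json:"ip"`
	Artifacts []ReportArtifact `json:"artifacts"`
}

type TechniqueRow struct {
	TechniqueID   string   `json:"technique_id"`
	Tactic        string   `json:"tactic"`
	ArtifactCount int      `json:"artifact_count"`
	Hosts         []string `json:"hosts"`
}

type IOCReport struct {
	GeneratedAt        string         `json:"generated_at"`
	TotalArtifacts     int            `json:"total_artifacts"`
	Hosts              []HostSection  `json:"hosts"`
	TechniqueBreakdown []TechniqueRow `json:"technique_breakdown"`
}

// sha256Hex is the documented rule: exactly 64 hexadecimal characters.
var sha256Hex = regexp.MustCompile(`^[0-9a-fA-F]{64}$`)

func IsSHA256(v string) bool { return sha256Hex.MatchString(v) }

// BuildIOCReport groups rows by host and aggregates technique usage.
func BuildIOCReport(generatedAt string, rows []RawArtifact) IOCReport {
	hosts := map[string]*HostSection{}
	techs := map[string]*TechniqueRow{}
	techHosts := map[string]map[string]bool{}
	for _, r := range rows {
		h, ok := hosts[r.Hostname]
		if !ok {
			h = &HostSection{Hostname: r.Hostname, IP: r.IP}
			hosts[r.Hostname] = h
		}
		a := ReportArtifact{Type: r.Type, Path: r.Path, Value: r.Value, TechniqueID: r.TechniqueID,
			Tactic: r.Tactic, Description: r.Description, Source: r.Source, CreatedAt: r.CreatedAt}
		if r.Type == "file" && IsSHA256(r.Value) {
			a.Hash = r.Value // file hash detection
		}
		h.Artifacts = append(h.Artifacts, a)
		if r.TechniqueID == "" {
			continue // no technique: contributes to the host list only
		}
		tr, ok := techs[r.TechniqueID]
		if !ok {
			tr = &TechniqueRow{TechniqueID: r.TechniqueID, Tactic: r.Tactic}
			techs[r.TechniqueID] = tr
			techHosts[r.TechniqueID] = map[string]bool{}
		}
		tr.ArtifactCount++
		techHosts[r.TechniqueID][r.Hostname] = true
	}
	report := IOCReport{GeneratedAt: generatedAt, TotalArtifacts: len(rows)}
	for _, h := range hosts {
		report.Hosts = append(report.Hosts, *h)
	}
	sort.Slice(report.Hosts, func(i, j int) bool { return report.Hosts[i].Hostname < report.Hosts[j].Hostname })
	for id, tr := range techs {
		for host := range techHosts[id] {
			tr.Hosts = append(tr.Hosts, host)
		}
		sort.Strings(tr.Hosts)
		report.TechniqueBreakdown = append(report.TechniqueBreakdown, *tr)
	}
	sort.Slice(report.TechniqueBreakdown, func(i, j int) bool {
		return report.TechniqueBreakdown[i].ArtifactCount > report.TechniqueBreakdown[j].ArtifactCount
	})
	return report
}

// SampleRows is constructed input: two PowerShell executions and two file
// artifacts, one of which carries a SHA256 in its value field.
func SampleRows() []RawArtifact {
	return []RawArtifact{
		{"DC01", "10.10.10.10", "process", "powershell.exe", "", "T1059.001", "execution", "Process created: powershell.exe", "auto", "2026-02-20T09:15:00Z"},
		{"WS01", "10.10.10.20", "process", "powershell.exe", "", "T1059.001", "execution", "Process created: powershell.exe", "auto", "2026-02-20T09:20:00Z"},
		{"DC01", "10.10.10.10", "file", "C:\\Windows\\Temp\\stage.bin", "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", "", "", "File uploaded", "implant", "2026-02-20T09:30:00Z"},
		{"WS01", "10.10.10.20", "file", "C:\\Users\\Public\\notes.txt", "not-a-hash", "", "", "File downloaded", "implant", "2026-02-20T09:40:00Z"},
	}
}

func main() {
	out, _ := json.MarshalIndent(BuildIOCReport("2026-02-21T15:00:00Z", SampleRows()), "", "  ")
	fmt.Println(string(out))
}
```

Note that the detection is purely syntactic: any 64-hex-character value on a file artifact is reported as a SHA256, so an implant that puts something else of that shape into `value` will produce a misleading hash. A receiving blue team should verify promoted hashes against the actual dropped files before loading them into blocklists.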
## Engagement Timeline

A chronological view of all artifacts joined with beacon metadata, supporting multi-dimensional filtering. The timeline is ordered oldest-first (ascending) and is designed for engagement reconstruction and post-operation analysis.

### Filter Parameters

| Parameter | Type | Required | Description |
|---|---|---|---|
| host | string | No | Filter by beacon hostname (exact match) |
| operator | string | No | Filter by beacon username (exact match) |
| technique | string | No | Filter by MITRE technique ID |
| start | RFC3339 | No | Date range start |
| end | RFC3339 | No | Date range end |
| limit | int | No | Max entries (default 200, max 5000) |
| offset | int | No | Pagination offset |
| format | string | No | Output format: json (default), pdf, or html |
### Timeline Response

```json
{
  "timeline": {
    "generated_at": "2026-02-21T15:30:00Z",
    "total_entries": 834,
    "filters": {
      "hostname": "DC01",
      "technique_id": "T1059.001"
    },
    "entries": [
      {
        "timestamp": "2026-02-19T08:12:00Z",
        "beacon_id": "beacon-uuid",
        "hostname": "DC01",
        "username": "CORP\\jdoe",
        "ip": "10.10.10.10",
        "artifact_type": "process",
        "path": "powershell.exe",
        "value": "",
        "technique_id": "T1059.001",
        "tactic": "execution",
        "description": "Process created: powershell.exe",
        "source": "auto"
      }
    ]
  }
}
```
**Export Limits:** When exporting as PDF or HTML, the limit is automatically raised to 5000 entries to capture the full engagement timeline. JSON responses respect the caller-provided limit.
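The filter table, the ascending ordering and the limit rules above describe one query. The Go below is an added example for this page, not Stentor's timeline handler: `EffectiveLimit` encodes the default of 200, the cap of 5000, and the PDF/HTML override, and `QueryTimeline` applies the exact-match and time-range filters, sorts oldest-first, and pages the result while reporting the total number of matches. `SampleEntries` is constructed input; the `Entry` shape is a subset of the documented timeline entry.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

const (
	defaultTimelineLimit = 200
	maxTimelineLimit     = 5000
)

// Entry is a subset of the documented timeline entry.
type Entry struct {
	Timestamp    time.Time
	Hostname     string
	Username     string
	TechniqueID  string
	ArtifactType string
	Path         string
}

// TimelineFilter mirrors the documented query parameters; zero values mean unset.
type TimelineFilter struct {
	Host, Operator, Technique string
	Start, End                time.Time
	Limit, Offset             int
	Format                    string // json (default), pdf, html
}

// EffectiveLimit applies the documented rules: default 200, cap 5000, and
// PDF/HTML exports always raised to 5000 so the full timeline is captured.
func EffectiveLimit(f TimelineFilter) int {
	if f.Format == "pdf" || f.Format == "html" {
		return maxTimelineLimit
	}
	switch {
	case f.Limit <= 0:
		return defaultTimelineLimit
	case f.Limit > maxTimelineLimit:
		return maxTimelineLimit
	}
	return f.Limit
}

// QueryTimeline applies the filters, sorts oldest-first and pages the result.
// It returns the page and the total number of matching entries.
func QueryTimeline(entries []Entry, f TimelineFilter) ([]Entry, int) {
	var matched []Entry
	for _, e := range entries {
		if f.Host != "" && e.Hostname != f.Host {
			continue // hostname is an exact match
		}
		if f.Operator != "" && e.Username != f.Operator {
			continue // username is an exact match
		}
		if f.Technique != "" && e.TechniqueID != f.Technique {
			continue
		}
		if !f.Start.IsZero() && e.Timestamp.Before(f.Start) {
			continue
		}
		if !f.End.IsZero() && e.Timestamp.After(f.End) {
			continue
		}
		matched = append(matched, e)
	}
	sort.SliceStable(matched, func(i, j int) bool { return matched[i].Timestamp.Before(matched[j].Timestamp) })
	total := len(matched)
	if f.Offset >= total {
		return nil, total
	}
	end := f.Offset + EffectiveLimit(f)
	if end > total {
		end = total
	}
	return matched[f.Offset:end], total
}

// SampleEntries is constructed input, deliberately out of order.
func SampleEntries() []Entry {
	ts := func(s string) time.Time { t, _ := time.Parse(time.RFC3339, s); return t }
	return []Entry{
		{ts("2026-02-20T09:15:00Z"), "DC01", "CORP\\jdoe", "T1059.001", "process", "powershell.exe"},
		{ts("2026-02-19T08:12:00Z"), "DC01", "CORP\\jdoe", "T1059.001", "process", "powershell.exe"},
		{ts("2026-02-19T10:30:00Z"), "WS01", "CORP\\asmith", "T1055.003", "process", ""},
		{ts("2026-02-21T14:00:00Z"), "DC01", "CORP\\jdoe", "T1055.003", "process", ""},
	}
}

func main() {
	page, total := QueryTimeline(SampleEntries(), TimelineFilter{Host: "DC01", Technique: "T1059.001"})
	fmt.Printf("%d matches, first at %s\n", total, page[0].Timestamp.Format(time.RFC3339))
}
```

Because `EffectiveLimit` is consulted only after filtering, the `total` a client receives always reflects the whole match set, which is what lets it decide whether a JSON export was truncated by the 200-entry default and needs to be paged or re-requested as PDF/HTML.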
## API Reference

| Method | Endpoint | Description |
|---|---|---|
| GET | /api/v1/artifacts | List all artifacts (paginated) |
| GET | /api/v1/artifacts/by-beacon/:beaconId | Artifacts for a specific beacon |
| GET | /api/v1/artifacts/by-task/:taskId | Artifacts for a specific task |
| GET | /api/v1/artifacts/by-type/:type | Artifacts filtered by type |
| GET | /api/v1/artifacts/by-technique/:techniqueId | Artifacts filtered by MITRE technique |
| GET | /api/v1/artifacts/by-time | Artifacts within a time range |
| GET | /api/v1/artifacts/summary | Aggregated technique summary |
| GET | /api/v1/artifacts/navigator-layer | ATT&CK Navigator layer export |
| GET | /api/v1/artifacts/navigator-layer/by-operation | Per-operation Navigator layer |
| GET | /api/v1/artifacts/ioc-report | IOC report (JSON, PDF, HTML) |
| GET | /api/v1/artifacts/timeline | Engagement timeline (JSON, PDF, HTML) |
## See Also

- MITRE ATT&CK Integration -- Knowledge base, CNA scripting functions, and technique lookup
- Campaign Reports -- Campaign-scoped reports in 6 formats
- C2 Campaigns -- Campaign management and beacon association
- Audit Log -- Operator action audit trail