NextronSystems · secDre4mer · Nov 25, 2025 · Nov 20, 2025 · Nov 25, 2025
diff --git a/thorlog/v3/atjob.go b/thorlog/v3/atjob.go
@@ -7,12 +7,7 @@ import (
 type AtJob struct {
 	jsonlog.ObjectHeader
 
-	Command   string `json:"command" textlog:"command"`
-	Start     string `json:"start" textlog:"start"`
-	User      string `json:"user" textlog:"user"`
-	RunLevel  string `json:"run_level" textlog:"runlevel"`
-	LogonType string `json:"logon_type" textlog:"logontype"`
-	Image     *File  `json:"image" textlog:"image,expand"`
+	Command string `json:"command" textlog:"command"`
 }
 
 const typeAtJob = "at job"

diff --git a/thorlog/v3/ebpf.go b/thorlog/v3/ebpf.go
@@ -7,6 +7,10 @@ import (
 // EBPFProgram describes an eBPF program attached to a specific endpoint in the kernel.
 //
 // To use eBPF nomenclature: This struct describes an eBPF link and its corresponding program.
+// The exposed information by the kernel about links can be found at
+// https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/include/uapi/linux/bpf.h?h=v6.17#n6680,
+// and program information at
+// https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/include/uapi/linux/bpf.h?h=v6.17#n6610.
 //
 // eBPF programs can be attached to a wide range of things; the LinkType contains what sort of object
 // the program is attached to, and AttachTarget contains what specific object it is attached to.

diff --git a/thorlog/v3/scheduledtask.go b/thorlog/v3/scheduledtask.go
@@ -6,13 +6,45 @@ import (
 	"github.com/NextronSystems/jsonlog"
 )
 
+// ScheduledTask describes a Windows Scheduled Task.
+//
+// See also the Microsoft documentation at https://learn.microsoft.com/en-us/windows/win32/taskschd/task-scheduler-reference
+// for more details about scheduled tasks.
 type ScheduledTask struct {
 	LogObjectHeader
 
-	Name    string    `json:"name" textlog:"name"`
-	Path    string    `json:"path" textlog:"path"`
-	Command string    `json:"command" textlog:"command"`
-	Enabled bool      `json:"enabled" textlog:"enabled"`
+	// Name of the scheduled task.
+	Name string `json:"name" textlog:"name"`
+	// Path (within C:\Windows\System32\tasks) of this scheduled task.
+	Path string `json:"path" textlog:"path"`
+
+	// Commands executed when this scheduled task activates. Commands each include both image and arguments.
+	Commands StringList `json:"commands" textlog:"command,omitempty"`
+	// COM Handlers (as GUIDs) invoked when this scheduled task activates.
+	ComHandlers StringList `json:"com_handlers,omitempty" textlog:"com_handler,expand,omitempty"`
+
+	// Whether the scheduled task is active.
+	Enabled bool `json:"enabled" textlog:"enabled"`
+	// The trigger types when the task should be executed.
+	// Options:
+	// - Time (at a fixed time)
+	// - Calendar (regularly based on calendar)
+	// - Boot
+	// - Logon
+	// - Event (when specific events occur in the Windows Eventlog)
+	// - Registration (only when the task was initially created)
+	// - SessionStateChange (configurable on e.g. remote connection, session unlock, ...)
+	Triggers StringList `json:"triggers,omitempty" textlog:"triggers,omitempty"`
+
+	// The user (or SID) as which the scheduled task will run.
+	User string `json:"user" textlog:"user"`
+	// Logon type, options: S4U, Password, InteractiveToken
+	LogonType string `json:"logon_type" textlog:"logon_type"`
+	// Run level, options: LeastPrivilege or HighestAvailable
+	RunLevel string `json:"run_level" textlog:"run_level"`
+	// Privileges wanted by this scheduled task.
+	Privileges StringList `json:"privileges,omitempty" textlog:"privileges,omitempty"`
+
 	LastRun time.Time `json:"last_run,omitzero" textlog:"lastrun,omitempty"`
 	NextRun time.Time `json:"next_run,omitzero" textlog:"nextrun,omitempty"`
 }