Description
The current tool suite has list_processes (via tasklist) but no process tree analysis. Security triage frequently needs to identify suspicious parent-child relationships (e.g., cmd.exe spawned by svchost.exe, powershell.exe spawned by excel.exe).
Without tree context, the agent can list processes but cannot correlate them into attack chains.
Proposal
Add a process_tree tool that:
- On Windows: uses wmic process get Name,ProcessId,ParentProcessId or Get-CimInstance Win32_Process
- On Linux: uses ps auxf or pstree
- Returns parent-child relationships in structured format
- Optionally highlights known suspicious parent-child pairs (MITRE T1059, T1055)
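As an added illustration of what the proposed tool would do (example code written for this issue, not code from cyber_tools or core_engine), the block below parses the text output of wmic process get Name,ProcessId,ParentProcessId, builds the parent-child tree, renders it ps auxf style, and flags the two parent-child pairs named above. The wmic sample is constructed, not captured from a real host; the suspicious-pair table and the T1059 sub-technique mapping are an assumed starting list that a real implementation would extend, and T1055 is left out because process injection cannot be inferred from lineage alone.

```rust
use std::collections::{BTreeMap, HashMap};

/// One process record. Field names mirror the WMI properties quoted in the issue.
#[derive(Debug, Clone, PartialEq)]
pub struct Proc {
    pub name: String,
    pub pid: u32,
    pub ppid: u32,
}

/// A flagged parent->child pair and the ATT&CK technique it maps to.
#[derive(Debug, Clone, PartialEq)]
pub struct Finding {
    pub parent: String,
    pub child: String,
    pub child_pid: u32,
    pub technique: &'static str,
}

/// (parent, child, technique), lower-case. Assumed starting list built from the
/// pairs in the issue text; a production tool would extend it.
const SUSPICIOUS_PAIRS: &[(&str, &str, &str)] = &[
    ("svchost.exe", "cmd.exe", "T1059.003"),
    ("excel.exe", "powershell.exe", "T1059.001"),
];

/// Parse `wmic process get Name,ProcessId,ParentProcessId` output. wmic prints
/// columns alphabetically regardless of the order requested, so the header is
/// read to locate the numeric columns; Name may contain spaces, so it is taken
/// as everything before the numeric tail. Malformed rows are skipped.
pub fn parse_wmic(output: &str) -> Vec<Proc> {
    let mut lines = output.lines().map(str::trim).filter(|l| !l.is_empty());
    let header: Vec<&str> = match lines.next() {
        Some(h) => h.split_whitespace().collect(),
        None => return Vec::new(),
    };
    let numeric_cols = header.len() - 1; // every column except Name is numeric
    let pos = |col: &str| header.iter().position(|h| *h == col).and_then(|i| i.checked_sub(1));
    let (ppid_i, pid_i) = match (pos("ParentProcessId"), pos("ProcessId")) {
        (Some(a), Some(b)) => (a, b),
        _ => return Vec::new(),
    };
    let mut procs = Vec::new();
    for line in lines {
        let tokens: Vec<&str> = line.split_whitespace().collect();
        if tokens.len() <= numeric_cols {
            continue;
        }
        let split = tokens.len() - numeric_cols;
        let nums: Result<Vec<u32>, _> = tokens[split..].iter().map(|t| t.parse::<u32>()).collect();
        if let Ok(nums) = nums {
            procs.push(Proc { name: tokens[..split].join(" "), pid: nums[pid_i], ppid: nums[ppid_i] });
        }
    }
    procs
}

/// Flag suspicious lineage. Orphans (parent not in the snapshot) are skipped, not guessed.
pub fn find_suspicious(procs: &[Proc]) -> Vec<Finding> {
    let by_pid: HashMap<u32, &Proc> = procs.iter().map(|p| (p.pid, p)).collect();
    let mut findings = Vec::new();
    for child in procs {
        let parent = match by_pid.get(&child.ppid) {
            Some(p) if p.pid != child.pid => p,
            _ => continue,
        };
        let (pn, cn) = (parent.name.to_ascii_lowercase(), child.name.to_ascii_lowercase());
        for &(a, b, tech) in SUSPICIOUS_PAIRS {
            if a == pn && b == cn {
                findings.push(Finding {
                    parent: parent.name.clone(),
                    child: child.name.clone(),
                    child_pid: child.pid,
                    technique: tech,
                });
            }
        }
    }
    findings
}

/// Render the snapshot as an indented tree, one process per line (ps auxf style).
/// A process whose parent is missing, or which is its own parent, becomes a root.
pub fn render_tree(procs: &[Proc]) -> String {
    let by_pid: HashMap<u32, &Proc> = procs.iter().map(|p| (p.pid, p)).collect();
    let mut children: BTreeMap<u32, Vec<&Proc>> = BTreeMap::new();
    let mut roots: Vec<&Proc> = Vec::new();
    for p in procs {
        if p.ppid == p.pid || !by_pid.contains_key(&p.ppid) {
            roots.push(p);
        } else {
            children.entry(p.ppid).or_default().push(p);
        }
    }
    fn walk(p: &Proc, depth: usize, children: &BTreeMap<u32, Vec<&Proc>>, out: &mut String) {
        out.push_str(&format!("{}{} [{}]\n", "  ".repeat(depth), p.name, p.pid));
        if let Some(kids) = children.get(&p.pid) {
            for k in kids {
                walk(k, depth + 1, children, out);
            }
        }
    }
    let mut out = String::new();
    for r in roots {
        walk(r, 0, &children, &mut out);
    }
    out
}

/// Constructed sample in wmic's layout (alphabetical columns, padded); not real host data.
pub const SAMPLE_WMIC: &str = "\
Name                 ParentProcessId  ProcessId
System Idle Process  0                0
System               0                4
explorer.exe         3200             3300
svchost.exe          612              1024
cmd.exe              1024             2200
EXCEL.EXE            3300             4100
powershell.exe       4100             4180
";

fn main() {
    let procs = parse_wmic(SAMPLE_WMIC);
    print!("{}", render_tree(&procs));
    for f in find_suspicious(&procs) {
        println!("SUSPICIOUS: {} -> {} (pid {}) {}", f.parent, f.child, f.child_pid, f.technique);
    }
}
```

Linux output from ps -eo pid,ppid,comm, or the objects returned by Get-CimInstance Win32_Process, can be mapped into the same Proc struct so that find_suspicious and render_tree stay platform-independent; only the parser is OS-specific.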
Affected Files
cyber_tools/src/lib.rs (new tool)
core_engine/src/lib.rs (tool registry)