FileMonitor.exl

Revision 1248, 10.7 kB (checked in by xkovah, 11 months ago)
updating the exclusion lists

Line
1	#[+,-] [File Access] [Process Name] [File Path]
2	###################################################
3	### Clean Windows XP SP 2 System ###
4	###################################################
5	+ Read .* .*
6	+ Create .* .*
7	+ Open .* .*
8	+ Write C:\\program Files\\capture\\captureclient\.exe C:\\program files\\capture\\logs\\.+
9	+ Delete C:\\program Files\\capture\\captureclient\.exe C:\\program files\\capture\\.+\.zip
10	#Prefetch
11	+ Write C:\\WINDOWS\\system32\\svchost\.exe C:\\WINDOWS\\Prefetch\\.+
12	+ Write System C:\\WINDOWS\\Prefetch\\.+
13	#NTFS Metadata
14	+ Write .* c:\\\$mft
15	+ Write .* c:\\\$mftmirr
16	+ Write .* c:\\\$logfile
17	+ Write .* c:\\\$volume
18	+ Write .* c:\\\$directory
19	+ Write .* c:\\\$AttrDef
20	+ Write .* c:\\\$boot
21	+ Write .* c:\\\$bitmap
22	+ Write .* c:\\\$badclus
23	+ Write .* c:\\\$quota
24	+ Write .* c:\\\$upcase
25	+ Write .* c:\\\$ReplaceAttribute2
26	+ Write .* c:\\\$converttononresident
27	#Performance
28	+ Write C:\\WINDOWS\\system32\\wbem\\wmiadap\.exe C:\\WINDOWS\\system32\\wbem\\Performance\\.+
29	+ Write C:\\WINDOWS\\system32\\wbem\\wmiadap\.exe C:\\WINDOWS\\system32\\Perf.*
30	+ Write C:\\WINDOWS\\system32\\svchost\.exe C:\\WINDOWS\\Prefetch\\.+
31	+ Write System C:\\WINDOWS\\Prefetch\\.+
32	#System Log Files
33	+ Write System C:\\Documents and Settings\\.+\\.+\.LOG
34	+ Write System C:\\WINDOWS\\system32\\config\\.+\.LOG
35	+ Write System C:\\WINDOWS\\Debug\\UserMode\\userenv\.log
36	+ Write System C:\\WINDOWS\\SoftwareDistribution\\ReportingEvents\.log
37	+ Write C:\\WINDOWS\\system32\\winlogon\.exe C:\\WINDOWS\\Debug\\UserMode\\userenv\.log
38	+ Write C:\\WINDOWS\\system32\\svchost\.exe C:\\WINDOWS\\.+\.log
39	+ Write C:\\WINDOWS\\system32\\lsass\.exe C:\\WINDOWS\\system32\\config\\.+\.LOG
40	+ Write C:\\WINDOWS\\system32\\lsass\.exe C:\\WINDOWS\\system32\\config\\SAM
41	+ Write C:\\WINDOWS\\system32\\wbem\\wmiprvse\.exe C:\\WINDOWS\\system32\\wbem\\Logs\\wmiprov\.log
42	#Windows update
43	+ Write C:\\WINDOWS\\system32\\wuauclt\.exe C:\\WINDOWS\\WindowsUpdate\.log
44	+ Write C:\\WINDOWS\\system32\\wuauclt\.exe C:\\WINDOWS\\SoftwareDistribution\\DataStore\\Logs\\.+
45	+ Write C:\\WINDOWS\\system32\\wuauclt\.exe C:\\WINDOWS\\SoftwareDistribution\\DataStore\\DataStore\.edb
46	+ Write C:\\WINDOWS\\system32\\wuauclt\.exe C:\\WINDOWS\\SoftwareDistribution\\DataStore\\DataStore\.edb
47	#System Events
48	+ Write C:\\WINDOWS\\system32\\services\.exe C:\\WINDOWS\\system32\\config\\AppEvent\.Evt
49	+ Write C:\\WINDOWS\\system32\\services\.exe C:\\WINDOWS\\system32\\config\\SysEvent\.Evt
50	+ Write C:\\WINDOWS\\system32\\services\.exe C:\\WINDOWS\\system32\\config\\SecEvent\.Evt
51	#Mapping
52	+ Write C:\\WINDOWS\\system32\\svchost\.exe C:\\WINDOWS\\system32\\wbem\\.+
53	#Cataloging
54	+ Write C:\\WINDOWS\\system32\\svchost\.exe C:\\WINDOWS\\system32\\CatRoot2\\.+
55	+ Write C:\\WINDOWS\\system32\\svchost\.exe C:\\WINDOWS\\system32\\CatRoot\\.+
56	#System restore
57	+ Write C:\\WINDOWS\\system32\\svchost\.exe C:\\WINDOWS\\SoftwareDistribution\\WuRedir\\.+
58	+ Write C:\\WINDOWS\\system32\\svchost\.exe C:\\System Volume Information\\_restore.*
59	#user data
60	+ Write System C:\\Documents and Settings\\.+\\Local Settings\\Application Data\\Microsoft\\Windows\\UsrClass\.dat
61	###################################################
62	### Internet Explorer 6.0 SP2 ###
63	###################################################
64	#somehow VMwareService & System accesses the same files when IE is browsing.
65	+ Write C:\\Program Files\\VMware\\VMware Tools\\VMwareService\.exe .*
66	+ Write System .*
67	# IE Temporary Files/Internet Cache.
68	+ Write C:\\Program Files\\Internet Explorer\\iexplore\.exe C:\\WINDOWS\\Temp\\.+
69	+ Write C:\\Program Files\\Internet Explorer\\iexplore\.exe C:\\Documents and Settings\\.+\\Local Settings\\Temporary Internet Files\\Content\.IE5\\.+
70	+ Write C:\\Program Files\\Internet Explorer\\iexplore\.exe C:\\Documents and Settings\\.+\\Local Settings\\Temp\\.+tmp
71	+ Delete C:\\Program Files\\Internet Explorer\\iexplore\.exe C:\\WINDOWS\\Temp\\.+
72	+ Delete C:\\Program Files\\Internet Explorer\\iexplore\.exe C:\\Documents and Settings\\.+\\Local Settings\\Temporary Internet Files\\Content\.IE5\\.+
73	+ Delete C:\\Program Files\\Internet Explorer\\iexplore\.exe C:\\Documents and Settings\\.+\\Local Settings\\Temp\\.+tmp
74	# History
75	+ Write C:\\Program Files\\Internet Explorer\\iexplore\.exe C:\\Documents and Settings\\.+\\Local Settings\\History\\History.IE5\\.+
76	+ Delete C:\\Program Files\\Internet Explorer\\iexplore\.exe C:\\Documents and Settings\\.+\\Local Settings\\History\\History.IE5\\.+
77	# IE Cookies
78	+ Write C:\\Program Files\\Internet Explorer\\iexplore\.exe C:\\Documents and Settings\\.+\\Cookies\\.+
79	+ Write C:\\Program Files\\Internet Explorer\\iexplore\.exe C:\\Documents and Settings\\.+\\Cookies\\index.dat
80	+ Delete C:\\Program Files\\Internet Explorer\\iexplore\.exe C:\\Documents and Settings\\.+\\Cookies\\.+
81	+ Delete C:\\Program Files\\Internet Explorer\\iexplore\.exe C:\\Documents and Settings\\.+\\Cookies\\index.dat
82	# User data
83	+ Write C:\\Program Files\\Internet Explorer\\iexplore\.exe C:\\Documents and Settings\\.+\\Application Data\\Microsoft\\CryptnetUrlCache
84	+ Write C:\\Program Files\\Internet Explorer\\iexplore\.exe C:\\Documents and Settings\\.+\\UserData\\.+
85	+ Delete C:\\Program Files\\Internet Explorer\\iexplore\.exe C:\\Documents and Settings\\.+\\Application Data\\Microsoft\\CryptnetUrlCache
86	+ Delete C:\\Program Files\\Internet Explorer\\iexplore\.exe C:\\Documents and Settings\\.+\\UserData\\.+
87	# Plug ins (like Flash player)
88	+ Write C:\\Program Files\\Internet Explorer\\iexplore\.exe C:\\Documents and Settings\\.+\\Application Data\\.+
89	+ Delete C:\\Program Files\\Internet Explorer\\iexplore\.exe C:\\Documents and Settings\\.+\\Application Data\\.+
90	# DRM related stuff
91	+ Write C:\\Program Files\\Internet Explorer\\iexplore\.exe C:\\Documents and Settings\\.+\\DRM\\.+
92	+ Delete C:\\Program Files\\Internet Explorer\\iexplore\.exe C:\\Documents and Settings\\.+\\DRM\\.+
93	# msg activeX
94	+ Write C:\\Program Files\\Messenger\\msmsgs\.exe C:\\Documents and Settings\\.+\\NTUSER.DAT.LOG
95	+ Delete C:\\Program Files\\Messenger\\msmsgs\.exe C:\\Documents and Settings\\.+\\NTUSER.DAT.LOG
96	+ Write C:\\WINDOWS\\system32\\wbem\\wmiprvse\.exe E:\$LogFile
97	+ Write C:\\WINDOWS\\system32\\wbem\\wmiprvse\.exe E:\$Directory
98	+ Write C:\\WINDOWS\\system32\\wbem\\wmiprvse\.exe E:\$Mft
99	+ Write C:\\WINDOWS\\system32\\wbem\\wmiprvse\.exe F:\$LogFile
100
101	###################################################
102	### Honeyclient added/specific? ###
103	###################################################
104	+ Write C:\\WINDOWS\\system32\\wbem\\wmiprvse\.exe C:\\WINDOWS\\system32\\wbem\\Logs\\FrameWork\.log
105	+ Write C:\\WINDOWS\\system32\\wbem\\wmiprvse\.exe C:\\WINDOWS\\system32\\wpa\.dbl
106	+ Write C:\\WINDOWS\\system32\\WgaTray\.exe C:\\Documents and Settings\\All Users\\Application Data\\Windows Genuine Advantage\\data\\data\.dat
107	+ Write C:\\WINDOWS\\system32\\WgaTray\.exe C:\\WINDOWS\\Temp\\WGANotify\.settings
108	+ Write C:\\WINDOWS\\system32\\WgaTray\.exe C:\\Documents and Settings\\Administrator\\Application Data\\Microsoft\\CryptnetUrlCache.*
109	+ Delete C:\\WINDOWS\\system32\\wuauclt\.exe C:\\WINDOWS\\SoftwareDistribution\\DataStore\\Logs\\tmp.*
110	#Firefox
111	+ Delete C:\\Program Files\\Mozilla Firefox\\firefox\.exe C:\\Documents and Settings\\Administrator\\Application Data\\Mozilla\\Firefox\\Profiles.*
112	+ Write C:\\Program Files\\Mozilla Firefox\\firefox\.exe C:\\Documents and Settings\\Administrator\\Application Data\\Mozilla\\Firefox\\Profiles.*
113	+ Delete C:\\Program Files\\Mozilla Firefox\\firefox\.exe C:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Mozilla\\Firefox\\Profiles.*
114	+ Write C:\\Program Files\\Mozilla Firefox\\firefox\.exe C:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Mozilla\\Firefox\\Profiles.*
115	+ Delete C:\\Program Files\\Mozilla Firefox\\firefox\.exe C:\\Documents and Settings\\Administrator\\Application Data\\Talkback\\MozillaOrg\Firefox2\\Win32.*
116	+ Write C:\\Program Files\\Mozilla Firefox\\firefox\.exe C:\\Documents and Settings\\Administrator\\Application Data\\Talkback\\MozillaOrg\Firefox2\\Win32.*
117	+ Delete C:\\Program Files\\Mozilla Firefox\\firefox\.exe C:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Mozilla\\Firefox\\Mozilla Firefox.*
118	+ Write C:\\Program Files\\Mozilla Firefox\\firefox\.exe C:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Mozilla\\Firefox\\Mozilla Firefox.*
119	+ Delete C:\\Program Files\\Mozilla Firefox\\firefox\.exe C:\\Documents and Settings\\Administrator\\Application Data\\Talkback\\MozillaOrg\\Firefox2\\Win32.*
120	+ Write C:\\Program Files\\Mozilla Firefox\\firefox\.exe C:\\Documents and Settings\\Administrator\\Application Data\\Talkback\\MozillaOrg\\Firefox2\\Win32.*
121
122
123	###################################################
124	### Minus List - General Malicious Activity ###
125	###################################################
126	# Alert about executables or scripts that are written to disk
127	- Write .* .+\.bat
128	- Write .* .+\.cmd
129	- Write .* .+\.exe
130	- Write .* .+\.inf
131	- Write .* .+\.lnk
132	- Write .* .+\.msi
133	- Write .* .+\.msp
134	- Write .* .+\.pif
135	- Write .* .+\.reg
136	- Write .* .+\.sct
137	- Write .* .+\.shs
138	- Write .* .+\.scr
139	- Write .* .+\.wsc
140	- Write .* .+\.wsf
141	- Write .* .+\.wsh
142	#commented out for IE because \.com cache files and \.vb script files are very common
143	#- Write .* .+\.vb
144	#- Write .* .+\.com
145	# Alert about modifications to startup locations
146	- Write .* C:\\Documents and Settings\\.+\\Start Menu\\Programs\\Startup.+
147	- Write .* C:\\WINDOWS\\win.ini
148	- Write .* C:\\WINDOWS\\Tasks\\.+
149	#### HONEYCLIENT AUTO EXCLUDE SCRIPT
150	+ Write C:\\cygwin\\bin\\perl\.exe C:\\cygwin\\tmp\\changes\.txt
151	+ Write C:\\Program Files\\Windows Media Player\\setup_wm\.exe C:\\WINDOWS\\wmsetup\.log
152	#### HONEYCLIENT AUTO EXCLUDE SCRIPT
153	+ Delete C:\\Program Files\\Internet Explorer\\iexplore\.exe C:\\WINDOWS\\system32\\Macromed\\Flash\\testUpdate\.txt
154	#### HONEYCLIENT AUTO EXCLUDE SCRIPT
155	+ Delete C:\\WINDOWS\\system32\\defrag\.exe C:\\.*\.tmp
156	+ Write C:\\WINDOWS\\system32\\svchost\.exe C:\\$ReplaceAttribute
157	+ Write C:\\WINDOWS\\system32\\svchost\.exe C:\\$ReplaceAttribute
158	+ Write C:\\WINDOWS\\system32\\wbem\\wmiprvse\.exe E:\\$LogFile
159	+ Write C:\\WINDOWS\\system32\\wbem\\wmiprvse\.exe E:\\$Directory
160	+ Write C:\\WINDOWS\\system32\\wbem\\wmiprvse\.exe E:\\$Mft
161	#### HONEYCLIENT manual
162	+ Write C:\\WINDOWS\\system32\\dwwin\.exe C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\.*
163
164	#### Honeyclient manual add - Windows managment interface
165	+ Delete C:\\WINDOWS\\system32\\wbem\\wmiadap\.exe C:\\WINDOWS\\system32\\wbem\\Performance\\WmiApRpl\.ini
166	+ Delete C:\\WINDOWS\\system32\\wbem\\wmiadap\.exe C:\\WINDOWS\\system32\\wbem\\Performance\\WmiApRpl\.h
167	+ Delete C:\\WINDOWS\\system32\\wbem\\wmiadap\.exe C:\\WINDOWS\\system32\\PerfStringBackup\.TMP

Note: See TracBrowser for help on using the browser.

Download in other formats:

Original Format