Changeset 1511
- Timestamp: 04/10/08 10:47:45
- Files:
honeyclient/trunk/thirdparty/capture-mod/FileMonitor.exl
r1510 r1511 51 51 + Write C:\\WINDOWS\\system32\\services\.exe C:\\WINDOWS\\system32\\config\\SecEvent\.Evt 52 52 #Mapping 53 + Write C:\\WINDOWS\\system32\\svchost\.exe C:\\WINDOWS\\system32\\wbem .*53 + Write C:\\WINDOWS\\system32\\svchost\.exe C:\\WINDOWS\\system32\\wbem\\.+ 54 54 #Cataloging 55 55 + Write C:\\WINDOWS\\system32\\svchost\.exe C:\\WINDOWS\\system32\\CatRoot2\\.+ … … 128 128 ################################################### 129 129 # Alert about executables or scripts that are written to disk 130 #XENO: I recommend commenting out all blacklist entries until this has some way to 131 #deal with the fact that these will always be written to the tmp file if you visit 132 #a link to one of these directly...If we could add whitelist entries back in AFTER 133 #these, pointing at the tmp file dir, signifying that we don't care as long as it 134 #is in that dir, but care about everything else, then this would be usable...but until 135 #then...not so much. 136 #I tested adding a + entry for the temp downloads file after the - entry. It seemed 137 #to work for .vb files, but not .exe files, which is what we care about much more. 130 138 #- Write .* .+\.bat 131 139 #- Write .* .+\.cmd 132 140 #commented out for VMwareService.exe, since it writes .inf files. 133 141 #- Write .* .+\.inf 134 - Write .* .+\.lnk135 - Write .* .+\.msi136 - Write .* .+\.msp137 - Write .* .+\.pif138 - Write .* .+\.reg139 - Write .* .+\.sct140 - Write .* .+\.shs142 #- Write .* .+\.lnk 143 #- Write .* .+\.msi 144 #- Write .* .+\.msp 145 #- Write .* .+\.pif 146 #- Write .* .+\.reg 147 #- Write .* .+\.sct 148 #- Write .* .+\.shs 141 149 #commented out for sites that download \.scr into the temp files folder. 
142 150 #- Write .* .+\.scr 143 - Write .* .+\.wsc144 - Write .* .+\.wsf145 - Write .* .+\.wsh151 #- Write .* .+\.wsc 152 #- Write .* .+\.wsf 153 #- Write .* .+\.wsh 146 154 #commented out for IE because \.com cache files and \.vb script files are very common 147 #- Write .* .+\.vb155 - Write .* .+\.vb 148 156 #- Write .* .+\.com 149 #commented out for IE because \.exe downloads to the cache dir are very common 150 # TODO: This is a bug that needs to be resolved. 157 #commented out for IE because .exe downloads to the cache dir are very common 151 158 #- Write .* .+\.exe 152 159 # Alert about modifications to startup locations … … 261 268 + Write C:\\WINDOWS\\system32\\svchost\.exe C:\\WINDOWS\\SoftwareDistribution\\DataStore\\Logs 262 269 + Write C:\\WINDOWS\\system32\\svchost\.exe C:\\WINDOWS\\system32 263 + Write C:\\WINDOWS\\system32\\svchost\.exe C:\\WINDOWS\\system32\\config264 270 + Write C:\\WINDOWS\\system32\\svchost\.exe C:\\WINDOWS\\repair 265 271 + Write C:\\WINDOWS\\system32\\svchost\.exe C:\\WINDOWS\\SoftwareDistribution 266 + Write C:\\WINDOWS\\system32\\svchost\.exe C:\\WINDOWS\\SoftwareDistribution\\Download267 + Write C:\\WINDOWS\\system32\\svchost\.exe C:\\WINDOWS\\SoftwareDistribution\\Download.*268 + Delete C:\\WINDOWS\\system32\\svchost\.exe C:\\WINDOWS\\SoftwareDistribution\\Download.*269 272 + Write C:\\WINDOWS\\system32\\svchost\.exe C:\\Documents and Settings\\Administrator\\Cookies 270 273 + Write C:\\WINDOWS\\system32\\svchost\.exe C:\\Documents and Settings\\Administrator\\Cookies\\index.dat … … 273 276 + Write C:\\WINDOWS\\system32\\WgaTray\.exe C:\\Documents and Settings\\.+\\Local Settings\\History\\History.IE5.* 274 277 + Delete C:\\WINDOWS\\system32\\WgaTray\.exe C:\\Documents and Settings\\.+\\Local Settings\\History\\History.IE5.* 275 + Write C:\\WINDOWS\\system32\\svchost\.exe C:\\cygwin .*278 + Write C:\\WINDOWS\\system32\\svchost\.exe C:\\cygwin\\.* 276 279 + Write C:\\WINDOWS\\system32\\svchost\.exe C:\\Documents and 
Settings\\Administrator\\Desktop 277 280 + Write C:\\WINDOWS\\system32\\svchost\.exe C:\\Documents and Settings\\Administrator\\Desktop\\%USERPROFILE%\\Local Settings\\Application Data\\Microsoft\\Feeds Cache … … 297 300 + Delete C:\\WINDOWS\\system32\\svchost\.exe C:\\Documents and Settings\\.+\\Cookies\\index.dat 298 301 + Write C:\\WINDOWS\\system32\\svchost\.exe C:\\WINDOWS\\WinSxS\\Policies\\.* 299 + Write C:\\WINDOWS\\system32\\svchost\.exe C:\\WINDOWS\\WinSxS300 302 + Write C:\\WINDOWS\\system32\\svchost\.exe C:\\ 301 + Write C:\\WINDOWS\\system32\\svchost\.exe C:\\WINDOWS\\Temp\\WGANotify\.settings302 + Write C:\\WINDOWS\\system32\\svchost\.exe C:\\WINDOWS\\system32\\config303 + Write C:\\WINDOWS\\system32\\svchost\.exe C:\\Documents and Settings\\.+\\Application Data\\.+304 + Delete C:\\WINDOWS\\system32\\svchost\.exe C:\\Documents and Settings\\.+\\Application Data\\.+305 + Write C:\\WINDOWS\\system32\\svchost\.exe C:\\Documents and Settings\\.+\\Application Data\\Microsoft\\CryptnetUrlCache.*306 + Write C:\\WINDOWS\\system32\\svchost\.exe C:\\Documents and Settings\\All Users
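Review bot: In the first hunk (lines 51-55) the old entry `+ Write C:\\WINDOWS\\system32\\svchost\.exe C:\\WINDOWS\\system32\\wbem .*` has a space between `wbem` and `.*`, so with whitespace-separated fields the path regex ended at `wbem` and the `.*` was a stray trailing token; the replacement `wbem\\.+` is what was intended, and the same defect is fixed later for `C:\\cygwin .*`. Worth a pass over the rest of the file for other `<path> .*` entries. Note also that the corrected entry whitelists every write svchost.exe makes anywhere beneath `wbem`, which includes the WMI repository, so a payload persisted there through the WMI service will never alert; if the legitimate churn is confined to a subdirectory, narrow the pattern to it, and replace the bare `#Mapping` label with a comment saying which service's writes the entry covers.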
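Review bot: In the second hunk (lines 128-159) line 155 now enables `- Write .* .+\.vb`, but the comment kept at 154, "commented out for IE because \.com cache files and \.vb script files are very common", still says the opposite; update it to say why `.vb` is blacklisted now (the note at 136-137 reports that a `+` entry for the temp download directory placed after the `-` entry worked for `.vb`). Commenting out the `.lnk`, `.msi`, `.msp`, `.pif`, `.reg`, `.sct`, `.shs`, `.wsc`, `.wsf` and `.wsh` entries silently drops alerting on a large set of dropper and script-host formats; rather than disabling them, keep the `-` entries and follow each with the `+` temp-directory whitelist the comment at 130-135 proposes, and record in the comment which extensions that trick has been verified on. The removed `# TODO: This is a bug that needs to be resolved.` at old line 150 was the only tracker for the `.exe` case that the new note says still does not work; keep a TODO there until it does.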
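Review bot: In the third hunk (lines 261-280) dropping `+ Write C:\\WINDOWS\\system32\\svchost\.exe C:\\WINDOWS\\system32\\config` (old line 263) is the right call, since svchost.exe writing into the hive directory is exactly what should alert, but dropping both the Write and Delete entries for `C:\\WINDOWS\\SoftwareDistribution\\Download.*` (old lines 266-268) will make ordinary Windows Update download churn alert unless Automatic Updates is disabled on the honeyclient image; add a comment stating which of the two is assumed. The unchanged context line at 277/280, `...\\Administrator\\Desktop\\%USERPROFILE%\\Local Settings\\Application Data\\Microsoft\\Feeds Cache`, embeds a literal `%USERPROFILE%` in the middle of the path and can never match a real file; it should be `C:\\Documents and Settings\\.+\\Local Settings\\Application Data\\Microsoft\\Feeds Cache.*` or be removed.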
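Review bot: In the fourth hunk (lines 297-306) removing the blanket `+ Write`/`+ Delete ... C:\\Documents and Settings\\.+\\Application Data\\.+` entries (old lines 303-304) is the right direction, as that pair whitelisted svchost.exe writing anything into every user's profile, but old line 305, `+ Write C:\\WINDOWS\\system32\\svchost\.exe C:\\Documents and Settings\\.+\\Application Data\\Microsoft\\CryptnetUrlCache.*`, is removed with them; keep that narrower entry, since the cryptographic services host writes its CRL and certificate cache there during normal HTTPS browsing and every such visit will now alert. Removing the exact-directory `C:\\WINDOWS\\WinSxS` entry at old line 299 while keeping `WinSxS\\Policies\\.*` is consistent with the narrowing. The removed line at old 306 is cut off at the end of the page, so the review does not cover it.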
