Navigation

← Previous Changeset
Next Changeset →

Changeset 1515

Timestamp:

04/11/08 11:18:31 (1 month ago)

Author:

xkovah

Message:

interesting thing with the language bar getting turned on after I did updates…since it happened by itself, it is reasonable to assume it could happen to others, thus I have added the relevant events for the first couple minutes of run time, and will now re-run to see what else comes up

Files:

honeyclient/trunk/thirdparty/capture-mod/FileMonitor.exl (modified) (1 diff)
honeyclient/trunk/thirdparty/capture-mod/ProcessMonitor.exl (modified) (2 diffs)
honeyclient/trunk/thirdparty/capture-mod/RegistryMonitor.exl (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed
: Modified
: Copied
: Moved

honeyclient/trunk/thirdparty/capture-mod/FileMonitor.exl

r1513	r1515
305	305	#No guarantees that the % will be interpreted literally by the regex processing...but this is what it spit out
306	306	+ Write C:\\WINDOWS\\system32\\svchost\.exe C:\\Documents and Settings\\Administrator\\Desktop\\%USERPROFILE%\\UserData\\index\.dat
	307
	308	#### HONEYCLIENT AUTO EXCLUDE SCRIPT
	309	+ Write C:\\WINDOWS\\system32\\lsass\.exe C:\\Documents and Settings\\Administrator\\Application Data\\Microsoft\\Protect\\.*

honeyclient/trunk/thirdparty/capture-mod/ProcessMonitor.exl

r1390	r1515
23	23	### Honeyclient added/specific? ###
24	24	###################################################
25		#FIXME: Xeno - ~~Does specifying a parent process even work? I tried~~
	25	#FIXME: Xeno - specifying a parent process doesn't work - this is a known bug
26	26	+ bash.exe .* C:\\cygwin\\bin\\bash\.exe
27	27	+ perl.exe .* C:\\cygwin\\bin\\perl\.exe
…	…
41	41	#### HONEYCLIENT AUTO EXCLUDE SCRIPT - Internet Explorer 7 Updates
42	42	+ verclsid.exe .* C:\\WINDOWS\\system32\\verclsid.exe
	43	#### HONEYCLIENT AUTO EXCLUDE SCRIPT
	44	#This is related to the language bar...I just installed updates, and it was newly activated
	45	#thus I consider it something valid to add
	46	+ ctfmon.exe .* C:\\WINDOWS\\system32\\ctfmon.exe

honeyclient/trunk/thirdparty/capture-mod/RegistryMonitor.exl

r1514	r1515
363	363	#### HONEYCLIENT AUTO EXCLUDE SCRIPT
364	364	+ SetValueKey C:\\Program Files\\Internet Explorer\\IEXPLORE\.EXE HKCU\\Software\\Microsoft\\Internet Explorer\\International
	365
	366	#### HONEYCLIENT AUTO EXCLUDE SCRIPT
	367	#After installing updates, the language bar was newly activated, these are related to that, and thus seem reasonable to add
	368	+ SetValueKey C:\\WINDOWS\\system32\\ctfmon\.exe HKCU\\Software\\Microsoft\\CTF\\Sapilayr
	369	+ DeleteValueKey C:\\WINDOWS\\system32\\ctfmon\.exe HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
	370	+ SetValueKey C:\\WINDOWS\\system32\\ctfmon\.exe HKCU\\Software\\Microsoft\\CTF\\TIP\\.+\\LanguageProfile\\.*
	371	+ SetValueKey C:\\WINDOWS\\system32\\ctfmon\.exe HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
	372	+ SetValueKey C:\\WINDOWS\\system32\\ctfmon\.exe HKCU\\Software\\Microsoft\\CTF\\LangBar
	373
	374	+ SetValueKey C:\\Program Files\\Internet Explorer\\iexplore\.exe HKCU\\Software\\Microsoft\\Internet Explorer\\SearchScopes\\.*
	375	+ SetValueKey C:\\Program Files\\Internet Explorer\\iexplore\.exe HKCU\\Software\\Microsoft\\Internet Explorer\\LowRegistry\\Extensions\\CmdMapping
	376	+ DeleteValueKey C:\\Program Files\\Internet Explorer\\iexplore\.exe HKCU\\Software\\Microsoft\\Internet Explorer\\SearchUrl
	377	+ SetValueKey C:\\Program Files\\Internet Explorer\\iexplore\.exe HKLM\\SOFTWARE\\Clients\\StartMenuInternet\\IEXPLORE\.EXE\\DefaultIcon
	378	+ SetValueKey C:\\Program Files\\Internet Explorer\\iexplore\.exe HKCU\\Software\\Microsoft\\Internet Explorer\\Toolbar\\WebBrowser
	379	+ DeleteValueKey C:\\Program Files\\Internet Explorer\\iexplore\.exe HKLM\\SOFTWARE\\Microsoft\\Internet Explorer\\Setup\\7\.0
	380	+ SetValueKey C:\\Program Files\\Internet Explorer\\iexplore\.exe HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Cached
	381	+ SetValueKey C:\\Program Files\\Internet Explorer\\iexplore\.exe HKCU\\Software\\Microsoft\\Internet Explorer\\SearchScopes
	382	+ DeleteValueKey C:\\Program Files\\Internet Explorer\\iexplore\.exe HKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components
	383	+ SetValueKey C:\\Program Files\\Internet Explorer\\iexplore\.exe HKCU\\Software\\Microsoft\\Internet Explorer\\Security\\AntiPhishing\\.+\\Smart Screen DAT file
	384	+ DeleteValueKey C:\\Program Files\\Internet Explorer\\iexplore\.exe HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellExecuteHooks
	385
	386	+ SetValueKey C:\\WINDOWS\\explorer\.exe HKCU\\Software\\Microsoft\\CTF\\LangBar
	387
	388	#NOTE: looks like a liketely bug value (translation not getting done)
	389	+ DeleteValueKey C:\\WINDOWS\\system32\\wbem\\wmiprvse\.exe \\REGIS