Changeset 1517
- Timestamp: 04/14/08 08:44:32 (1 month ago)
honeyclient/trunk/thirdparty/capture-mod/FileMonitor.exl
r1515 r1517 51 51 + Write C:\\WINDOWS\\system32\\services\.exe C:\\WINDOWS\\system32\\config\\SecEvent\.Evt 52 52 #Mapping 53 + Write C:\\WINDOWS\\system32\\svchost\.exe C:\\WINDOWS\\system32\\wbem \\.+53 + Write C:\\WINDOWS\\system32\\svchost\.exe C:\\WINDOWS\\system32\\wbem.* 54 54 #Cataloging 55 55 + Write C:\\WINDOWS\\system32\\svchost\.exe C:\\WINDOWS\\system32\\CatRoot2\\.+ … … 153 153 #- Write .* .+\.wsh 154 154 #commented out for IE because \.com cache files and \.vb script files are very common 155 - Write .* .+\.vb155 #- Write .* .+\.vb 156 156 #- Write .* .+\.com 157 157 #commented out for IE because .exe downloads to the cache dir are very common … … 276 276 + Write C:\\WINDOWS\\system32\\WgaTray\.exe C:\\Documents and Settings\\.+\\Local Settings\\History\\History.IE5.* 277 277 + Delete C:\\WINDOWS\\system32\\WgaTray\.exe C:\\Documents and Settings\\.+\\Local Settings\\History\\History.IE5.* 278 + Write C:\\WINDOWS\\system32\\svchost\.exe C:\\cygwin \\.*278 + Write C:\\WINDOWS\\system32\\svchost\.exe C:\\cygwin.* 279 279 + Write C:\\WINDOWS\\system32\\svchost\.exe C:\\Documents and Settings\\Administrator\\Desktop 280 280 + Write C:\\WINDOWS\\system32\\svchost\.exe C:\\Documents and Settings\\Administrator\\Desktop\\%USERPROFILE%\\Local Settings\\Application Data\\Microsoft\\Feeds Cache … … 308 308 #### HONEYCLIENT AUTO EXCLUDE SCRIPT 309 309 + Write C:\\WINDOWS\\system32\\lsass\.exe C:\\Documents and Settings\\Administrator\\Application Data\\Microsoft\\Protect\\.* 310 311 312 ###Stuff that got accidentally removed in r 1511 313 314 + Write C:\\WINDOWS\\system32\\svchost\.exe C:\\WINDOWS\\Temp\\WGANotify\.settings 315 + Write C:\\WINDOWS\\system32\\svchost\.exe C:\\WINDOWS\\system32\\config 316 + Write C:\\WINDOWS\\system32\\svchost\.exe C:\\Documents and Settings\\.+\\Application Data\\.+ 317 + Delete C:\\WINDOWS\\system32\\svchost\.exe C:\\Documents and Settings\\.+\\Application Data\\.+ 318 + Write C:\\WINDOWS\\system32\\svchost\.exe C:\\Documents 
and Settings\\.+\\Application Data\\Microsoft\\CryptnetUrlCache.* 319 + Write C:\\WINDOWS\\system32\\svchost\.exe C:\\Documents and Settings\\All Users 320 + Write C:\\WINDOWS\\system32\\svchost\.exe C:\\WINDOWS\\SoftwareDistribution\\Download 321 + Write C:\\WINDOWS\\system32\\svchost\.exe C:\\WINDOWS\\SoftwareDistribution\\Download.* 322 + Delete C:\\WINDOWS\\system32\\svchost\.exe C:\\WINDOWS\\SoftwareDistribution\\Download.*
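
Review bot: At new line 53 the svchost.exe write exclusion loses its path separator: "wbem\\.+" becomes "wbem.*", so the pattern now covers any path under system32 whose name merely begins with "wbem", not only the wbem directory and its contents. If the goal is to also allow writes to the directory entry itself, a pattern such as "C:\\WINDOWS\\system32\\wbem(\\.*)?" (assuming the list's regex syntax supports optional groups) would do that without widening the match to sibling names.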
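
Review bot: At line 155 the rule "- Write .* .+\.vb" is commented out, but its process field is ".*", so this drops the rule for every process even though the comment on line 154 gives IE cache noise as the reason. Consider keeping the rule active and adding a narrower "+" entry scoped to the IE process and its cache directory instead, so .vb writes by other processes are still reported. The same applies to the already commented ".+\.com" rule on line 156.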
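
Review bot: At new line 278 "C:\\cygwin\\.*" becomes "C:\\cygwin.*", which removes the directory boundary, so the svchost.exe write exclusion now matches any path on C: that starts with "cygwin" rather than only C:\cygwin and what is beneath it. If writes to the directory entry itself need to be allowed, add a separate exact entry for "C:\\cygwin" next to the original "C:\\cygwin\\.*" line rather than loosening the prefix.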
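
Review bot: In the block restored at lines 314-322, the Write and Delete entries for "C:\\Documents and Settings\\.+\\Application Data\\.+" (lines 316-317) exclude every svchost.exe write or delete under any user's Application Data, which is very broad and already subsumes the CryptnetUrlCache entry on line 318. It would be safer to list the specific subdirectories that were observed and drop the catch-all. Lines 320 and 321 also overlap ("Download" and "Download.*"), and the header comment on line 312 should say which entries came from r1511 so they can be audited against that revision.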
