From cdaa5ef3a641bda080b22671a0097e9b6fd9d649 Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Thu, 15 Oct 2020 16:13:22 -0300
Subject: [PATCH] Update av_relevant_files.yml

---
 rules/windows/malware/av_relevant_files.yml | 54 +++++++++++----------
 1 file changed, 28 insertions(+), 26 deletions(-)

diff --git a/rules/windows/malware/av_relevant_files.yml b/rules/windows/malware/av_relevant_files.yml
index 747bd494a..f36bbe501 100644
--- a/rules/windows/malware/av_relevant_files.yml
+++ b/rules/windows/malware/av_relevant_files.yml
@@ -10,32 +10,34 @@ logsource:
 product: antivirus
 detection:
 selection:
- FileName:
- - 'C:\Windows\Temp\\*'
- - 'C:\Temp\\*'
- - '*\\Client\\*'
- - 'C:\PerfLogs\\*'
- - 'C:\Users\Public\\*'
- - 'C:\Users\Default\\*'
- - '*.ps1'
- - '*.vbs'
- - '*.bat'
- - '*.chm'
- - '*.xml'
- - '*.txt'
- - '*.jsp'
- - '*.jspx'
- - '*.asp'
- - '*.aspx'
- - '*.php'
- - '*.war'
- - '*.hta'
- - '*.lnk'
- - '*.scf'
- - '*.sct'
- - '*.vbe'
- - '*.wsf'
- - '*.wsh'
+ FileName|startswith:
+ - 'C:\Windows\Temp\\'
+ - 'C:\Temp\\'
+ - 'C:\PerfLogs\\'
+ - 'C:\Users\Public\\'
+ - 'C:\Users\Default\\'
+ Filename|contains:
+ - '\\Client\\'
+ Filename|endswith:
+ - '.ps1'
+ - '.vbs'
+ - '.bat'
+ - '.chm'
+ - '.xml'
+ - '.txt'
+ - '.jsp'
+ - '.jspx'
+ - '.asp'
+ - '.aspx'
+ - '.php'
+ - '.war'
+ - '.hta'
+ - '.lnk'
+ - '.scf'
+ - '.sct'
+ - '.vbe'
+ - '.wsf'
+ - '.wsh'
 condition: selection
 fields:
 - Signature
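Review bot: Splitting the single `FileName` list into `FileName|startswith`, `Filename|contains` and `Filename|endswith` inside the one `selection` map turns the match from OR into AND, because Sigma ANDs the keys of a selection map: with `condition: selection` left unchanged, a file now has to start with one of the listed directories, contain `\Client\` and end with one of the listed extensions at the same time, so almost none of the detections the old wildcard list produced will fire. Each modifier group belongs in its own selection, combined with `condition: 1 of selection_*` as in the rewrite below. The new keys also spell the field two ways, `FileName` on the startswith key and `Filename` on the other two; backend field mappings are typically looked up case-sensitively, so all three should keep the original `FileName`. The rule header (title, id, status, description) sits above this hunk and is not visible here.
```yaml
detection:
    selection_path:
        FileName|startswith:
            - 'C:\Windows\Temp\\'
            - 'C:\Temp\\'
            - 'C:\PerfLogs\\'
            - 'C:\Users\Public\\'
            - 'C:\Users\Default\\'
    selection_client:
        FileName|contains: '\\Client\\'
    selection_ext:
        FileName|endswith:
            - '.ps1'
            # … unchanged: remaining extensions from .vbs through .wsh …
    condition: 1 of selection_*
```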