-
Notifications
You must be signed in to change notification settings - Fork 25
/
regex.txt
87 lines (87 loc) · 7.15 KB
/
regex.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
ALL WINDOWS_FILE ^(?:[abe-z]:) c:
ALL ALL s-1-5-[0-9]{1,2}(?:(?:-[0-9]{10}){3}-[0-9]{3,4})? <user>
ALL ALL [{]?[a-f0-9]{8}-(?:[a-f0-9]{4}-){3}[a-f0-9]{12}[}]? <guid>
ALL ALL c:\\users\\[^\\]*\\ c:\\users\\<user>\\
ALL ALL kb[0-9]{6,7} <knowledge base>
ALL WINDOWS_FILE c:\\_\d{6}_ [msi installer]
CUCKOO WINDOWS_FILE c:\\[a-z]{5,10}\\dll\\[a-z]{6}\.dll$ [cuckoo]
CUCKOO WINDOWS_FILE c:\\[a-z]{5,10}\\bin\\execsc\.[a-z]{3}$ [cuckoo]
ALL ALL c:\\users\\<user>\\appdata\\local\\microsoft\\windows\\wer\\reportqueue\\.*$ [windows error reporting report queue]
ALL WINDOWS_FILE ^(?:c\:\\\$recycle\.bin)($|\\) [recycle bin]$1
ALL WINDOWS_FILE ^(?:c\:\\python27)($|\\) [python]$1
ALL WINDOWS_FILE ^(?:c\:\\program\ files\ \(x86\)\\internet\ explorer)($|\\) [internet explorer x86]$1
ALL WINDOWS_FILE ^(?:c\:\\program\ files\\internet\ explorer)($|\\) [internet explorer]$1
ALL WINDOWS_FILE ^(?:c\:\\program\ files\\microsoft\ office)($|\\) [microsoft office]$1
ALL WINDOWS_FILE ^(?:c\:\\program\ files\\mcafee)($|\\) [mcafee]$1
ALL WINDOWS_FILE ^(?:c\:\\program\ files\\adobe\ reader)($|\\) [adobe reader]$1
ALL WINDOWS_FILE ^(?:c\:\\program\ files\\microsoft\ silverlight)($|\\) [silverlight]$1
ALL WINDOWS_FILE ^(?:c\:\\program\ files\ \(x86\)\\java)($|\\) [java]$1
ALL WINDOWS_FILE ^(?:c\:\\program\ files\ \(x86\)\\adobe)($|\\) [adobe]$1
ALL WINDOWS_FILE ^(?:c\:\\program\ files\\adobe)($|\\) [adobe]$1
ALL WINDOWS_FILE ^(?:c\:\\program\ files\\mozilla\ firefox)($|\\) [firefox]$1
ALL WINDOWS_FILE ^(?:c\:\\program\ files\ \(x86\)\\google\\chrome)($|\\) [chrome]$1
ALL WINDOWS_FILE ^(?:c\:\\program\ files\\google\\chrome)($|\\) [chrome]$1
ALL WINDOWS_FILE ^(?:c\:\\program\ files\ \(x86\)\\microsoft\ office)($|\\) [office]$1
ALL WINDOWS_FILE ^(?:c\:\\program\ files\ \(x86\)\\quicktime)($|\\) [quicktime]$1
ALL WINDOWS_FILE ^(?:c\:\\program\ files\\quicktime)($|\\) [quicktime]$1
ALL WINDOWS_FILE ^(?:c\:\\program\ files\\windows\ media\ player)($|\\) [windows media player]$1
ALL WINDOWS_FILE ^(?:c\:\\program\ files\\common\ files)($|\\) [program files common]$1
ALL WINDOWS_FILE ^(?:c\:\\program\ files)($|\\) [program files]$1
ALL WINDOWS_FILE ^(?:c\:\\program\ files\ \(x86\)\\common\ files)($|\\) [program files common x86]$1
ALL WINDOWS_FILE ^(?:c\:\\program\ files\ \(x86\))($|\\) [program files x86]$1
ALL WINDOWS_FILE ^(?:c\:\\programdata\\microsoft\\windows\\start\ menu\\programs\\startup)($|\\) [startup (common)]$1
ALL WINDOWS_FILE ^(?:c\:\\programdata\\microsoft\\windows\\start\ menu\\programs\\administrative\ tools)($|\\) [admin tools (common)]$1
ALL WINDOWS_FILE ^(?:c\:\\programdata\\microsoft\\windows\\start\ menu)($|\\) [start menu (common)]$1
ALL WINDOWS_FILE ^(?:c\:\\programdata\\microsoft\\windows\\templates)($|\\) [templates (common)]$1
ALL WINDOWS_FILE ^(?:c\:\\programdata)($|\\) [program data]$1
ALL WINDOWS_FILE ^(?:c\:\\perflogs)($|\\) [perf logs]$1
ALL WINDOWS_FILE ^(?:c\:\\recovery)($|\\) [recovery]$1
ALL WINDOWS_FILE ^(?:c\:\\testperms)($|\\) [test perms]$1
ALL WINDOWS_FILE ^(?:c\:\\temp)($|\\) [temp]$1
ALL WINDOWS_FILE ^(?:c\:\\tmp)($|\\) [temp]$1
ALL WINDOWS_FILE ^(?:c\:\\users\\public)($|\\) [public]$1
ALL WINDOWS_FILE ^(?:c\:\\users\\\<user\>\\appdata\\roaming\\microsoft\\windows\\cookies\\low)($|\\) [cookies (low)]$1
ALL WINDOWS_FILE ^(?:c\:\\users\\\<user\>\\appdata\\roaming\\microsoft\\windows\\cookies)($|\\) [cookies]$1
ALL WINDOWS_FILE ^(?:c\:\\users\\\<user\>\\appdata\\roaming\\microsoft\\windows\\start\ menu\\programs\\administrative\ tools)($|\\) [admin tools]$1
ALL WINDOWS_FILE ^(?:c\:\\users\\\<user\>\\appdata\\roaming\\microsoft\\windows\\start\ menu\\programs\\startup)($|\\) [startup]$1
ALL WINDOWS_FILE ^(?:c\:\\users\\\<user\>\\appdata\\roaming\\microsoft\\windows\\start\ menu)($|\\) [start menu]$1
ALL WINDOWS_FILE ^(?:c\:\\users\\\<user\>\\appdata\\roaming\\microsoft\\windows\\templates)($|\\) [templates]$1
ALL WINDOWS_FILE ^(?:c\:\\users\\\<user\>\\appdata\\roaming)($|\\) [appdata]$1
ALL WINDOWS_FILE ^(?:c\:\\users\\\<user\>\\appdata\\local\\temp)($|\\) [temp]$1
ALL WINDOWS_FILE ^(?:c\:\\users\\\<user\>\\appdata\\local)($|\\) [appdata (local)]$1
ALL WINDOWS_FILE ^(?:c\:\\users\\\<user\>\\appdata\\locallow)($|\\) [appdata (local low)]$1
ALL WINDOWS_FILE ^(?:c\:\\users\\\<user\>\\desktop)($|\\) [desktop]$1
ALL WINDOWS_FILE ^(?:c\:\\users\\\<user\>\\documents)($|\\) [documents]$1
ALL WINDOWS_FILE ^(?:c\:\\users)($|\\) [users]$1
ALL WINDOWS_FILE ^(?:c\:\\windows\\serviceprofiles\\networkservice\\appdata\\roaming\\microsoft\\windows\\start\ menu)($|\\) [start menu (network service)]$1
ALL WINDOWS_FILE ^(?:c\:\\windows\\serviceprofiles\\localservice\\appdata\\roaming\\microsoft\\windows\\start\ menu)($|\\) [start menu (local service)]$1
ALL WINDOWS_FILE ^(?:c\:\\windows\\system32\\config\\systemprofile)($|\\) [system profile]$1
ALL WINDOWS_FILE ^(?:c\:\\windows\\syswow64\\config\\systemprofile)($|\\) [system profile x86]$1
ALL WINDOWS_FILE ^(?:c\:\\windows\\fonts)($|\\) [fonts]$1
ALL WINDOWS_FILE ^(?:c\:\\windows\\system)($|\\) [system 16]$1
ALL WINDOWS_FILE ^(?:c\:\\windows\\system32)($|\\) [system]$1
ALL WINDOWS_FILE ^(?:c\:\\windows\\syswow64)($|\\) [system x86]$1
ALL WINDOWS_FILE ^(?:c\:\\windows\\winsxs)($|\\) [winsxs]$1
ALL WINDOWS_FILE ^(?:c\:\\windows)($|\\) [windows]$1
ALL WINDOWS_REGISTRY \\registry\\a [registry (apps)]
ALL WINDOWS_REGISTRY \\registry\\machine\\system\\controlset00\d [control set]
ALL WINDOWS_REGISTRY \\registry\\machine [registry (machine)]
ALL WINDOWS_REGISTRY \\registry\\user\\s-1-5-18 [registry (user)]\\[local system]
ALL WINDOWS_REGISTRY \\registry\\user\\s-1-5-19 [registry (user)]\\[local service]
ALL WINDOWS_REGISTRY \\registry\\user\\s-1-5-20 [registry (user)]\\[network service]
ALL WINDOWS_REGISTRY \\registry\\user\\\.default [registry (user)]\\<user>
ALL WINDOWS_REGISTRY \\registry\\user\\s-1-5-[0-9]{1,2}(?:(?:-[0-9]{10}){3}-[0-9]{3,4})? [registry (user)]\\<user>
ALL WINDOWS_REGISTRY \\registry\\user\\<user> [registry (user)]\\<user>
ALL WINDOWS_REGISTRY \\registry\\user\\nt authority\\local system [registry (user)]\\[local system]
ALL WINDOWS_REGISTRY \\registry\\user\\nt authority\\local service [registry (user)]\\[local service]
ALL WINDOWS_REGISTRY \\registry\\user\\nt authority\\network service [registry (user)]\\[network service]
ALL WINDOWS_REGISTRY \\registry\\user\\[^\\]+\\[^\\]*(_classes|)($|\\) [registry (user)]\\<user>$1$2
ALL WINDOWS_REGISTRY \\registry\\user [registry (user)]
ALL WINDOWS_REGISTRY \\wow6432node
ALL WINDOWS_FILE ^\[program\ data\]\\microsoft\\windows\\wer\\reportqueue($|\\).*$ [program data]\\microsoft\\windows\\wer\\reportqueue\\\\<*>
ALL WINDOWS_REGISTRY ^\[registry\ \(user\)\]\\\<user\>\\software\\classes\\software\\microsoft\\windows\\currentversion\\deployment\\sidebyside($|\\).*$ [registry (user)]\\<user>\\software\\classes\\software\\microsoft\\windows\\currentversion\\deployment\\sidebyside\\\\<*>
ALL WINDOWS_FILE ^\[appdata\ \(local\)\]\\apps($|\\).*$ [appdata (local)]\\apps\\\\<*>
ALL WINDOWS_FILE ^\[windows\]\\microsoft\.net\\framework($|\\).*$ [windows]\\microsoft.net\\framework\\\\<*>
ALL WINDOWS_FILE \[windows\]\\assembly(?:\\.*)*(\\.*$) [windows]\\assembly\\<*>$1
ALL WINDOWS_FILE \[windows\]\\prefetch\\(.*)-.*\.pf$ [windows]\\prefetch\\$1<*>.pf
ALL WINDOWS_FILE \[winsxs\](?:\\.*)*(\\.*$) [winsxs]\\<*>$1