{
"FileInstall, .*": "File installation from external source",
"Run, \"?.*\\.exe\"?": "Execution of executable file",
"RegWrite, .*": "Registry modification",
"pwhr := COM_CreateObject\\(\"WinHttp\\.WinHttpRequest\\.5\\.1\"\\)": "HTTP request creation",
"RunAsAdmin\\(\\)": "Attempted privilege escalation",
"download_file_nofreeze\\(.+\\)": "File download",
"sonlandir\\(\".+\"\\)": "Process termination",
"simge_arguman_degis\\(.+, .+\\)": "Shortcut modification",
"DllCall\\(\"LoadLibrary\", \"Str\", \".+\"\\)": "Dynamic library loading",
"Run, sc stop .*": "Service stop command",
"Run, sc delete .*": "Service deletion command",
"COM_GetDefaultEvents": "Access to COM events",
"COM_GetGuidOfName": "GUID retrieval from name",
"COM_GetTypeInfoOfGuid": "Type information retrieval for GUID",
"COM_ConnectObject": "Connection establishment to COM object",
"COM_ScriptControl": "Script execution control",
"RegExMatch\\(.*, \".*\"\\)": "Regular expression usage with dynamic pattern",
"Scripting.Dictionary": "Scripting.Dictionary object usage",
"FileOpen, .+, W": "FileOpen with write mode",
"Send, .+": "Direct keyboard input (Send command)",
"Critical, .+": "Critical section for interrupt prevention",
"WinActivate, .+": "Window activation",
"Process, .+": "Process manipulation (Process command)",
"IfWinActive, .+": "Conditional on whether a window is active (IfWinActive command)",
"SetFormat, .+": "SetFormat function for variable formatting",
"VarSetCapacity, .+": "Memory allocation with VarSetCapacity",
"DetectHiddenWindows, .+": "DetectHiddenWindows function call",
"ControlSend, .+": "Sending control-specific messages (ControlSend command)",
"WinWaitClose, .+": "Waiting for window closure (WinWaitClose command)",
"WinClose, .+": "Force-closing a window (WinClose command)",
"SetEnv, .+": "Setting environment variables (SetEnv command)",
"EnvGet, .+": "Retrieving environment variables (EnvGet command)",
"WinGet, OutputVar, ProcessName, A": "Retrieving process name of active window",
"SplitPath, OutputVar, OutNameNoExt": "Splitting file path to get name without extension",
"Run Taskkill /IM %OutNameNoExt% /F": "Forcibly terminating processes by name",
"Input, Key, L1 B T1 I V": "Capturing keystrokes",
"browse\\.navigate\\(\"http[s]?://[^\"].*\"\\)": "Navigating to URL with potentially sensitive data"
}