reference-absolute-stream-path-on-windows.yml
rule:
  meta:
    name: reference absolute stream path on Windows
    namespace: host-interaction/file-system
    authors:
      - blas.kojusner@mandiant.com
      - william.ballenthin@mandiant.com
    scope: basic block
    references:
      - https://learn.microsoft.com/en-us/windows/win32/fileio/file-streams
    examples:
      - 51828683DC26BFABD3994494099AE97D:0x11A9
  features:
    - and:
      - string: /^(\\\\\?\\)?([\w]\:|\\)(\\((?![\<\>\"\/\|\*\?\:\\])[\x20-\x5B\x5D-\x7E])+)+\:\$?[a-zA-Z0-9_]+/
      # ^(\\\\\?\\)? -> optional "\\?\" extended-length path prefix
      # ([\w]\:|\\) -> absolute path start: a drive letter followed by ":", or a leading backslash (UNC path)
      # (\\((?![\<\>\"\/\|\*\?\:\\])[\x20-\x5B\x5D-\x7E])+)+ -> one or more path components, each a separator followed by a valid name
      #   \\ -> a single backslash path separator (escaped in the pattern)
      #   (?![\<\>\"\/\|\*\?\:\\]) -> no character of the component may be <, >, ", /, |, *, ?, : or \ (the lookahead is inside the repeated group, so it is checked for every character, not only the first)
      #   [\x20-\x5B\x5D-\x7E] -> every character must be printable ASCII, excluding the backslash separator (\x5C)
      # \: -> the colon that introduces the stream name
      # \$?[a-zA-Z0-9_]+ -> the stream name, optionally prefixed with "$"; nothing after it is checked
      ### Example Matches (backslashes doubled as in the pattern):
      ### \\\\server\\share\\file:stream
      ### \\\\server\\share\\dir.ext\\file.ext:stream
      ### \\\\server\\share\\dir\\file.ext:stream.ext
      ### \\\\?\\C:\\dir1\\dir2\\file:stream
      ### C:\\dir\\file:stream.ext
      ### d:\\myfile.dat:stream1
      ### c:\\string:myfile.dat
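The pattern above, exercised against the rule's own example matches (written with real, single backslashes) plus a few strings that must not match, as an added example that is not part of the capa rule or the capa project. It assumes Python's `re` module evaluates the pattern the same way capa does; `match_ads_path` and `find_ads_references` are illustrative names, and the sample strings are constructed.

```python
import re

# The regex from the capa rule above, with the YAML /.../ delimiters removed.
# Python's re is assumed here to evaluate it the same way capa does.
ADS_PATH_RE = re.compile(
    r"^(\\\\\?\\)?([\w]\:|\\)(\\((?![\<\>\"\/\|\*\?\:\\])[\x20-\x5B\x5D-\x7E])+)+\:\$?[a-zA-Z0-9_]+"
)


def match_ads_path(s: str):
    """Return (file_path, stream_name) if `s` begins with an absolute path that
    names an NTFS alternate data stream, else None.

    The pattern is anchored with ^, so only strings that start with the path
    match (search and match behave the same); trailing text after the stream
    name (e.g. the ".ext" in "C:\\dir\\file:stream.ext") is ignored.
    """
    m = ADS_PATH_RE.search(s)
    if m is None:
        return None
    # The stream name cannot contain ':', so the last colon of the matched
    # text separates the file path from the stream name.
    path, _, stream = m.group(0).rpartition(":")
    return path, stream


def find_ads_references(strings):
    """Run the rule's pattern over a list of extracted strings (as capa would
    see them) and return (original string, file path, stream name) for each hit."""
    hits = []
    for s in strings:
        r = match_ads_path(s)
        if r is not None:
            hits.append((s, r[0], r[1]))
    return hits


# Constructed sample strings: the rule's own example matches plus strings
# that must NOT match, each annotated with the reason.
SAMPLE_STRINGS = [
    r"\\server\share\file:stream",
    r"\\server\share\dir.ext\file.ext:stream",
    r"\\server\share\dir\file.ext:stream.ext",
    r"\\?\C:\dir1\dir2\file:stream",
    r"C:\dir\file:stream.ext",
    r"d:\myfile.dat:stream1",
    r"c:\string:myfile.dat",
    r"C:\Users\bob\notes.txt:$DATA",   # "$"-prefixed stream name
    r"C:\dir\file",                     # no stream part
    "file:stream",                      # relative path, not absolute
    r"C:\dir\fi<le:stream",             # '<' is not allowed in a component
    r"C:file:stream",                   # drive letter without a separator
    r"see C:\dir\file:stream",          # path is not at the start of the string
]

if __name__ == "__main__":
    for s, path, stream in find_ads_references(SAMPLE_STRINGS):
        print(f"{s!r:45} -> path={path!r} stream={stream!r}")
```

Note the last negative case: because of the `^` anchor, a string that merely contains an ADS path (for example a format string or a log message with the path embedded) does not fire the rule; only a string that is the path itself, or begins with it, does.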