Skip to content
Permalink
Branch: master
Find file Copy path
Find file Copy path
2 contributors

Users who have contributed to this file

@LabSekoia @SyBen
41 lines (40 sloc) 1.53 KB
[profiles]
packages=fast
[extension]
random=False
#[env]
#HOMEDRIVE=C:
[dump]
dump=mft,ram,mbr,registry
mft_export=True
[registry]
custom_registry_keys="HKCU\SOFTWARE\Locky"
registry_recursive=False
get_autoruns=True
[output]
type=csv
destination=local
dir=output
[filecatcher]
all_users=True
path=%USERPROFILE%/AppData|*
mime_filter=application/msword;application/octet-stream;application/x-archive;application/x-ms-pe;application/x-ms-dos-executable;application/x-lha;application/x-dosexec;application/x-elc;application/x-executable, statically linked, stripped;application/x-gzip;application/x-object, not stripped;application/x-zip;text/html;text/rtf;text/xml;UTF-8 Unicode HTML document text, with CRLF line terminators;UTF-8 Unicode HTML document text, with very long lines, with CRLF, LF line terminators
mime_zip=application/x-ms-pe;application/x-ms-dos-executable;application/x-dosexec;application/x-executable, statically linked, stripped
compare=AND
size_min=1k
size_max=100M
ext_file=*
zip_ext_file=*
zip=True
limit_days=unlimited
[modules]
pe
yara
[pe]
pe_mime_type=application/x-ms-pe;application/x-ms-dos-executable;application/x-ms-pe;application/x-dosexec;application/x-executable, statically linked, stripped
filtered_certificates=True
cert_filtered_issuer=issuer;O=Microsoft Corporation|Microsoft Time-Stamp PCA|Microsoft Time-Stamp PCA Microsoft Windows Verification PCA
cert_filtered_subject=subject;O=Microsoft Corporation|Microsoft Time-Stamp Service|Microsoft Time-Stamp Service Microsoft Windows
[yara]
filtered_yara=False
dir_rules=yara-rules
You can’t perform that action at this time.