;
; GesWall rule attributes file - assigns rule attributes to objects.
;
; File format:
;
;   Constants
;
;   [Rule1 ID]
;
;   record1
;   record2
;   ...
;   recordN
;
;
;   [Rule2 ID]
;
;   record1
;   record2
;   ...
;   recordM
;
;   ....
;
;--------------------------------------------
; Constant definition:
;
;   ConstantName = Value
;--------------------------------------------
; A rule ID is a 4-symbol identifier of the rule.
;--------------------------------------------
; Record format:
;
;   attr1,attr2,attr3,attr4,attr5 ObjectType DetectionType DetectionString
;--------------------------------------------
; attr1 .. attr5 - rule attributes: decimal numbers or constants defined in the file header.
; All 5 attributes have to be specified; an undefined attribute is left empty but its
; comma is kept (e.g. ",,,modTCB," sets only attr4).
; The meaning of each attribute is not defined here and depends on the rule.
;--------------------------------------------
; ObjectType may be:
;
;   any    - all objects (NOTE: the records in this file spell this "all"; confirm which
;            spelling the parser accepts, otherwise those records never match anything)
;   file   - files, named pipes and devices
;   key    - registry keys
;   device - device object
;--------------------------------------------
; DetectionType defines the meaning of DetectionString and may be:
;
;   n - match by object name; DetectionString is the beginning (prefix) of the object name.
;       Because this is a prefix match, "\Dir\name" also matches "\Dir\nameXYZ"; end the
;       string with a backslash when only a directory's contents are intended.
;   o - match by owner from the security descriptor; DetectionString is the name of a
;       user or group in the format [Domain\]User
;
; A registry key name must begin with HKEY_CLASSES_ROOT, HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE
; or HKEY_USERS (the original list named HKEY_CLASSES_ROOT twice; the fifth root key,
; HKEY_CURRENT_CONFIG, may have been intended - confirm against the parser). Instead of
; CurrentControlSet, the concrete ControlSet001, ControlSet002, ControlSet003 or
; ControlSet004 must be used.
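; Attribute constants. The mod* values are used in attr4 (trust level), the cfl* values in
; attr3 (confidentiality level) by the records below; the exact meaning is rule-defined.
modUndefined = 0
modUntrusted = 1
modThreatPoint = 2
modTrusted = 3
modTCB = 4

cflUndefined = 0
cflLeakSource = 1
cflClassified = 2
cflSecret = 3
cflTopSecret = 4

[GSWL]

; Trust level (attr4): everything under the GesWall redirect store is untrusted.
; The trailing backslash restricts the prefix match to the directory's contents.
,,,modUntrusted, file n %SystemRoot%\geswall\redirect\

; Confidentiality (attr3): the user's Classified folder holds secret data.
,,cflSecret,, file n %USERPROFILE%\My Documents\Classified

; Network transport devices are both leak sources (attr3) and threat points (attr4).
; FIXED: the original wrote "cflLeakSource modThreatPoint" with a space instead of a
; comma, which leaves only four attribute fields; the header requires all five, and the
; other records place cfl* in attr3 and mod* in attr4. Confirm the parser did not also
; accept whitespace as a separator here.
; NOTE(review): these are the XP-era TCP/IP device names; later Windows versions route
; sockets through other device objects (e.g. \Device\Afd) - confirm the target OS.
,,cflLeakSource,modThreatPoint, device n \Device\Tcp
,,cflLeakSource,modThreatPoint, device n \Device\Udp
,,cflLeakSource,modThreatPoint, device n \Device\RawIp
,,cflLeakSource,modThreatPoint, device n \Device\Ip

; Trusted computing base by owner (detection "o").
; ObjectType "all" differs from the "any" keyword described in the file header - confirm
; which spelling the parser accepts; if only "any" is valid these four records are dead.
; NOTE(review): owner-based trust makes every object owned by these accounts TCB, including
; files and keys created by any administrator-level process - review whether that is
; intended, since it widens the TCB well beyond the OS installation.
,,,modTCB, all o Administrators
,,,modTCB, all o System
,,,modTCB, file o Administrator
,,,modTCB, key o Administrator

; Kernel drivers directory is part of the TCB.
; FIXED: "systen32" -> "system32"; with the typo this record never matched anything.
; Matching is by prefix, so "%SystemRoot%\system32\drivers.*" siblings also match;
; append a backslash if only the directory contents are intended.
,,,modTCB, file n %SystemRoot%\system32\drivers

;
; Script engines (attr1 = 1). vbscript.dll and jscript.dll are commented out in the
; original and stay disabled here. Comment lines use ";" like the rest of the file
; (the original used "#" for this heading, which the header does not document).
;
1,,,, file n %CommonProgramFiles%\Microsoft Shared\VBA\VBA6\VBE6.DLL
;1,,,, file n %SystemRoot%\system32\vbscript.dll
;1,,,, file n %SystemRoot%\system32\jscript.dll
1,,,, file n %SystemRoot%\system32\ntvdm.exe

;
; System processes (attr1 = numeric identifier 101..113). Full paths with the ".exe"
; suffix keep the prefix match tight.
;
101,,,, file n %SystemRoot%\system32\services.exe
102,,,, file n %SystemRoot%\system32\svchost.exe
103,,,, file n %SystemRoot%\system32\msdtc.exe
104,,,, file n %SystemRoot%\system32\mstask.exe
105,,,, file n %SystemRoot%\system32\lsass.exe
106,,,, file n %SystemRoot%\system32\winlogon.exe
107,,,, file n %SystemRoot%\explorer.exe
108,,,, file n %SystemRoot%\system32\spoolsv.exe
109,,,, file n %SystemRoot%\system32\userinit.exe
110,,,, file n %SystemRoot%\system32\mmc.exe
111,,,, file n %SystemRoot%\regedit.exe
112,,,, file n %SystemRoot%\system32\regedt32.exe
113,,,, file n %SystemRoot%\system32\taskmgr.exe

;
; Named pipes. attr2 carries the identifier of a process listed above (101 = services.exe,
; 105 = lsass.exe); presumably this ties the pipe to its serving process - the attribute
; meaning is rule-defined, confirm against the GSWL rule.
; NOTE(review): prefix matching means any pipe whose name begins with "ntsvcs" or "lsass"
; (e.g. \Device\NamedPipe\lsassX) also matches; whether that matters depends on what the
; rule grants for these records.
;
,101,,, file n \Device\NamedPipe\ntsvcs
,105,,, file n \Device\NamedPipe\lsass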