-
Notifications
You must be signed in to change notification settings - Fork 90
/
CUSTOM_PATH_TEMPLATE.txt
177 lines (166 loc) · 6.38 KB
/
CUSTOM_PATH_TEMPLATE.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
#===========================================#
# CyLR Custom File Path Collection Template #
#===========================================#
#
# This file contains example methods for specifying file or folder paths to
# collect with CyLR.
#
#################
# General Usage #
#################
#
# CyLR contains default paths per-operating system that it will collect if you
# do not specify this file. This file allows you to replace or extend the
# default collection capability of CyLR.
#
# To configure CyLR to only collect the paths specified in this file, you can
# provide this file at execution time as `CyLR.exe -c custom.txt` (where
# custom.txt is this file's name and relative location). If you would like to
# collect both default and custom items, you can accomplish this with `-d` in
# place of `-c`. If you only want to collect default items, you can omit either
# argument.
#
###################################
# Specifying custom path patterns #
###################################
#
# This configuration file supports comments, meaning lines with a leading `#`
# are ignored and not evaluated further; this is for the purpose of custom file
# documentation, such as in this file, and for your own documentation as you
# build out custom configurations for collections.
#
# When specifying a file or folder path to collect, you will want to use the
# format of:
# {pattern_type} {file_or_folder_path}
#
# This format specifies the pattern type and target folder or file path,
# delimited by a tab character. *Please be sure to validate that the delimiter
# is a tab character and not a series of space characters.*
#
# *Please note distinction between file and folder pattern support.*
#
# There are four supported pattern types:
# * static -> Full path specification to a specific file
# * glob -> Supports glob patterns for collection, such as `/path/**` or
# `/Users/*/.*history`. Where possible, this should be used in place
# of regex due to performance. Most common use case is to recursively
# collect a path with a pattern such as `/path/**`.
# * regex -> Support regular expressions in paths.
# * force -> Try to collect a static path even if the path is not found during
# the file system enumeration.
#
# There is no requirements for the file path specified so long as it is tab
# delimited from the pattern type. The file path can contain spaces and special
# characters so long as the dotnet file system library is able to interpret it.
#
# Please note that in order to collect all items in a folder, or recursively on
# a path, you will need to use glob paths. We will dive into more details for
# each of these pattern types below.
#
#***************************#
# * IMPORTANT INFORMATION * #
#***************************#
#
# All patterns (except force) will attempt to match against an enumeration of
# files on a system. This enumeration is performed by an internal function and
# is subject to the permissions granted at runtime. If a discovered path is
# responsive to a pattern, it is added to the collection queue.
#
# The `force` pattern type specifies to attempt collection regardless of
# whether the file is available through enumeration. For this reason, it must
# be a static full path for collection.
#
# All pattern matching is case insensitive.
#
# Please specify the path delimiter for the system targeted. This means "/" for
# UNIX-like systems and "\" for Windows systems.
#
#+++++++++++++++++#
# Static patterns #
#+++++++++++++++++#
#
# This pattern format is the most basic and can be used to collect a single
# file at a known location. This path must be discovered during file system
# enumeration to queue for collection.
#
# Examples:
static C:\Windows\System32\Config\SOFTWARE
static /etc/group
#++++++++++++++++#
# Force patterns #
#++++++++++++++++#
#
# This pattern format is the the same as static, but will add the file to the
# collection queue regardless of whether the file is present in the file system
# enumeration operation.
#
# This is useful for collecting hidden/hard to access artifacts such as
# alternate data streams.
#
# Examples:
force C:\$Extend\$UsnJrnl:$J
#++++++++++++++++#
# Glob patterns #
#++++++++++++++++#
#
# This pattern format is useful for when a basic pattern is needed to collect
# responsive files.
#
# Recursive collections
#
# The most common use case is for collecting files recursively. This is
# achieved through using two sequential asterisk characters at the tail end of
# the path.
#
# Examples:
glob /var/log/**
# Wildcards
#
# Another common use case is the wildcard, specified as a single asterisk
# character within a path segment. This Wildcard will match any character
# except a path delimiter. This means we can specify patterns that match a
# particular file name within any sub directory.
#
# We can also use wildcards to match on parts of a file name within a path
# segment. Some use cases include collecting all files with a particular
# extension or all files with the same name but differing extensions.
#
# Examples:
glob C:\Users\*\NTUser.dat
glob /home/*/.bash_history
glob C:\Users\*\Appdata\Roaming\Microsoft\Windows\Recent\*.lnk
glob /root/.*_history
# Other patterns
#
# Globbing supports more patterns specified here:
# * https://github.com/dazinator/DotNet.Glob/blob/a21476b1078a3b49070bdb4bfde07030739e641d/README.md
#
# You can also combine the patterns into a single line, allowing you to specify
# patterns like those below. While regex may provide a more succinct manner
# to specify the pattern, glob should be favored for performance reasons.
#
# Examples:
glob C:\Windows\Temp\[A-Z][A-Z][A-Z][A-Z]\*.exe
glob C:\ProgramData\[A-Z][A-Z][A-Z][A-Z].exe
glob C:\**\*.docm
glob C:\**\r*.exe
#++++++++++++++++#
# Regex patterns #
#++++++++++++++++#
#
# Allows the specification of advanced patterns for detection. This is the
# slowest method and should be leveraged if pattern functionality available
# through the other options is insufficient.
#
# This supports patterns specified by dotnet's regex implementation, documented
# here:
#
#
# Please note that the patterns are matched as a substring across a full path.
# This means a pattern of `[0-9]{8}` would match on any file system path
# containing eight numbers sequentially. You can leverage `^` to indicate the
# start of a file path, and `$` to denote the end.
#
# Examples:
regex ^C:\ProgramData\[A-Za-z]{8}\[A-Za-z]{5}.exe$
regex [0-9]+.exe