FastIR.conf.sample
# FastIR.conf.sample - sample configuration for the FastIR collector.
# NOTE(review): the reader is presumably Python configparser with interpolation
# disabled and allow_no_value enabled (a bare % in [filecatcher] path and the
# value-less keys under [modules] only load that way) - confirm against the loader.
# Conventions used in this file: no spaces around '=', full-line '#' comments only,
# True/False booleans, ';' separates items inside MIME lists, '|' separates
# alternatives, ',' separates dump targets. Do not add inline comments: text after
# a value would become part of the value.
[profiles]
# Collection profile to run; the sample uses the 'fast' package.
packages=fast
[extension]
# Boolean switch whose meaning belongs to the application - TODO confirm.
random=False
# The env section below is shipped disabled. Uncommenting both lines overrides
# the HOMEDRIVE variable seen by the collector (assumed from the key name - verify).
#[env]
#HOMEDRIVE=C:
[dump]
# Comma-separated raw artefacts to acquire: mft, ram, mbr, registry.
# 'ram' implies a physical-memory capture, which will contain credentials and
# other secrets in clear; size and protect the output location accordingly.
dump=mft,ram,mbr,registry
# Also export the MFT alongside the raw dump.
mft_export=True
[registry]
# Additional registry key(s) to collect. The sample points at a key used by the
# Locky ransomware family, i.e. a persistence/indicator location to look for.
# NOTE(review): configparser keeps the surrounding double quotes as part of the
# value - confirm the reader strips them, otherwise the path will not resolve.
custom_registry_keys="HKCU\SOFTWARE\Locky"
# Recurse into subkeys of custom_registry_keys.
registry_recursive=False
# Collect autorun (persistence) locations.
get_autoruns=True
[output]
# Output format.
type=csv
# Where results go; 'local' writes under 'dir'. Relative paths presumably resolve
# against the working directory - TODO confirm.
destination=local
dir=output
[filecatcher]
# Scan every user profile on the host, not only the current user.
all_users=True
# Root to scan and file pattern, separated by '|'. A bare '%' raises under
# configparser's default BasicInterpolation, so the loader must disable
# interpolation (or expand the environment variable itself) - confirm.
path=%USERPROFILE%/AppData|*
# ';'-separated MIME types to catch. Relies on inline comments being disabled in
# the reader; otherwise everything after the first ';' would be lost.
mime_filter=application/msword;application/octet-stream;application/x-archive;application/x-ms-pe;application/x-ms-dos-executable;application/x-lha;application/x-dosexec;application/x-elc;application/x-executable, statically linked, stripped;application/x-gzip;application/x-object, not stripped;application/x-zip;text/html;text/rtf;text/xml;UTF-8 Unicode HTML document text, with CRLF line terminators;UTF-8 Unicode HTML document text, with very long lines, with CRLF, LF line terminators
# Subset of mime_filter (executables) that is zipped instead of copied as-is,
# inferred from the key name and zip=True below - verify.
mime_zip=application/x-ms-pe;application/x-ms-dos-executable;application/x-dosexec;application/x-executable, statically linked, stripped
# How the filters above are combined; the sample uses AND.
compare=AND
# Size bounds with k/M suffixes; suffix parsing is done by the application, not the parser.
size_min=1k
size_max=100M
# Extension filters; '*' matches any extension.
ext_file=*
zip_ext_file=*
# Zip caught files so that live binaries are not stored unpacked in the output.
zip=True
# Modification-age cut-off in days; 'unlimited' disables it (assumed - confirm).
limit_days=unlimited
[modules]
# One module name per line, with no value. Requires allow_no_value in the reader.
pe
yara
[pe]
# ';'-separated MIME types treated as PE files by the pe module.
# NOTE(review): application/x-ms-pe is listed twice; redundant but harmless.
pe_mime_type=application/x-ms-pe;application/x-ms-dos-executable;application/x-ms-pe;application/x-dosexec;application/x-executable, statically linked, stripped
# When True, PE files whose signing certificate matches the filters below are
# filtered out, so known Microsoft-signed binaries are not reported (inferred
# from the key names - confirm).
filtered_certificates=True
# Format appears to be <field>;<value>|<value>... with '|' separating accepted
# values - confirm against the pe module.
cert_filtered_issuer=issuer;O=Microsoft Corporation|Microsoft Time-Stamp PCA|Microsoft Time-Stamp PCA Microsoft Windows Verification PCA
cert_filtered_subject=subject;O=Microsoft Corporation|Microsoft Time-Stamp Service|Microsoft Time-Stamp Service Microsoft Windows
[yara]
# Boolean switch for the yara module; exact semantics belong to the application - TODO confirm.
filtered_yara=False
# Directory holding the YARA rules to scan with.
dir_rules=yara-rules