FileItem/DestFileItem
Returns information about the current file.

Property | Type | Description | Example
---|---|---|---
FileNameWithoutExtension | String | Filename without the file extension | C:\windows\system32\notepad.exe -> notepad
Extension | String | The file extension | C:\windows\system32\notepad.exe -> exe
Path | Path | The file path | C:\windows\system32\notepad.exe -> C:\windows\system32\
FullPath | Path | The file path including filename | C:\windows\system32\notepad.exe -> C:\windows\system32\notepad.exe
FileName | String | The filename with the file extension | C:\windows\system32\notepad.exe -> notepad.exe
NameLength | Int | The length of the name | C:\windows\system32\notepad.exe -> 7
ADS | String | The ADS part of the path | C:\windows\system32\notepad.exe:example -> example
isSelf | Bool | Triggers if the operation is done by the file on itself (common for malware to delete itself) | true/false
DestFileItem has the same properties as FileItem and is mostly used in combination with FileItem.
Canary File

Path properties have a special variable for Canary files. The value to specify the path to the Canary file is %CanaryFile%.

```xml
<definition>
  <operations>
    <operation type="WriteFile">
      <condition component="FileItem" property="Path" condition="is" value="%CanaryFile%" />
    </operation>
    <operation type="RenameFile">
      <condition component="FileItem" property="Path" condition="is" value="%CanaryFile%" />
    </operation>
  </operations>
</definition>
```
Supported Operations and their components:

Operation | FileItem | DestFileItem
---|---|---
CodeInjection | X |
CreateNamedPipe | X |
CreateProcess | X |
DeleteFile | X |
LoadDLL | X |
LoadDriver | X |
ModuleDrop | X |
OpenProcess | X |
ReadFile | X |
RenameFile | X | X
SetFileAttribute | X |
TruncateFile | X |
WmiExecution | X |
WriteFile | X |
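The following is an added illustration, not code from the engine or its documentation: it derives the FileItem properties from the table above (including the ADS part and isSelf) and evaluates the Canary File definition against them. The constructed canary path, the `file_item`/`matches` helper names, and the rule that an `is` condition on a Path-typed property (Path, FullPath) is compared case-insensitively against the item's full path are assumptions; the engine's real comparison semantics may differ.

```python
import ntpath
import xml.etree.ElementTree as ET

def file_item(full_path, self_path=None):
    """Derive the FileItem properties listed above from a Windows path."""
    main, ads = full_path, ""
    colon = full_path.find(":", 2)          # skip the drive's own 'C:'
    if colon != -1:                         # the rest is the ADS (stream) name
        main, ads = full_path[:colon], full_path[colon + 1:]
    directory, file_name = ntpath.split(main)
    stem, ext = ntpath.splitext(file_name)
    return {
        "FileNameWithoutExtension": stem,
        "Extension": ext[1:],               # 'exe', not '.exe'
        "Path": directory if directory.endswith("\\") else directory + "\\",
        "FullPath": main,
        "FileName": file_name,
        "NameLength": len(stem),            # notepad.exe -> 7
        "ADS": ads,
        "isSelf": self_path is not None and self_path.lower() == main.lower(),
    }

# Constructed canary location; the real engine substitutes its own for %CanaryFile%.
CANARY_FILE = r"C:\Users\Public\canary.docx"
PATH_TYPED = {"Path", "FullPath"}   # assumption: matched against the item's FullPath

def matches(definition_xml, op_type, items, canary=CANARY_FILE):
    """True when an <operation type=op_type> has every condition satisfied.
    items maps a component name (FileItem/DestFileItem) to a file_item() dict."""
    root = ET.fromstring(definition_xml)
    for op in root.iter("operation"):
        if op.get("type") != op_type:
            continue
        satisfied = True
        for cond in op.findall("condition"):
            item = items.get(cond.get("component"))
            prop = cond.get("property")
            if item is None or prop not in item:
                satisfied = False
                break
            expected = cond.get("value").replace("%CanaryFile%", canary)
            actual = item["FullPath"] if prop in PATH_TYPED else str(item[prop])
            if cond.get("condition") == "is" and actual.lower() != expected.lower():
                satisfied = False
                break
        if satisfied:
            return True
    return False

# The Canary File definition from above, as a string for ET.fromstring().
CANARY_RULE = """<definition><operations>
<operation type="WriteFile"><condition component="FileItem" property="Path" condition="is" value="%CanaryFile%"/></operation>
<operation type="RenameFile"><condition component="FileItem" property="Path" condition="is" value="%CanaryFile%"/></operation>
</operations></definition>"""
```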