Supported environment variables
Use the following variables in rules when you want to match a specific system path. Each variable stands for the corresponding system path of an event on the client machine, and a rule is only evaluated against events whose path is expressed with such a variable. A rule must therefore use the variable that covers the path exactly: c:\windows\system32 and %WINDIR%\system32 will not be matched, but %SYSTEM% will.
Windows
| Variable | Path |
|---|---|
| %SYSTEM% | %SYSTEMDRIVE%\windows\system32\ |
| %WINDIR% | %SYSTEMDRIVE%\windows\ |
| %PROGRAMDATA% | %SYSTEMDRIVE%\programdata\ |
| %PROGRAMFILES% | %SYSTEMDRIVE%\program files\ |
| %PROGRAMFILES(X86)% | %SYSTEMDRIVE%\program files (x86)\ |
| %APPDATA% | %SYSTEMDRIVE%\users\*\appdata\roaming\ |
| %LOCALAPPDATA% | %SYSTEMDRIVE%\users\*\appdata\local\ |
| %HOME% | %SYSTEMDRIVE%\users\*\ |
| %TMP% | %SYSTEMDRIVE%\users\*\appdata\local\temp\ |
| HKCU | REGISTRY ONLY! Computer\HKEY_CURRENT_USER\ |
| HKLM | REGISTRY ONLY! Computer\HKEY_LOCAL_MACHINE\ |
| %RemovableDrive% | Points to a place on any removable drive |
| %RemoteDrive% | Points to a place on any remote drive |
| %CDROM% | Points to a place on any CD-ROM drive |
| %COMMONAPPDATA% | %ALLUSERSPROFILE% |
| %COMMONDESKTOP% | %PUBLIC%\desktop\ |
| %COMMONDOCUMENTS% | %PUBLIC%\documents\ |
| %COMMONPROGRAMS% | %ALLUSERSPROFILE%\microsoft\windows\start menu\programs\ |
| %COMMONSTARTMENU% | %ALLUSERSPROFILE%\microsoft\windows\start menu\ |
| %COMMONSTARTUP% | %ALLUSERSPROFILE%\microsoft\windows\start menu\programs\startup\ |
| %COMMONTEMPLATES% | %ALLUSERSPROFILE%\microsoft\windows\templates\ |
| %COMMONMUSIC% | %PUBLIC%\music\ |
| %COMMONPICTURES% | %PUBLIC%\pictures\ |
| %COMMONVIDEO% | %PUBLIC%\video\ |
| %STARTMENU% | %SYSTEMDRIVE%\users\*\appdata\roaming\microsoft\windows\start menu\ |
| %STARTUP% | %SYSTEMDRIVE%\users\*\appdata\roaming\microsoft\windows\start menu\programs\startup\ |
| %DESKTOP% | %SYSTEMDRIVE%\users\*\desktop\ |
| %LOCALAPPDATALOW% | %SYSTEMDRIVE%\users\*\appdata\locallow\ |
| %TEMP% | %SYSTEMDRIVE%\users\*\appdata\local\temp\ |
| %SYSTEMDRIVE% | usually "C:" |
| %ALLUSERSPROFILE% | = %PROGRAMDATA% = c:\programdata |
| %PUBLIC% | c:\users\public |
| %CANARYFILE% | Path to Canary file |
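The following is an added example, not the product's own resolver: it models the matching behaviour described above for a subset of the Windows table (the dictionary, the longest-prefix rule and the `*` handling are assumptions of the model) and shows why a rule written as `%SYSTEM%` matches a `c:\windows\system32` event while `%WINDIR%\system32` or the literal path does not.

```python
import re

# Constructed subset of the Windows table above; values reference
# %SYSTEMDRIVE% exactly as the table does. Assumption: this is a model of
# the documented behaviour, not the product's own implementation.
WINDOWS_VARS = {
    "%SYSTEMDRIVE%": "c:",
    "%WINDIR%": "%SYSTEMDRIVE%\\windows\\",
    "%SYSTEM%": "%SYSTEMDRIVE%\\windows\\system32\\",
    "%PROGRAMDATA%": "%SYSTEMDRIVE%\\programdata\\",
    "%HOME%": "%SYSTEMDRIVE%\\users\\*\\",
    "%APPDATA%": "%SYSTEMDRIVE%\\users\\*\\appdata\\roaming\\",
    "%LOCALAPPDATA%": "%SYSTEMDRIVE%\\users\\*\\appdata\\local\\",
    "%TEMP%": "%SYSTEMDRIVE%\\users\\*\\appdata\\local\\temp\\",
}

_VAR = re.compile(r"%[A-Z0-9()]+%")


def expand(path: str) -> str:
    """Substitute nested variables until the path is literal."""
    prev = None
    while prev != path:
        prev = path
        path = _VAR.sub(lambda m: WINDOWS_VARS.get(m.group(0), m.group(0)), path)
    return path


def _prefix_regex(var: str) -> re.Pattern:
    """Regex for a variable's expanded prefix; '*' matches one path segment."""
    parts = expand(WINDOWS_VARS[var]).rstrip("\\").split("*")
    return re.compile(r"[^\\]+".join(re.escape(p) for p in parts), re.IGNORECASE)


_PREFIX = {v: _prefix_regex(v) for v in WINDOWS_VARS}
# Most specific (longest expanded) prefix first: %SYSTEM% before %WINDIR%,
# %TEMP% before %LOCALAPPDATA% before %HOME%.
_ORDERED = sorted(WINDOWS_VARS, key=lambda v: -len(expand(WINDOWS_VARS[v])))


def normalize(event_path: str) -> str:
    """Rewrite an event path with the most specific variable covering it."""
    for var in _ORDERED:
        m = _PREFIX[var].match(event_path)
        if m and (m.end() == len(event_path) or event_path[m.end()] == "\\"):
            return var + event_path[m.end():]
    return event_path  # no variable covers it, e.g. another drive


def rule_matches(rule_path: str, event_path: str) -> bool:
    """A rule matches only when written with the variable the event resolves to."""
    return rule_path.lower() == normalize(event_path).lower()
```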
Apple
| Variable | Path |
|---|---|
| %APPLICATIONS% | /applications/ |
| %COMMONSTARTUPADMIN% | /library/startupitems/ |
| %COMMONSTARTUPOS% | /system/library/startupitems/ |
| %DESKTOPMAC% | ~/desktop/ |
| %DOCUMENTSMAC% | ~/documents/ |
| %DOWNLOADSMAC% | ~/downloads/ |
| %HOMEMAC% | ~/ |
| %LIBRARY% | /library/ |
| %LIBRARYAPPSUPPORT% | /library/application support/ |
| %LIBRARYEXTENSIONS% | /library/extensions/ |
| %LIBRARYKEYCHAINS% | /library/keychains/ |
| %LIBRARYPREFERENCES% | /library/preferences/ |
| %VOLUMES% | /volumes/ |
| %MOVIES% | ~/movies/ |
| %MUSICMAC% | ~/music/ |
| %NET% | /net/ |
| %PICTURESMAC% | ~/pictures/ |
| %PROCSTARTBOOTBYADMIN% | /library/launchdaemons/ |
| %PROCSTARTBOOTBYOS% | /system/library/launchdaemons/ |
| %PROCSTARTUSERBYADMIN% | /library/launchagents/ |
| %PROCSTARTUSERBYOS% | /system/library/launchagents/ |
| %PROCSTARTUSERBYUSER% | ~/library/launchagents/ |
| %PUBLIC% | ~/public/ |
| %SYSTEMLIBRARY% | /system/library/ |
| %SYSTEMLIBRARYEXTENSIONS% | /system/library/extensions/ |
| %SYSTEMLIBRARYPREFERENCES% | /system/library/preferences/ |
| %TMPMAC% | /tmp/ |
| %TMPDIRVAR% | /var/folders and /private/var/folders |
| %TMPLIBRARY% | /library/caches/ |
| %TMPLOCALLIBRARY% | ~/library/caches/ |
| %TMPPRIVATE% | /private/tmp/ |
| %USERLIBRARY% | ~/library/ |
| %USERLIBRARYAPPSUPPORT% | ~/library/application support/ |
| %USERLIBRARYKEYCHAINS% | ~/library/keychains/ |
| %USERLIBRARYPREFERENCES% | ~/library/preferences/ |
| %USERSMAC% | /users/ |
Linux
| Variable | Path |
|---|---|
| %DESKTOPLINUX% | ~/Desktop/ |
| %DOCUMENTSLINUX% | ~/Documents/ |
| %DOWNLOADSLINUX% | ~/Downloads/ |
| %HOMELINUX% | ~/ |
| %VOLUMESLINUX% | /mnt/ or /media/username/ |
| %TMPLINUX% | /tmp/ |
| %CRON% | /etc/crontab |
| %CRONHOURLY% | /etc/cron.hourly/ |
| %CRONDAILY% | /etc/cron.hourly/ |
| %CRONWEEKLY% | /etc/cron.hourly/ |
| %ETCSYSTEMD% | /etc/systemd/ |
| %LIBSYSTEMD% | /lib/systemd/ |
| %USRLIBSYSTEMD% | /usr/lib/systemd/ |
| %RUNSYSTEMD% | /run/systemd/ |
Example of use
<process> |