FileItem
Returns information about the file involved in the current operation. Each property can be used in a condition (component="FileItem") of the operation types listed below.

| Property | Type | Description | Example |
|---|---|---|---|
| ADS | String | The alternate data stream (ADS) part of the path, i.e. the text after the colon that follows the file name | `C:\windows\system32\notepad.exe:example` -> `example` |
| Extension | String | The file extension, without the leading dot | `C:\windows\system32\notepad.exe` -> `exe` |
| FileName | String | The file name including its extension | `C:\windows\system32\notepad.exe` -> `notepad.exe` |
| FileNameWithoutExtension | String | The file name without its extension | `C:\windows\system32\notepad.exe` -> `notepad` |
| FullPath | Path | The full path: directory plus file name | `C:\windows\system32\notepad.exe` -> `C:\windows\system32\notepad.exe` |
| NameLength | Int | Length, in characters, of the file name without its extension (not of the full path) | `C:\windows\system32\notepad.exe` -> `7` |
| Path | Path | The directory part of the path, with its trailing backslash | `C:\windows\system32\notepad.exe` -> `C:\windows\system32\` |
| isSelf | Bool | True when the operation is performed by the file on itself, i.e. the acting process targets its own image file (malware commonly deletes its own executable this way) | `true` / `false` |
Canary File
Path-typed properties accept a special placeholder for canary files: use the value %CanaryFile% to refer to the path of the configured canary file. The following rule raises on any write to the canary file:

```xml
<definition>
  <operations>
    <operation type="WriteFile">
      <condition component="FileItem" property="Path" condition="is" value="%CanaryFile%" />
    </operation>
  </operations>
</definition>
```
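As an added illustration (this is example code, not the product's own engine or rule syntax), the following Python models how the properties in the table are derived from a Windows path and how a condition such as the canary rule above is evaluated. Everything the table does not state is an assumption made for the model: that the ADS is split off before the other properties are computed, that isSelf is decided by comparing the target with the acting process's image path, that Path values compare case-insensitively, that several conditions in one operation are ANDed, and that %CanaryFile% expands to the canary file's full path. The sample paths and rules are constructed.

```python
"""Illustrative model of FileItem property derivation and condition evaluation.

Added example code, not the product's engine. Sample paths are constructed;
behaviours not stated in the property table are marked as assumptions.
"""
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class FileItem:
    ADS: str
    Extension: str
    FileName: str
    FileNameWithoutExtension: str
    FullPath: str
    NameLength: int
    Path: str
    isSelf: bool


def file_item(target: str, actor_image: str = "") -> FileItem:
    """Derive the FileItem properties for the file path `target`.

    `actor_image` (assumption: the image path of the process performing the
    operation) is compared with `target` to decide isSelf.
    """
    # Assumption: the ADS is the text after the colon that follows the file
    # name, and it is removed before the remaining properties are computed.
    drive, rest = ntpath.splitdrive(target)
    ads = ""
    if ":" in rest:
        rest, ads = rest.split(":", 1)
    base = drive + rest
    directory, filename = ntpath.split(base)
    stem, ext = ntpath.splitext(filename)
    return FileItem(
        ADS=ads,
        Extension=ext.lstrip("."),  # "exe", without the leading dot
        FileName=filename,
        FileNameWithoutExtension=stem,
        FullPath=base,
        NameLength=len(stem),  # "notepad" -> 7, as in the table
        Path=directory.rstrip("\\") + "\\",  # directory with trailing backslash
        # Assumption: Windows paths compare case-insensitively.
        isSelf=bool(actor_image)
        and ntpath.normcase(actor_image) == ntpath.normcase(base),
    )


def evaluate(conditions, item: FileItem, canary_file: str) -> bool:
    """Evaluate (component, property, condition, value) tuples against `item`.

    Assumptions: conditions in one operation are ANDed, only the "is"
    operator shown on this page is modelled, and %CanaryFile% expands to the
    canary file's full path before the comparison.
    """
    for component, prop, op, value in conditions:
        if component != "FileItem" or op != "is":
            raise ValueError(f"unsupported condition: {component}.{prop} {op}")
        expected = value.replace("%CanaryFile%", canary_file)
        actual = getattr(item, prop)
        if isinstance(actual, bool):  # checked before int: bool is an int subclass
            matched = actual is (expected.strip().lower() == "true")
        elif isinstance(actual, int):
            matched = actual == int(expected)
        else:
            matched = ntpath.normcase(actual) == ntpath.normcase(expected)
        if not matched:
            return False
    return True


# Constructed sample canary path and two rules expressed as condition tuples.
CANARY = r"C:\Users\Public\Documents\passwords.xlsx"
WRITE_CANARY_RULE = [("FileItem", "FullPath", "is", "%CanaryFile%")]
SELF_DELETE_RULE = [("FileItem", "isSelf", "is", "true")]


if __name__ == "__main__":
    print(file_item(r"C:\windows\system32\notepad.exe:example"))
    print(evaluate(WRITE_CANARY_RULE, file_item(CANARY), CANARY))
    print(evaluate(SELF_DELETE_RULE,
                   file_item(r"C:\tmp\dropper.exe", r"C:\TMP\dropper.exe"), CANARY))
```

Two points worth verifying against a real deployment before relying on them: the table defines Path as the directory part (with trailing backslash) and FullPath as directory plus file name, while the canary rule above matches %CanaryFile% against Path, so confirm which property the placeholder is intended for; and NameLength counts the file name without its extension (notepad -> 7), not the full file name or path.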
Supported operations
FileItem conditions can be used in operations of the following types:
• Codeinjection
• CreateNamedPipe
• CreateProcess
• DeleteFile
• LoadDLL
• LoadDriver
• ModuleDrop
• OpenProcess
• ReadFile
• RenameFile
• ScheduledTaskAdded
• ServiceInstalled
• ServiceStarted
• SetFileAttribute
• TruncateFile
• UnloadDriver
• VirtualDiskMounted
• WmiExecution
• WriteFile