# name= parameter with an executable extension, anywhere in the full message
full __h_exename_q /\bname=("?).+?\.(?:bas|bat|cmd|com|cpl|exe|js|jse|msi|mst|pcd|pif|reg|scr|sct|vb|vbe|vbs|wsc|wsf|wsh|xsl)\1[[:blank:]]*(?:;|$)/mi
# the same pattern, matched against the body only
rawbody __b_exename_q /\bname=("?).+?\.(?:bas|bat|cmd|com|cpl|exe|js|jse|msi|mst|pcd|pif|reg|scr|sct|vb|vbe|vbs|wsc|wsf|wsh|xsl)\1[[:blank:]]*(?:;|$)/mi
# fire only when the full-message rule matches and the body rule does not
meta ms_executable (__h_exename_q && !__b_exename_q)
describe ms_executable Suspect Microsoft executable
score ms_executable 107
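Added example, not part of the original post: a Python port of the pattern (with [[:blank:]] written as [ \t]) and of the meta logic, run over three constructed messages. body_text() only approximates what SpamAssassin passes to rawbody rules; the helper names and sample messages are assumptions.

```python
import re
from email import message_from_string

# Python port of the posted pattern; [[:blank:]] becomes [ \t], /mi becomes M|I.
EXENAME = re.compile(
    r'\bname=("?).+?\.(?:bas|bat|cmd|com|cpl|exe|js|jse|msi|mst|pcd|pif|reg'
    r'|scr|sct|vb|vbe|vbs|wsc|wsf|wsh|xsl)\1[ \t]*(?:;|$)', re.M | re.I)

def body_text(msg):
    """Approximation of rawbody input: decoded text parts, no MIME part headers."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "latin-1"
            chunks.append(payload.decode(charset, "replace"))
    return "\n".join(chunks)

def ms_executable(raw):
    """Meta rule: the pattern hits the full message but not the body text."""
    in_full = bool(EXENAME.search(raw))
    in_body = bool(EXENAME.search(body_text(message_from_string(raw))))
    return in_full and not in_body

# Constructed sample messages (not real mail).
ATTACHED = (
    "From: a@example.com\nSubject: invoice\nMIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="b1"\n\n'
    "--b1\nContent-Type: text/plain\n\nSee attached.\n"
    '--b1\nContent-Type: application/octet-stream; name="invoice.exe"\n'
    "Content-Transfer-Encoding: base64\n\nAAAA\n--b1--\n")
MENTION = (
    "From: b@example.com\nSubject: question\nContent-Type: text/plain\n\n"
    'The part header said name="setup.exe"\nIs that safe to open?\n')
# Same attachment, but the text part also quotes the header line.
BOTH = ATTACHED.replace("See attached.", 'Header was name="invoice.exe"')

if __name__ == "__main__":
    for label, raw in (("attached", ATTACHED), ("mention", MENTION), ("both", BOTH)):
        print(label, ms_executable(raw))
```

The third message shows a limitation of the meta rule: when the body text also contains a matching name= string, the body rule matches and the attachment is not flagged.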