full __h_exename_q
/\bname=("?).+?\.(?:bas|bat|cmd|com|cpl|exe|js|jse|msi|mst|pcd|pif|reg|scr|sct|vb|vbe|vbs|wsc|wsf|wsh|xsl)\1[[:blank:]]*(?:;|$)/mi
rawbody __b_exename_q
/\bname=("?).+?\.(?:bas|bat|cmd|com|cpl|exe|js|jse|msi|mst|pcd|pif|reg|scr|sct|vb|vbe|vbs|wsc|wsf|wsh|xsl)\1[[:blank:]]*(?:;|$)/mi
meta ms_executable (__h_exename_q && !__b_exename_q)
describe ms_executable Suspect Microsoft executable
score ms_executable 107
- Re: a simple rule for detecting Microsoft executables Francesco Potorti`
- Re: a simple rule for detecting Microsoft executab... Theo Van Dinter
- Re: a simple rule for detecting Microsoft exec... Francesco Potorti`
- Re: a simple rule for detecting Microsoft ... Theo Van Dinter
