<!--
  Endpoint data-movement rule fragment. All children of <and> must hold:
    1. bookkeeping on the event-scoped variables AgentIP / temp-CustomRuleData
    2. the source file path is outside the excluded folders
    3. the source file extension is not empty
    4. the current process image name is on the client list
    5. the operation is copy, read, ADE paste, move or network upload
  NOTE(review): the semantics of <add>, <set>, <in> and op="like" are defined by
  the rule engine; confirm the notes below against its reference.
-->
<and>
  <!--
    Agent IP bookkeeping. Presumably the first operand of <add>/<set> is the target.
    Read top to bottom: temp-CustomRuleData is added to AgentIP (asArray="true"),
    then the agent IP address is added to temp-CustomRuleData (asArray="false"),
    then temp-CustomRuleData is overwritten with a single space.
    NOTE(review): temp-CustomRuleData is consumed by the first step before this
    fragment writes the agent IP into it. If AgentIP is meant to carry this
    event's address, verify the step order.
  -->
  <add asArray="true">
    <varstring name="AgentIP" scope="event"/>
    <varstring name="temp-CustomRuleData" scope="event"/>
  </add>
  <add asArray="false">
    <varstring name="temp-CustomRuleData" scope="event"/>
    <agentIPAddress/>
  </add>
  <set>
    <varstring name="temp-CustomRuleData" scope="event"/>
    <string value=" " preserveCase="true"/>
  </set>

  <!--
    Path exclusions: the rule does not match when the source path is like any
    pattern below. The patterns are substring wildcards, so every source path
    that contains one of these folder names is outside this rule's coverage.
    Confirm that another rule monitors those locations if they can hold
    sensitive files.
    NOTE(review): if "like" compares case-insensitively, the AppData\Roaming
    pattern is already covered by the roaming pattern. TODO confirm.
  -->
  <not>
    <in op="like" match="any">
      <evtSrcFilePath/>
      <list>
        <string value="%\roaming\%"/>
        <string value="%\AppData\Roaming\%"/>
        <string value="%\documents\wechat files\%"/>
        <string value="%\program files (x86)\tencent\wechat\chat\filetype\%"/>
      </list>
    </in>
  </not>

  <!-- Skip events whose source file extension is like the empty string. -->
  <not>
    <in op="like" match="any">
      <evtSrcFileExt/>
      <list>
        <string value=""/>
      </list>
    </in>
  </not>

  <!--
    Disabled extension filter, kept for reference. While it stays commented out,
    the rule applies to every non-empty extension rather than to this list.
    The list carries both "mp4" and "MP4", which suggests a plain <in> may
    compare case-sensitively. TODO confirm.
  -->
  <!--
  <in>
    <evtSrcFileExt />
    <list>
      <string value="zip" />
      <string value="ppt" />
      <string value="pptx" />
      <string value="doc" />
      <string value="docx" />
      <string value="xls" />
      <string value="xlsx" />
      <string value="txt" />
      <string value="rar" />
      <string value="mp4" />
      <string value="MP4" />
      <string value="catpart" />
      <string value="CATProduct" />
      <string value="model" />
      <string value="prt" />
      <string value="asm" />
      <string value="drw" />
      <string value="cgr" />
      <string value="catdrawing" />
      <string value="catanalysis" />
      <string value="catfct" />
      <string value="cgm" />
      <string value="jpg" />
      <string value="jpeg" />
      <string value="png" />
      <string value="gif" />
      <string value="pdf" />
      <string value="rtf" />
    </list>
  </in>
  -->

  <!--
    Process scope: the current process image name must be one of these entries.
    Coverage depends on this list alone, so review it whenever a client is added
    or renamed in the environment.
    NOTE(review): entries mix lower case ("wechat.exe", "qq.exe") and mixed case
    ("KakaoTalk.exe", "Teams.exe"). Verify whether a plain <in> ignores case,
    otherwise an entry may not match the on-disk name.
  -->
  <in>
    <curProcessImageName/>
    <list>
      <string value="KakaoTalk.exe"/>
      <string value="NateOnMain.exe"/>
      <string value="lync.exe"/>
      <string value="AutowayMplusService.exe"/>
      <string value="Teams.exe"/>
      <string value="Squirrel.exe"/>
      <string value="Zoom.exe"/>
      <string value="BreakOut.exe"/>
      <string value="RTX.exe"/>
      <string value="wechat.exe"/>
      <string value="dingtalklauncher.exe"/>
      <string value="dingtalk.exe"/>
      <string value="qqsclauncher.exe"/>
      <string value="wxwork.exe"/>
      <string value="baidunetdisk.exe"/>
      <string value="weiyunapp.exe"/>
      <string value="wemeetapp.exe"/>
      <string value="E-Mobile.exe"/>
      <string value="Feishu.exe"/>
      <string value="qq.exe"/>
    </list>
  </in>

  <!--
    Operation scope: file copy, file read, ADE paste, file move and network
    upload. File open and file rename are listed but disabled.
  -->
  <in>
    <evtOperationType/>
    <list>
      <constOpFileCopy/>
      <!--
      <constOpFileOpen />
      <constOpFileRename />
      -->
      <constOpFileRead/>
      <constOpAdePaste/>
      <constOpFileMove/>
      <constOpNetTransferUpload/>
    </list>
  </in>
</and>