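<?xml version="1.0" encoding="UTF-8"?>
<!--
  SeeBee filter configuration (.SBC).

  <Filters>/<Create> declares named filters. Each <Filter> applies one
  operator to one property of the records selected by appliesOn
  ("Processes" or "Events"); its element text is a comma-separated list
  of values to match against.

  <Filters>/<Conditions> combines filters by name into Include/Exclude
  rules. How each operator and action is evaluated is decided by the
  SeeBee parser, not by this file; notes below that depend on that are
  marked as assumptions to confirm.

  Filter names must be unique: the Conditions section references filters
  by name, so a second <Filter> with an already-used name is ambiguous.
-->
<SeeBee>
  <Filters>
    <Create>
      <!-- Matches on the bare process name only. Combined with the Exclude
           condition below, any process that merely carries one of these
           names is hidden, whatever its on-disk path. A path-based filter
           is the safer choice when the goal is to hide only the genuine
           binaries rather than anything that calls itself chrome.exe. -->
      <Filter name="DefaultUserProcesses" appliesOn="Processes" property="ProcessName" operator="Equals">
        notepad.exe, explorer.exe, iexplore.exe, firefox.exe, chrome.exe
      </Filter>
      <!-- NOTE(review): the values are bare file names but the property is
           ImagePath with operator StartsWith. A full image path begins with
           a drive or directory, not with "svchost.exe", so as written this
           filter may never match. Confirm whether ProcessName/Equals or
           ImagePath/EndsWith was intended. -->
      <Filter name="DefaultSystemProcesses" appliesOn="Processes" property="ImagePath" operator="StartsWith">
        gpupdate.exe, conhost.exe, svchost.exe, winlogon.exe, csrss.exe, lsass.exe, WUDFHost.exe, spoolsv.exe, unsecapp.exe
      </Filter>
      <!-- A FinishTime of 0 is used here as the marker for a process that
           has not exited; the two filters below are complementary. -->
      <Filter name="RunningProcesses" appliesOn="Processes" property="FinishTime" operator="Equals">
        0
      </Filter>
      <Filter name="CompletedProcesses" appliesOn="Processes" property="FinishTime" operator="NotEquals">
        0
      </Filter>
      <!-- Whether "Contains" with several values means any or all of the
           listed modules is up to the parser; assumed "any", TODO confirm. -->
      <Filter name="HasLoadedWindowsDlls" appliesOn="Processes" property="Modules" operator="Contains">
        user32.dll, advapi32.dll
      </Filter>
      <!-- Event filter on the Operation column. "Load Image" is quoted
           because the value contains a space; the quoting convention is the
           parser's (assumed double quotes, TODO confirm).
           The original file declared this filter twice with identical
           content; the duplicate was dropped (see the note on unique names
           at the top of the file). -->
      <Filter name="SomeGenericProcesses" appliesOn="Events" property="Operation" operator="Equals">
        "Load Image", QueryBasicInformationFile
      </Filter>
    </Create>
    <Conditions>
      <!-- NOTE(review): if operator="And" requires a record to match every
           listed filter, this exclusion can never fire, because a process
           cannot be both notepad.exe (DefaultUserProcesses) and one of the
           DefaultSystemProcesses names at the same time. If the intent is to
           drop either group, operator="Or" is probably what is wanted. -->
      <Condition action="Exclude" operator="And">
        DefaultUserProcesses, DefaultSystemProcesses
      </Condition>
      <Condition action="Include" operator="Or">
        RunningProcesses, HasLoadedWindowsDlls
      </Condition>
      <!-- The meaning of operator="Only", and how it interacts with the
           broader Include/Or condition above, is not visible from this file;
           presumably it narrows the result to this single filter. Confirm
           against the parser before relying on the combined result. -->
      <Condition action="Include" operator="Only">
        HasLoadedWindowsDlls
      </Condition>
    </Conditions>
  </Filters>
</SeeBee>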