Query malicious file types from any directory, excluding the default OS and install directories

AID2201220858.YAML

#####aid_begin
#description: file query - query malicious file types from any directory not including the default os and install directories (%systemdrive%\windows, %systemdrive%\program files*)
#id: aid2201220858
#processtype: query
#category: filesandfolders
#sourcelink: <na>
#tacticidlist: <na>
#techniqueidlist: <na>
#compatibleos: |-
#  windows 7
#  windows 8.*
#  windows 10
#  windows 11
#  windows server 2008 r2
#  windows server 2012
#  windows server 2012 r2
#  windows server 2016
#  windows server 2019
#compatibleengine: |-
#  powershell 2
#  powershell 3
#  powershell 4
#  powershell 5.*
#  powershell 7.*
#bgcommandlist: |-
#  get-bgchilditemlist
#notes: |- 
#  query malicious file types from any directory not including the default os and install directories (%systemdrive%\windows, %systemdrive%\program files*)
#####aid_end
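commands:
# List the top-level entries of the system drive and hand every directory
# except the OS/install roots to Get-BGChildItemList, which recurses into them
# for the extensions in -Pattern. Get-BGChildItemList is an opaque helper:
# its recursion, junction handling and error handling are not visible here.
# -Force: without it Get-ChildItem silently skips hidden/system root
#   directories such as %systemdrive%\ProgramData and $Recycle.Bin, both
#   common malware staging locations. It also surfaces protected entries such
#   as "System Volume Information", which the helper may fail to read.
# PSIsContainer: only directories become search paths; loose files in the
#   drive root are not passed on.
# Exclusion regex: anchored so exactly "\Windows" and any "\Program Files*"
#   directory are dropped, matching the description; "\Windows.old" and
#   "\ProgramData" are kept. SystemDrive is regex-escaped, not interpolated raw.
# Script-block Where-Object / ForEach-Object are used instead of the
#   simplified "-Property X -Match" syntax and $(...).FullName member
#   enumeration, which need PowerShell 3+ although compatibleengine lists 2.
- Get-BGChildItemList -SearchPath (Get-ChildItem -Path "$env:SystemDrive\" -Force | Where-Object { $_.PSIsContainer -and ($_.FullName -notmatch ('^{0}\\(Windows$|Program Files)' -f [regex]::Escape($env:SystemDrive))) } | ForEach-Object { $_.FullName }) -Pattern "\.exe$|\.dll$|\.scr$|\.com$|\.bat$|\.ps1$|\.psm1$|\.psd1$|\.vbs$|\.vbe$|\.js$|\.wsh$|\.hta$|\.py$|\.ini$" -Recurse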
