From f244bebfb01898fe7df9a8533acb8a3fe0f5ff56 Mon Sep 17 00:00:00 2001
From: Kevin Hardy-Cooper
Date: Thu, 2 Sep 2021 09:14:54 -0400
Subject: [PATCH] Adding strong indicators for vbs
---
 assemblyline/common/identify.py | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/assemblyline/common/identify.py b/assemblyline/common/identify.py
index 4b374037d..15699704a 100644
--- a/assemblyline/common/identify.py
+++ b/assemblyline/common/identify.py
@@ -30,6 +30,8 @@
 re.compile(rb'(^|\n)ExecuteGlobal'),
 re.compile(rb'(^|\n)REM[ \t]+'),
 re.compile(rb'(ubound|lbound)\('),
+ re.compile(rb'CreateObject\('),
+ re.compile(rb'Set[ \t]*\w+[ \t]*=[ \t]*'),
 ],
 'code/javascript': [
 re.compile(rb'function([ \t]*|[ \t]+[\w]+[ \t]*)\([\w \t,]*\)[ \t]*{'),
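Review bot: The added `Set[ \t]*\w+[ \t]*=[ \t]*` pattern is too loose for a strong VBS indicator. Because `[ \t]*` after `Set` allows zero whitespace and nothing anchors the match, it hits any identifier that starts with or contains `Set`, for example `Settings=` in an INI file or `ResultSets = ` in another language, and the trailing `[ \t]*` constrains nothing. Requiring a word boundary and real whitespace, `re.compile(rb'\bSet[ \t]+\w+[ \t]*='),`, keeps the VBS object-assignment form and drops those hits. Batch-style `Set name=value` lines would still match, so this pattern, like `CreateObject\(`, is probably better treated as corroborating evidence than as decisive on its own. The pattern list starts outside the hunk and the scoring of strong indicators is not visible here, so the effect of a single false hit on file-type routing is inferred.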