From 6d7427fbdff4622c0d0218a76c64ec544f7453a5 Mon Sep 17 00:00:00 2001
From: zaicurity <59199225+zaicurity@users.noreply.github.com>
Date: Fri, 7 Nov 2025 11:53:16 +0100
Subject: [PATCH] Create KeepVMDisksByExtension.toml

Added a rule to look for common virtual machine disk files.
---
.../VirtualMachines/KeepVMDisksByExtension.toml | 14 ++++++++++++++
1 file changed, 14 insertions(+)
create mode 100644 Snaffler/SnaffRules/DefaultRules/FileRules/Keep/Infrastructure/VirtualMachines/KeepVMDisksByExtension.toml

diff --git a/Snaffler/SnaffRules/DefaultRules/FileRules/Keep/Infrastructure/VirtualMachines/KeepVMDisksByExtension.toml b/Snaffler/SnaffRules/DefaultRules/FileRules/Keep/Infrastructure/VirtualMachines/KeepVMDisksByExtension.toml
new file mode 100644
index 0000000..7c8384b
--- /dev/null
+++ b/Snaffler/SnaffRules/DefaultRules/FileRules/Keep/Infrastructure/VirtualMachines/KeepVMDisksByExtension.toml
@@ -0,0 +1,14 @@
+[[ClassifierRules]]
+EnumerationScope = "FileEnumeration"
+RuleName = "KeepVMDisksByExtension"
+MatchAction = "Snaffle"
+Description = "Virtual Machine Disks can contain sensitive data or credentials."
+MatchLocation = "FileExtension"
+WordListType = "Exact"
+MatchLength = 0
+WordList = [
+"\\.vmdk",
+"\\.vdi",
+"\\.vhd",
+"\\.vhdx"]
+Triage = "Red"
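Review bot: The `WordList` entries carry a regex-escaped dot (`"\\.vmdk"`) while `WordListType` is `"Exact"`. If the rule loader compiles word lists to regular expressions this is correct, but if it compares strings literally the backslash becomes part of the pattern and the rule never fires, so it is worth confirming against a sibling extension rule or a test share before merging. The array layout is also awkward to extend, with unindented elements and `]` fused onto the last entry; four short values fit on one line as `WordList = ["\\.vmdk", "\\.vdi", "\\.vhd", "\\.vhdx"]`. Since the rule matches on extension alone and assigns `Triage = "Red"` without looking at content, a comment above `Triage` such as `# extension-only match: flags that a disk image is readable, not what it contains` would help whoever triages the findings.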