Regex is killing me

I’m trying to enrich a bunch of Windows Sysmon logs. The ultimate goal is to set a field on processes launched from an Office application, i.e. if Word launches PowerShell or an unknown process, I want to know about it.

I know Java regex seems a bit pickier than others, but here is where I’m at. Here are some samples of Sysmon logs.

explorer.exe
C:\WINDOWS\system32\WerFault.exe -u -p 137120 -s 4024
C:\WINDOWS\system32\WerFault.exe -pss -s 792 -p 137120 -ip 137120
"C:\Program Files (x86)\Adobe\Acrobat 2017\Acrobat\AcroCEF\AcroCEF.exe" --backgroundcolor=5066061
C:\Program Files (x86)\Adobe\Reader DC\AcroRd32.exe

I want to filter out noise from Adobe products (and note the occasional double-quote at the start).

(?i)(c:\\program files \(x86\)\\adobe).*$

This works in both https://regex101.com/r/BYUqJO/1/ and https://www.freeformatter.com/java-regex-tester.html#ad-output

However, the moment I try to use it in my pipeline, the editor cries about it. Not to mention, I can’t get an optional capture group around the (x86) working either. To me, it should be ( \(x86\))?

rule "Threat Intel - Sysmon Parent Process" 
when 
    (has_field("parent_command") OR has_field("parent_process")) AND
    (regex("(?i)(acrobat|winword|excel|lync|powerpnt|acrord32|notepad|calc)", to_string($message.parent_command)).matches == true OR 
    regex("(?i)(acrobat|winword|excel|lync|powerpnt|acrord32|notepad|calc)", to_string($message.parent_process)).matches == true) AND 
    (to_string($message.command) != "C:\\WINDOWS\\splwow64.exe 8192" AND
    regex("(?i)(c:\\program files \(x86\)\\adobe).*$",to_string($message.command)).matches != true) 
then
set_field("suspicious_parent",to_bool("true"));
end

Any pointers? Where have I bunged this up, aside from being a total rookie with regex.

I believe your optional x86 requires the space inside the paren section as follows:

( \(x86\))?

See: https://regexr.com/3f4vo

I have the space in tests

Your regex should work, but it looks like it might be a bug in Graylog: it didn’t like the ( and x combo.

Try the below; it seems to match your samples & requirements. Note I added an optional line which might be simpler for you, “starts_with”.

rule "Threat Intel - Sysmon Parent Process" 
when 
    ( has_field("parent_command") OR 
      has_field("parent_process")
    ) AND (
        regex("(?i)(acrobat|winword|excel|lync|powerpnt|acrord32|notepad|calc)", to_string($message.parent_command)).matches == true OR 
        regex("(?i)(acrobat|winword|excel|lync|powerpnt|acrord32|notepad|calc)", to_string($message.parent_process)).matches == true
    ) AND (
        to_string($message.command) != "C:\\WINDOWS\\splwow64.exe 8192" AND
        starts_with(to_string($message.command), "c:\\program files (x86)\\adobe", true) AND
        regex("(?i)(c:\\program Files(\s(.*?))?)\\adobe",to_string($message.command)).matches != true 
    )
then
    set_field("suspicious_parent",to_bool("true"));
end

Thanks @lindonm
I’m trying to use your code and I’m getting ‘Invalid Expression’ error Line 3, Column 4 and I can’t find the typo myself. :confused:

Did you double escape the escapes?

Java regex makes it really hard sometimes; I personally try to check in https://www.freeformatter.com/java-regex-tester.html

But double escaping the escapes usually does the trick.

Can you give an example?

I can’t make the same sample work with either two or three escapes.

Actually the error was on the program files regex line, sorry. Try this; I’m not sure if it will actually match for you, though it does allow me to save it now (added double escapes as per Jan’s comment).

regex("(?i)(c:\\\\program Files(\\s(.*?))?)\\\\adobe",to_string($message.command)).matches != true 

That did it! Thanks @lindonm
Now that I know I need 4 slashes to replace one…
So, by that logic, do I need 8 slashes for a Windows UNC? \\Serverlocation\Folder\File.exe ? That seems pretty intense.

I can only assume so, try it out and let us know :slight_smile:

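A model of the two escaping layers this thread runs into, as an added Python example (not code from the thread or from Graylog): it assumes the rule's double-quoted string literal is unescaped Java-style before the pattern reaches the regex engine, models regex().matches as a find, and uses a constructed UNC share name.

```python
import re

# The pipeline rule's double-quoted string literal is unescaped first; only the result reaches the regex.
OFFICE_PARENT = re.compile(r'(?i)(acrobat|winword|excel|lync|powerpnt|acrord32|notepad|calc)')

def unescape_rule_literal(literal: str) -> str:
    """Assumed Java-style literal handling: a doubled backslash yields one backslash and any
    other backslash escape is rejected, mirroring the thread's 'Invalid Expression' error."""
    out, i = [], 0
    while i < len(literal):
        if literal[i] == '\\':
            if literal[i + 1:i + 2] != '\\':
                raise ValueError(f'invalid escape sequence at column {i}')
            i += 1  # skip the first backslash of the pair; the second is emitted below
        out.append(literal[i])
        i += 1
    return ''.join(out)

def literal_is_valid(literal: str) -> bool:
    """True when the rule parser, as modelled above, would accept the string literal."""
    try:
        unescape_rule_literal(literal)
        return True
    except ValueError:
        return False

def rule_regex(literal: str) -> re.Pattern:
    """Compile the pattern exactly as the engine sees it after literal unescaping."""
    return re.compile(unescape_rule_literal(literal))

# Four backslashes in the rule source -> two in the regex -> one literal backslash in the path;
# '\\(' in the source becomes '\(' in the regex, giving the optional (x86) group the thread wanted.
ADOBE_NOISE = rule_regex(r'(?i)(c:\\\\program files( \\(x86\\))?\\\\adobe)')
# A UNC path starts with two backslashes, so the rule source needs eight (constructed share name).
UNC_LAUNCH = rule_regex(r'\\\\\\\\Serverlocation\\\\Folder\\\\File\\.exe')

def suspicious_parent(parent_process: str, command: str) -> bool:
    """The thread's detection: an Office/Reader parent launching something other than Adobe noise.
    regex().matches is modelled as a search (find), so the leading double quote does not matter."""
    if not OFFICE_PARENT.search(parent_process):
        return False
    if command == r'C:\WINDOWS\splwow64.exe 8192':
        return False
    return ADOBE_NOISE.search(command) is None

def flagged_commands(events):
    """Apply the rule to (parent_process, command) pairs; returns the commands worth a look."""
    return [cmd for parent, cmd in events if suspicious_parent(parent, cmd)]
```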
