solidify drive letter detection in command line, scope file.status field to CreateFile events

Author: rabbitstack

pkg/filter/accessor_windows.go

@@ -614,6 +614,9 @@ func (l *fileAccessor) get(f fields.Field, kevt *kevent.Kevent) (kparams.Value,
 		}
 		return attrs, nil
 	case fields.FileStatus:
+		if kevt.Type != ktypes.CreateFile {
+			return nil, nil
+		}
 		return kevt.Kparams.GetString(kparams.NTStatus)
 	}
 	return nil, nil

pkg/kstream/interceptors/ps_windows.go

@@ -41,6 +41,9 @@ import (
 // systemRootRegexp is the regular expression for detecting path with unexpanded SystemRoot environment variable
 var systemRootRegexp = regexp.MustCompile(`%SystemRoot%|^\\SystemRoot|%systemroot%`)
 
+// driveRegexp is used for determining if the command line start with a valid drive letter based path
+var driveRegexp = regexp.MustCompile(`^[a-zA-Z]:\\`)
+
 // procYaraScans stores the total count of yara process scans
 var procYaraScans = expvar.NewInt("yara.proc.scans")
 
@@ -87,8 +90,9 @@ func (ps psInterceptor) Intercept(kevt *kevent.Kevent) (*kevent.Kevent, bool, er
 		if systemRootRegexp.MatchString(cmdline) {
 			cmdline = systemRootRegexp.ReplaceAllString(cmdline, os.Getenv("SystemRoot"))
 		}
-		// some system processes are reported without the path in command line
-		if strings.Index(cmdline, `:\\`) != 1 {
+		// some system processes are reported without the path in the command line,
+		// but we can expand the path from the SystemRoot environment variable
+		if !driveRegexp.MatchString(cmdline) {
 			proc, _ := kevt.Kparams.GetString(kparams.ProcessName)
 			_, ok := sysProcs[proc]
 			if ok {