fixing regex

MHaggis · MHaggis · commit a87f5f24616b · 2025-02-14T08:10:38.000-07:00
Thank you @nterl0k
diff --git a/detections/endpoint/windows_sqlcmd_execution.yml b/detections/endpoint/windows_sqlcmd_execution.yml
@@ -27,76 +27,76 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime
         has_parameters=if(match(process, "-[A-Za-z]"), 1, 0),
         has_query=case(
             match(process, "-[Qq]\\s+"), 1,
-            match(process_lower, "(?i)--query\\s+"), 1,
-            match(process_lower, "(?i)--initial-query\\s+"), 1,
+            match(process_lower, "--query\\s+"), 1,
+            match(process_lower, "--initial-query\\s+"), 1,
             true(), 0
         ),
         has_output=case(
             match(process, "-[oO]\\s+"), 1,
-            match(process_lower, "(?i)--output-file\\s+"), 1,
+            match(process_lower, "--output-file\\s+"), 1,
             true(), 0
         ),
         has_input=case(
             match(process, "-[iI]\\s+"), 1,
-            match(process_lower, "(?i)--input-file\\s+"), 1,
+            match(process_lower, "--input-file\\s+"), 1,
             true(), 0
         ),
         has_url_input=case(
             match(process, "-[iI]\\s+https?://"), 1,
-            match(process_lower, "(?i)--input-file\\s+https?://"), 1,
+            match(process_lower, "--input-file\\s+https?://"), 1,
             match(process, "-[iI]\\s+ftp://"), 1,
-            match(process_lower, "(?i)--input-file\\s+ftp://"), 1,
+            match(process_lower, "--input-file\\s+ftp://"), 1,
             true(), 0
         ),
         has_admin_conn=case(
             match(process, "-A"), 1,
-            match(process_lower, "(?i)--dedicated-admin-connection"), 1,
+            match(process_lower, "--dedicated-admin-connection"), 1,
             true(), 0
         ),
         has_suspicious_auth=case(
             match(process, "-U\\s+sa\\b"), 1,
-            match(process_lower, "(?i)--user-name\\s+sa\\b"), 1,
+            match(process_lower, "--user-name\\s+sa\\b"), 1,
             match(process, "-U\\s+admin\\b"), 1,
-            match(process_lower, "(?i)--user-name\\s+admin\\b"), 1,
+            match(process_lower, "--user-name\\s+admin\\b"), 1,
             match(process, "-E\\b"), 1,
-            match(process_lower, "(?i)--use-trusted-connection"), 1,
+            match(process_lower, "--use-trusted-connection"), 1,
             true(), 0
         ),
         has_local_server=case(
             match(process, "-S\\s+127\\.0\\.0\\.1"), 1,
-            match(process_lower, "(?i)--server\\s+127\\.0\\.0\\.1"), 1,
+            match(process_lower, "--server\\s+127\\.0\\.0\\.1"), 1,
             match(process, "-S\\s+localhost"), 1,
-            match(process_lower, "(?i)--server\\s+localhost"), 1,
+            match(process_lower, "--server\\s+localhost"), 1,
             true(), 0
         ),
         has_suspicious_output=case(
-            match(process_lower, "(?i)-o\\s+.*\\.(txt|csv|dat)"), 1,
-            match(process_lower, "(?i)--output-file\\s+.*\\.(txt|csv|dat)"), 1,
+            match(process_lower, "-o\\s+.*\\.(txt|csv|dat)"), 1,
+            match(process_lower, "--output-file\\s+.*\\.(txt|csv|dat)"), 1,
             true(), 0
         ),
         has_cert_bypass=case(
             match(process, "-C"), 1,
-            match(process_lower, "(?i)--trust-server-certificate"), 1,
+            match(process_lower, "--trust-server-certificate"), 1,
             true(), 0
         ),
         has_suspicious_query=case(
-            match(process_lower, "(?i)(xp_cmdshell|sp_oacreate|sp_execute_external|openrowset|bulk\\s+insert)"), 1,
-            match(process_lower, "(?i)(master\\.\\.\\.sysdatabases|msdb\\.\\.\\.backuphistory|sysadmin|securityadmin)"), 1,
-            match(process_lower, "(?i)(select.*from.*sys\\.|select.*password|dump\\s+database)"), 1,
-            match(process_lower, "(?i)(sp_addextendedproc|sp_makewebtask|sp_addsrvrolemember)"), 1,
-            match(process_lower, "(?i)(sp_configure.*show\\s+advanced|reconfigure|enable_xp_cmdshell)"), 1,
-            match(process_lower, "(?i)(exec.*master\\.dbo\\.|exec.*msdb\\.dbo\\.)"), 1,
-            match(process_lower, "(?i)(sp_password|sp_control_dbmasterkey_password|sp_dropextendedproc)"), 1,
-            match(process_lower, "(?i)(powershell|cmd\\.exe|rundll32|regsvr32|certutil)"), 1,
+            match(process_lower, "(xp_cmdshell|sp_oacreate|sp_execute_external|openrowset|bulk\\s+insert)"), 1,
+            match(process_lower, "(master\\.\\.\\.sysdatabases|msdb\\.\\.\\.backuphistory|sysadmin|securityadmin)"), 1,
+            match(process_lower, "(select.*from.*sys\\.|select.*password|dump\\s+database)"), 1,
+            match(process_lower, "(sp_addextendedproc|sp_makewebtask|sp_addsrvrolemember)"), 1,
+            match(process_lower, "(sp_configure.*show\\s+advanced|reconfigure|enable_xp_cmdshell)"), 1,
+            match(process_lower, "(exec.*master\\.dbo\\.|exec.*msdb\\.dbo\\.)"), 1,
+            match(process_lower, "(sp_password|sp_control_dbmasterkey_password|sp_dropextendedproc)"), 1,
+            match(process_lower, "(powershell|cmd\\.exe|rundll32|regsvr32|certutil)"), 1,
             true(), 0
         ),
         has_suspicious_path=case(
-            match(process_lower, "(?i)(\\\\temp\\\\|\\\\windows\\\\|\\\\public\\\\|\\\\users\\\\public\\\\|\\\\programdata\\\\)"), 1,
-            match(process_lower, "(?i)(\\\\desktop\\\\.*\\.(zip|rar|7z|tar|gz))"), 1,
-            match(process_lower, "(?i)(\\\\downloads\\\\.*\\.(dat|bin|tmp))"), 1,
-            match(process_lower, "(?i)(\\\\appdata\\\\local\\\\temp\\\\|\\\\windows\\\\tasks\\\\)"), 1,
-            match(process_lower, "(?i)(\\\\recycler\\\\|\\\\system32\\\\|\\\\system volume information\\\\)"), 1,
-            match(process_lower, "(?i)(\\.vbs|\\.ps1|\\.bat|\\.cmd|\\.exe)$"), 1,
+            match(process_lower, "(\\\\temp\\\\|\\\\windows\\\\|\\\\public\\\\|\\\\users\\\\public\\\\|\\\\programdata\\\\)"), 1,
+            match(process_lower, "(\\\\desktop\\\\.*\\.(zip|rar|7z|tar|gz))"), 1,
+            match(process_lower, "(\\\\downloads\\\\.*\\.(dat|bin|tmp))"), 1,
+            match(process_lower, "(\\\\appdata\\\\local\\\\temp\\\\|\\\\windows\\\\tasks\\\\)"), 1,
+            match(process_lower, "(\\\\recycler\\\\|\\\\system32\\\\|\\\\system volume information\\\\)"), 1,
+            match(process_lower, "(\\.vbs|\\.ps1|\\.bat|\\.cmd|\\.exe)$"), 1,
             true(), 0
         ),
         has_suspicious_combo=case(
@@ -106,17 +106,17 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime
             true(), 0
         ),
         has_obfuscation=case(
-            match(process_lower, "(?i)(char\\(|convert\\(|cast\\(|declare\\s+@)"), 1,
-            match(process_lower, "(?i)(exec\\s+\\(|exec\\s+@|;\\s*exec)"), 1,
+            match(process_lower, "(char\\(|convert\\(|cast\\(|declare\\s+@)"), 1,
+            match(process_lower, "(exec\\s+\\(|exec\\s+@|;\\s*exec)"), 1,
             match(process, "\\^|\\%|\\+\\+|\\-\\-"), 1,
             len(process) > 500, 1,
             true(), 0
         ),
         has_data_exfil=case(
-            match(process_lower, "(?i)(for\\s+xml|for\\s+json)"), 1,
-            match(process_lower, "(?i)(bulk\\s+insert.*from)"), 1,
-            match(process_lower, "(?i)(bcp.*queryout|bcp.*out)"), 1,
-            match(process_lower, "(?i)(select.*into.*from|select.*into.*outfile)"), 1,
+            match(process_lower, "(for\\s+xml|for\\s+json)"), 1,
+            match(process_lower, "(bulk\\s+insert.*from)"), 1,
+            match(process_lower, "(bcp.*queryout|bcp.*out)"), 1,
+            match(process_lower, "(select.*into.*from|select.*into.*outfile)"), 1,
             true(), 0
         )
 
