Trouble with creating a reference list

  • November 11, 2024

GSCoNist-

Hello, I am currently creating a Chronicle rule that checks specific registry key values and was wondering: if I reference a list, am I able to put the entire file path? For example, I have the following file path that is returned in the events:
c:\\program files (x86)\\cisco\\cisco anyconnect secure mobility client\\vpnagent.exe

 
Right now I am using the RegEx syntax for the List and have the following:
vpnagent.exe // From c:\\program files (x86)\\cisco\\cisco anyconnect secure mobility client\\vpnagent.exe
 
Now it does work, but I really would like to reference the entire path and not just the name of the exe file. Any ideas?

David-French
Staff

Can you try the following regex expression that escapes characters like backslash and parentheses?

c:\\\\program files \\(x86\\)\\\\cisco\\\\cisco anyconnect secure mobility client\\\\vpnagent\\.exe


jstoner
Staff
  • November 12, 2024

A little bit of testing is wise to make sure you handle all potential escape characters as @David-French mentions above. I would also suggest adding a strings.to_lower (or strings.to_upper) against the field or variable being compared.

For instance, if your list is like what is above, the criteria might look like this:

strings.to_lower($registry.target.process.file_path) IN %reglist
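
The testing suggested in the replies can be done offline before a list entry is saved. The Python helper below is an added example, not code from the posters or from Chronicle: it builds a lower-cased, regex-escaped entry from a literal path and checks it against constructed sample values. Assumptions: the stored field value uses single backslashes (the doubled ones shown above being display escaping), list entries are matched unanchored (hence the added `^` and `$`), and the function names are hypothetical.

```python
import re

# Regex metacharacters that must be backslash-escaped to match literally.
_META = set("\\.^$*+?()[]{}|")

def to_list_entry(path: str, anchor: bool = True) -> str:
    """Turn a literal file path into a regex reference-list entry."""
    # Lower-case first so the entry lines up with strings.to_lower(<field>).
    body = "".join("\\" + ch if ch in _META else ch for ch in path.lower())
    # Anchors stop the entry from matching as a substring of a longer path.
    return f"^{body}$" if anchor else body

def matches(entry: str, field_value: str) -> bool:
    """Emulate the rule-side comparison: lower-case the field, then search."""
    return re.search(entry, field_value.lower()) is not None

# Constructed sample values (assumption: single backslashes in the raw field;
# confirm against a raw event before relying on this).
OBSERVED = (r"c:\program files (x86)\cisco"
            r"\cisco anyconnect secure mobility client\vpnagent.exe")
ENTRY = to_list_entry(OBSERVED)

SAMPLES = {
    "exact path": OBSERVED,
    "mixed case": (r"C:\Program Files (x86)\Cisco"
                   r"\Cisco AnyConnect Secure Mobility Client\vpnagent.exe"),
    "same name, other directory": r"c:\users\public\vpnagent.exe",
    "extra suffix": OBSERVED + ".bak",
}

def evaluate(entry: str = ENTRY) -> dict:
    """Return {sample label: whether the entry matches that sample}."""
    return {label: matches(entry, value) for label, value in SAMPLES.items()}

if __name__ == "__main__":
    print("full-path entry:", ENTRY)
    for label, hit in evaluate().items():
        print(f"  {label:28} {hit}")
    # The bare file name used in the original question, for comparison.
    print("bare-name entry: vpnagent.exe")
    for label, hit in evaluate("vpnagent.exe").items():
        print(f"  {label:28} {hit}")
```

The full-path entry matches only the two spellings of the expected location, while the bare `vpnagent.exe` entry matches all four samples.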