Closed
Description
https://www.elastic.co/guide/en/security/7.17/whitespace-padding-in-process-command-line.html
Entered on behalf of a User
Description
I have checked the Elastic rule “Whitespace Padding in Process Command Line” and found that the regex there could be improved. The original rule looks like:
process where event.type in ("start", "process_started") and
process.command_line regex ".*[ ]{20,}.*" or
/* this will match on 3 or more separate occurrences of 5+ contiguous whitespace characters */
process.command_line regex ".*(.*[ ]{5,}[^ ]*){3,}.*"
I now want to update the second regex to:
"^([^\s]*([^\s]*[\s]{5,}[^\s]*){3,}[^\s]+)(\s*)$"
However, if I do that, I get "line 5:30: token recognition error at: '"^([^\s'".
Example Data
Here is the updated version of the rule that ignores trailing whitespace.
process where event.type in ("start", "process_started") and
process.command_line regex ".*[\\s]{20,}.*[^\\s]+(\\s*)$" or
/* this will match on 3 or more separate occurrences of 5+ contiguous whitespace characters */
process.command_line regex "^([^\\s]*([^\\s]*[\\s]{5,}[^\\s]*){3,}[^\\s]+)(\\s*)$"
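The script below is an added example, not part of the issue and not Elastic's or the poster's code. It decodes the two updated patterns out of their EQL double-quoted string literals (which is why `\\s` has to be written doubled there, and why a bare `\s` is rejected by the string tokenizer) and then runs the original and updated pattern pairs over a handful of constructed command lines to show where the two versions differ: command lines padded only at the end, padding followed by a real argument, and padding made of tabs rather than spaces. Two things are assumptions of this example rather than facts from the page: EQL `regex` is modelled as a whole-string match (Python's `re.fullmatch`), and the set of escapes accepted inside an EQL `"..."` literal is reduced to `\\`, `\"`, `\t`, `\n` and `\r`.

```python
import re

# Added example (not Elastic's rule code): compare the original and the
# updated "Whitespace Padding in Process Command Line" regexes.
# ASSUMPTION: EQL's regex function behaves like re.fullmatch (whole string).

ORIGINAL = [
    r".*[ ]{20,}.*",
    r".*(.*[ ]{5,}[^ ]*){3,}.*",
]

# The updated patterns exactly as written inside the EQL string literals,
# i.e. with the backslashes still doubled.
UPDATED_EQL_LITERALS = [
    r".*[\\s]{20,}.*[^\\s]+(\\s*)$",
    r"^([^\\s]*([^\\s]*[\\s]{5,}[^\\s]*){3,}[^\\s]+)(\\s*)$",
]

# ASSUMPTION: simplified escape set for an EQL "..." string literal.
_EQL_ESCAPES = {"\\": "\\", '"': '"', "t": "\t", "n": "\n", "r": "\r"}


def eql_string_literal(body: str) -> str:
    """Decode the escapes of an EQL double-quoted string body.

    An unknown escape such as "\\s" raises, which is the Python-side analogue
    of the "token recognition error" the EQL parser reported for the
    first attempt in the issue.
    """
    out = []
    i = 0
    while i < len(body):
        ch = body[i]
        if ch == "\\":
            i += 1
            if i >= len(body) or body[i] not in _EQL_ESCAPES:
                raise ValueError(f"token recognition error at: {body[i - 1:i + 1]!r}")
            out.append(_EQL_ESCAPES[body[i]])
        else:
            out.append(ch)
        i += 1
    return "".join(out)


def eql_literal_is_valid(body: str) -> bool:
    """True if the string body would tokenize under the simplified escape set."""
    try:
        eql_string_literal(body)
        return True
    except ValueError:
        return False


# Regexes the EQL engine would actually see after string decoding.
UPDATED = [eql_string_literal(p) for p in UPDATED_EQL_LITERALS]


def matches_rule(patterns, command_line: str) -> bool:
    """The rule ORs its two regex clauses; any whole-string match fires."""
    return any(re.fullmatch(p, command_line) for p in patterns)


# Constructed sample command lines (not real telemetry).
SAMPLES = {
    "plain": "cmd.exe /c whoami",
    "trailing_only": "cmd.exe /c whoami" + " " * 40,
    "padded_then_arg": "powershell.exe" + " " * 30 + "-enc SQBFAFgA",
    "padded_then_arg_trailing": "powershell.exe" + " " * 30 + "-enc SQBFAFgA" + " " * 12,
    "three_gaps": "powershell" + " " * 6 + "-nop" + " " * 6 + "-w" + " " * 6 + "hidden",
    "tab_padded": "cmd.exe" + "\t" * 24 + "/c calc.exe",
}


def evaluate(samples=SAMPLES):
    """Return {name: (original_fires, updated_fires)} for each sample."""
    return {
        name: (matches_rule(ORIGINAL, cl), matches_rule(UPDATED, cl))
        for name, cl in samples.items()
    }


if __name__ == "__main__":
    for name, (orig, upd) in evaluate().items():
        print(f"{name:26s} original={orig!s:5} updated={upd!s:5}")
```

Running it shows the trade-off the updated patterns make: a command line whose only padding is trailing whitespace no longer fires, padding followed by an argument still does (with or without trailing whitespace), and because the updated patterns use `\s` instead of a literal space, tab padding is now caught where the original space-only classes missed it.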