Fix broken regex alternation in detections

srkyn · srkyn · commit a224fc32a36d · 2026-06-04T09:28:49.000-04:00
diff --git a/detections/application/m365_copilot_impersonation_jailbreak_attack.yml b/detections/application/m365_copilot_impersonation_jailbreak_attack.yml
@@ -1,8 +1,8 @@
 name: M365 Copilot Impersonation Jailbreak Attack
 id: cc26aba8-7f4a-4078-b91a-052d6a53cb13
-version: 5
+version: 6
 creation_date: '2025-10-13'
-modification_date: '2026-05-13'
+modification_date: '2026-06-04'
 author: Rod Soto
 status: experimental
 type: TTP
@@ -13,15 +13,7 @@ search: |-
     `m365_exported_ediscovery_prompt_logs`
       | search Subject_Title="*Pretend you are*" OR Subject_Title="*act as*" OR Subject_Title="*you are now*" OR Subject_Title="*amoral*" OR Subject_Title="*being*" OR Subject_Title="*roleplay as*" OR Subject_Title="*imagine you are*" OR Subject_Title="*behave like*"
       | eval user = Sender
-      | eval impersonation_type=case(match(Subject_Title, "(?i)pretend you are.*AI"), "AI_Impersonation", match(Subject_Title, "(?i)(act as
-      | roleplay as).*AI"), "AI_Roleplay", match(Subject_Title, "(?i)amoral.*AI"), "Amoral_AI", match(Subject_Title, "(?i)transcendent being"), "Fictional_Entity", match(Subject_Title, "(?i)(act as
-      | pretend you are).*(entities
-      | multiple)"), "Multi_Entity", match(Subject_Title, "(?i)(imagine you are
-      | behave like).*AI"), "AI_Behavioral_Change", match(Subject_Title, "(?i)you are now.*AI"), "AI_Identity_Override", match(Subject_Title, "(?i)(evil
-      | malicious
-      | harmful).*AI"), "Malicious_AI_Persona", match(Subject_Title, "(?i)(unrestricted
-      | unlimited
-      | uncensored).*AI"), "Unrestricted_AI_Persona", 1=1, "Generic_Roleplay")
+      | eval impersonation_type=case(match(Subject_Title, "(?i)pretend you are.*AI"), "AI_Impersonation", match(Subject_Title, "(?i)(act as|roleplay as).*AI"), "AI_Roleplay", match(Subject_Title, "(?i)amoral.*AI"), "Amoral_AI", match(Subject_Title, "(?i)transcendent being"), "Fictional_Entity", match(Subject_Title, "(?i)(act as|pretend you are).*(entities|multiple)"), "Multi_Entity", match(Subject_Title, "(?i)(imagine you are|behave like).*AI"), "AI_Behavioral_Change", match(Subject_Title, "(?i)you are now.*AI"), "AI_Identity_Override", match(Subject_Title, "(?i)(evil|malicious|harmful).*AI"), "Malicious_AI_Persona", match(Subject_Title, "(?i)(unrestricted|unlimited|uncensored).*AI"), "Unrestricted_AI_Persona", 1=1, "Generic_Roleplay")
       | table _time, user, Subject_Title, impersonation_type, Workload
       | sort -_time
       | `m365_copilot_impersonation_jailbreak_attack_filter`
diff --git a/detections/endpoint/linux_proxy_socks_curl.yml b/detections/endpoint/linux_proxy_socks_curl.yml
@@ -1,8 +1,8 @@
 name: Linux Proxy Socks Curl
 id: bd596c22-ad1e-44fc-b242-817253ce8b08
-version: 13
+version: 14
 creation_date: '2022-07-29'
-modification_date: '2026-05-13'
+modification_date: '2026-06-04'
 author: Michael Haag, Splunk, 0xC0FFEEEE, Github Community
 status: production
 type: TTP
@@ -22,8 +22,7 @@ search: |-
     | `drop_dm_object_name(Processes)`
     | `security_content_ctime(firstTime)`
     | `security_content_ctime(lastTime)`
-    | where match(process, "-x\s") OR match(process, "(?i)socks\d\w?:\/\/
-    | --(pre)?proxy")
+    | where match(process, "-x\s") OR match(process, "(?i)(socks\d\w?:\/\/|--(pre)?proxy)")
     | `linux_proxy_socks_curl_filter`
 how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
 known_false_positives: False positives may be present based on proxy usage internally. Filter as needed.
diff --git a/detections/endpoint/powershell_4104_hunting.yml b/detections/endpoint/powershell_4104_hunting.yml
@@ -1,8 +1,8 @@
 name: PowerShell 4104 Hunting
 id: d6f2b006-0041-11ec-8885-acde48001122
-version: 25
+version: 26
 creation_date: '2021-08-19'
-modification_date: '2026-05-13'
+modification_date: '2026-06-04'
 author: Michael Haag, Splunk
 status: production
 type: Hunting
@@ -12,180 +12,22 @@ data_source:
 search: |-
     `powershell` EventCode=4104
       | eval DoIt = if(match(ScriptBlockText,"(?i)(\$doit)"), "4", 0)
-      | eval enccom=if(match(ScriptBlockText,"[A-Za-z0-9+\/]{44,}([A-Za-z0-9+\/]{4}
-      | [A-Za-z0-9+\/]{3}=
-      | [A-Za-z0-9+\/]{2}==)") OR match(ScriptBlockText, "(?i)[-]e(nc*o*d*e*d*c*o*m*m*a*n*d*)*\s+[^-]"),4,0)
-      | eval suspcmdlet=if(match(ScriptBlockText, "(?i)Add-Exfiltration
-      | Add-Persistence
-      | Add-RegBackdoor
-      | Add-ScrnSaveBackdoor
-      | Check-VM
-      | Do-Exfiltration
-      | Enabled-DuplicateToken
-      | Exploit-Jboss
-      | Find-Fruit
-      | Find-GPOLocation
-      | Find-TrustedDocuments
-      | Get-ApplicationHost
-      | Get-ChromeDump
-      | Get-ClipboardContents
-      | Get-FoxDump
-      | Get-GPPPassword
-      | Get-IndexedItem
-      | Get-Keystrokes
-      | LSASecret
-      | Get-PassHash
-      | Get-RegAlwaysInstallElevated
-      | Get-RegAutoLogon
-      | Get-RickAstley
-      | Get-Screenshot
-      | Get-SecurityPackages
-      | Get-ServiceFilePermission
-      | Get-ServicePermission
-      | Get-ServiceUnquoted
-      | Get-SiteListPassword
-      | Get-System
-      | Get-TimedScreenshot
-      | Get-UnattendedInstallFile
-      | Get-Unconstrained
-      | Get-VaultCredential
-      | Get-VulnAutoRun
-      | Get-VulnSchTask
-      | Gupt-Backdoor
-      | HTTP-Login
-      | Install-SSP
-      | Install-ServiceBinary
-      | Invoke-ACLScanner
-      | Invoke-ADSBackdoor
-      | Invoke-ARPScan
-      | Invoke-AllChecks
-      | Invoke-BackdoorLNK
-      | Invoke-BypassUAC
-      | Invoke-CredentialInjection
-      | Invoke-DCSync
-      | Invoke-DllInjection
-      | Invoke-DowngradeAccount
-      | Invoke-EgressCheck
-      | Invoke-Inveigh
-      | Invoke-InveighRelay
-      | Invoke-Mimikittenz
-      | Invoke-NetRipper
-      | Invoke-NinjaCopy
-      | Invoke-PSInject
-      | Invoke-Paranoia
-      | Invoke-PortScan
-      | Invoke-PoshRat
-      | Invoke-PostExfil
-      | Invoke-PowerDump
-      | Invoke-PowerShellTCP
-      | Invoke-PsExec
-      | Invoke-PsUaCme
-      | Invoke-ReflectivePEInjection
-      | Invoke-ReverseDNSLookup
-      | Invoke-RunAs
-      | Invoke-SMBScanner
-      | Invoke-SSHCommand
-      | Invoke-Service
-      | Invoke-Shellcode
-      | Invoke-Tater
-      | Invoke-ThunderStruck
-      | Invoke-Token
-      | Invoke-UserHunter
-      | Invoke-VoiceTroll
-      | Invoke-WScriptBypassUAC
-      | Invoke-WinEnum
-      | MailRaider
-      | New-HoneyHash
-      | Out-Minidump
-      | Port-Scan
-      | PowerBreach
-      | PowerUp
-      | PowerView
-      | Remove-Update
-      | Set-MacAttribute
-      | Set-Wallpaper
-      | Show-TargetScreen
-      | Start-CaptureServer
-      | VolumeShadowCopyTools
-      | NEEEEWWW
-      | (Computer
-      | User)Property
-      | CachedRDPConnection
-      | get-net\S+
-      | invoke-\S+hunter
-      | Install-Service
-      | get-\S+(credent
-      | password)
-      | remoteps
-      | Kerberos.*(policy
-      | ticket)
-      | netfirewall
-      | Uninstall-Windows
-      | Verb\s+Runas
-      | AmsiBypass
-      | nishang
-      | Invoke-Interceptor
-      | EXEonRemote
-      | NetworkRelay
-      | PowerShelludp
-      | PowerShellIcmp
-      | CreateShortcut
-      | copy-vss
-      | invoke-dll
-      | invoke-mass
-      | out-shortcut
-      | Invoke-ShellCommand"),1,0)
+      | eval enccom=if(match(ScriptBlockText,"[A-Za-z0-9+\/]{44,}([A-Za-z0-9+\/]{4}|[A-Za-z0-9+\/]{3}=|[A-Za-z0-9+\/]{2}==)") OR match(ScriptBlockText, "(?i)[-]e(nc*o*d*e*d*c*o*m*m*a*n*d*)*\s+[^-]"),4,0)
+      | eval suspcmdlet=if(match(ScriptBlockText, "(?i)Add-Exfiltration|Add-Persistence|Add-RegBackdoor|Add-ScrnSaveBackdoor|Check-VM|Do-Exfiltration|Enabled-DuplicateToken|Exploit-Jboss|Find-Fruit|Find-GPOLocation|Find-TrustedDocuments|Get-ApplicationHost|Get-ChromeDump|Get-ClipboardContents|Get-FoxDump|Get-GPPPassword|Get-IndexedItem|Get-Keystrokes|LSASecret|Get-PassHash|Get-RegAlwaysInstallElevated|Get-RegAutoLogon|Get-RickAstley|Get-Screenshot|Get-SecurityPackages|Get-ServiceFilePermission|Get-ServicePermission|Get-ServiceUnquoted|Get-SiteListPassword|Get-System|Get-TimedScreenshot|Get-UnattendedInstallFile|Get-Unconstrained|Get-VaultCredential|Get-VulnAutoRun|Get-VulnSchTask|Gupt-Backdoor|HTTP-Login|Install-SSP|Install-ServiceBinary|Invoke-ACLScanner|Invoke-ADSBackdoor|Invoke-ARPScan|Invoke-AllChecks|Invoke-BackdoorLNK|Invoke-BypassUAC|Invoke-CredentialInjection|Invoke-DCSync|Invoke-DllInjection|Invoke-DowngradeAccount|Invoke-EgressCheck|Invoke-Inveigh|Invoke-InveighRelay|Invoke-Mimikittenz|Invoke-NetRipper|Invoke-NinjaCopy|Invoke-PSInject|Invoke-Paranoia|Invoke-PortScan|Invoke-PoshRat|Invoke-PostExfil|Invoke-PowerDump|Invoke-PowerShellTCP|Invoke-PsExec|Invoke-PsUaCme|Invoke-ReflectivePEInjection|Invoke-ReverseDNSLookup|Invoke-RunAs|Invoke-SMBScanner|Invoke-SSHCommand|Invoke-Service|Invoke-Shellcode|Invoke-Tater|Invoke-ThunderStruck|Invoke-Token|Invoke-UserHunter|Invoke-VoiceTroll|Invoke-WScriptBypassUAC|Invoke-WinEnum|MailRaider|New-HoneyHash|Out-Minidump|Port-Scan|PowerBreach|PowerUp|PowerView|Remove-Update|Set-MacAttribute|Set-Wallpaper|Show-TargetScreen|Start-CaptureServer|VolumeShadowCopyTools|NEEEEWWW|(Computer|User)Property|CachedRDPConnection|get-net\S+|invoke-\S+hunter|Install-Service|get-\S+(credent|password)|remoteps|Kerberos.*(policy|ticket)|netfirewall|Uninstall-Windows|Verb\s+Runas|AmsiBypass|nishang|Invoke-Interceptor|EXEonRemote|NetworkRelay|PowerShelludp|PowerShellIcmp|CreateShortcut|copy-vss|invoke-dll|invoke-mass|out-shortcut|Invoke-ShellCommand"),1,0)
       | eval base64 = if(match(lower(ScriptBlockText),"frombase64"), "4", 0)
       | eval empire=if(match(lower(ScriptBlockText),"system.net.webclient") AND match(lower(ScriptBlockText), "frombase64string") ,5,0)
       | eval mimikatz=if(match(lower(ScriptBlockText),"mimikatz") OR match(lower(ScriptBlockText), "-dumpcr") OR match(lower(ScriptBlockText), "SEKURLSA::Pth") OR match(lower(ScriptBlockText), "kerberos::ptt") OR match(lower(ScriptBlockText), "kerberos::golden") ,5,0)
-      | eval iex=if(match(ScriptBlockText, "(?i)iex
-      | invoke-expression"),2,0)
-      | eval webclient=if(match(lower(ScriptBlockText),"http") OR match(lower(ScriptBlockText),"web(client
-      | request)") OR match(lower(ScriptBlockText),"socket") OR match(lower(ScriptBlockText),"download(file
-      | string)") OR match(lower(ScriptBlockText),"bitstransfer") OR match(lower(ScriptBlockText),"internetexplorer.application") OR match(lower(ScriptBlockText),"xmlhttp"),5,0)
+      | eval iex=if(match(ScriptBlockText, "(?i)iex|invoke-expression"),2,0)
+      | eval webclient=if(match(lower(ScriptBlockText),"http") OR match(lower(ScriptBlockText),"web(client|request)") OR match(lower(ScriptBlockText),"socket") OR match(lower(ScriptBlockText),"download(file|string)") OR match(lower(ScriptBlockText),"bitstransfer") OR match(lower(ScriptBlockText),"internetexplorer.application") OR match(lower(ScriptBlockText),"xmlhttp"),5,0)
       | eval get = if(match(lower(ScriptBlockText),"get-"), "1", 0)
       | eval rundll32 = if(match(lower(ScriptBlockText),"rundll32"), "4", 0)
-      | eval suspkeywrd=if(match(ScriptBlockText, "(?i)(bitstransfer
-      | mimik
-      | metasp
-      | AssemblyBuilderAccess
-      | Reflection\.Assembly
-      | shellcode
-      | injection
-      | cnvert
-      | shell\.application
-      | start-process
-      | Rc4ByteStream
-      | System\.Security\.Cryptography
-      | lsass\.exe
-      | localadmin
-      | LastLoggedOn
-      | hijack
-      | BackupPrivilege
-      | ngrok
-      | comsvcs
-      | backdoor
-      | brute.?force
-      | Port.?Scan
-      | Exfiltration
-      | exploit
-      | DisableRealtimeMonitoring
-      | beacon)"),1,0)
+      | eval suspkeywrd=if(match(ScriptBlockText, "(?i)(bitstransfer|mimik|metasp|AssemblyBuilderAccess|Reflection\.Assembly|shellcode|injection|cnvert|shell\.application|start-process|Rc4ByteStream|System\.Security\.Cryptography|lsass\.exe|localadmin|LastLoggedOn|hijack|BackupPrivilege|ngrok|comsvcs|backdoor|brute.?force|Port.?Scan|Exfiltration|exploit|DisableRealtimeMonitoring|beacon)"),1,0)
       | eval syswow64 = if(match(lower(ScriptBlockText),"syswow64"), "3", 0)
       | eval httplocal = if(match(lower(ScriptBlockText),"http://127.0.0.1"), "4", 0)
       | eval reflection = if(match(lower(ScriptBlockText),"reflection"), "1", 0)
-      | eval invokewmi=if(match(lower(ScriptBlockText), "(?i)(wmiobject
-      | WMIMethod
-      | RemoteWMI
-      | PowerShellWmi
-      | wmicommand)"),5,0)
+      | eval invokewmi=if(match(lower(ScriptBlockText), "(?i)(wmiobject|WMIMethod|RemoteWMI|PowerShellWmi|wmicommand)"),5,0)
       | eval downgrade=if(match(ScriptBlockText, "(?i)([-]ve*r*s*i*o*n*\s+2)") OR match(lower(ScriptBlockText),"powershell -version"),3,0)
-      | eval compressed=if(match(ScriptBlockText, "(?i)GZipStream
-      | ::Decompress
-      | IO.Compression
-      | write-zip
-      | (expand
-      | compress)-Archive"),5,0)
+      | eval compressed=if(match(ScriptBlockText, "(?i)GZipStream|::Decompress|IO.Compression|write-zip|(expand|compress)-Archive"),5,0)
       | eval invokecmd = if(match(lower(ScriptBlockText),"invoke-command"), "4", 0)
       | addtotals fieldname=Score DoIt, enccom, suspcmdlet, suspkeywrd, compressed, downgrade, mimikatz, iex, empire, rundll32, webclient, syswow64, httplocal, reflection, invokewmi, invokecmd, base64, get
       | stats values(Score)
diff --git a/detections/endpoint/powershell___connect_to_internet_with_hidden_window.yml b/detections/endpoint/powershell___connect_to_internet_with_hidden_window.yml
@@ -1,8 +1,8 @@
 name: PowerShell - Connect To Internet With Hidden Window
 id: ee18ed37-0802-4268-9435-b3b91aaa18db
-version: 16
+version: 17
 creation_date: '2020-04-29'
-modification_date: '2026-05-13'
+modification_date: '2026-06-04'
 author: David Dorsey, Michael Haag Splunk
 status: production
 type: Hunting
@@ -24,11 +24,7 @@ search: |-
     | `drop_dm_object_name(Processes)`
     | `security_content_ctime(firstTime)`
     | `security_content_ctime(lastTime)`
-    | where match(process,"(?i)[\-
-    | \/
-    | –
-    | —
-    | ―]w(in*d*o*w*s*t*y*l*e*)*\s+[^-]")
+    | where match(process,"(?i)[\-\/–—―]w(in*d*o*w*s*t*y*l*e*)*\s+[^-]")
     | `powershell___connect_to_internet_with_hidden_window_filter`
 how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
 known_false_positives: Legitimate process can have this combination of command-line options, but it's not common.
diff --git a/detections/endpoint/regsvr32_silent_and_install_param_dll_loading.yml b/detections/endpoint/regsvr32_silent_and_install_param_dll_loading.yml
@@ -1,8 +1,8 @@
 name: Regsvr32 Silent and Install Param Dll Loading
 id: f421c250-24e7-11ec-bc43-acde48001122
-version: 14
+version: 15
 creation_date: '2021-10-04'
-modification_date: '2026-05-13'
+modification_date: '2026-06-04'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -26,8 +26,7 @@ search: |-
     | `drop_dm_object_name(Processes)`
     | `security_content_ctime(firstTime)`
     | `security_content_ctime(lastTime)`
-    | where match(process,"(?i)[\-
-    | \/][Ss]{1}")
+    | where match(process,"(?i)[\-\/][Ss]{1}")
     | `regsvr32_silent_and_install_param_dll_loading_filter`
 how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
 known_false_positives: |
diff --git a/detections/endpoint/regsvr32_with_known_silent_switch_cmdline.yml b/detections/endpoint/regsvr32_with_known_silent_switch_cmdline.yml
@@ -1,8 +1,8 @@
 name: Regsvr32 with Known Silent Switch Cmdline
 id: c9ef7dc4-eeaf-11eb-b2b6-acde48001122
-version: 14
+version: 15
 creation_date: '2021-07-29'
-modification_date: '2026-05-13'
+modification_date: '2026-06-04'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -24,8 +24,7 @@ search: |-
     | `drop_dm_object_name(Processes)`
     | `security_content_ctime(firstTime)`
     | `security_content_ctime(lastTime)`
-    | where match(process,"(?i)[\-
-    | \/][Ss]{1}")
+    | where match(process,"(?i)[\-\/][Ss]{1}")
     | `regsvr32_with_known_silent_switch_cmdline_filter`
 how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
 known_false_positives: minimal. but network operator can use this application to load dll.
