
refactor: remove unneeded escapes(in |re block) #3744

Merged

Conversation

fukusuket
Contributor

@fukusuket fukusuket commented Dec 2, 2022

Thank you for maintaining Sigma :)
I noticed some yml |re blocks have unneeded escapes like below, so I removed the unneeded escapes in this PR.

  • \/c
  • \/r
  • \"
  • \-

Besides, in rare cases /, - and " should not be escaped and will actually cause parsing errors on some regex libraries when there are unneeded escapes (ref: rust-lang/regex#501 (comment)).

I have also confirmed that the regex which removed unneeded escapes didn't cause compilation errors in the following programming languages.

  • Java (v17.0.4.1)
  • Node.js (v18.12.1)
  • Golang (v1.19)
  • PHP (v8.1.111)
  • .NET (v7.0.100)
  • Rust (v1.65.0)
  • Perl (v5.30.3)
  • Python (v3.11)

I would appreciate it if you could review 🙏
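As an added illustration of the refactor described in this PR (example code, not from the PR or the Sigma project), the following Python normalizer drops backslashes before characters that have no regex meaning in their position, while keeping `\-` inside a character class, where it is structural, and then checks that the original and simplified patterns agree on a set of sample command lines. The pattern and the sample strings are constructed for this example and are not taken from any Sigma rule.

```python
import re

# Metacharacters outside a character class: a backslash before these must stay.
META_OUTSIDE = set(r'\.^$|?*+()[]{}')
# Inside a class only these escapes are structural ("\-" is a literal hyphen
# rather than a range operator, "\]" does not close the class).
META_INSIDE = set(r'\]^-[')


def strip_unneeded_escapes(pattern: str) -> str:
    r"""Drop backslashes before characters that carry no regex meaning in their
    position (e.g. \/ \- \" outside a class); keep escapes of alphanumerics
    (\d \s \b \x41) and of the metacharacters above."""
    out, in_class, first_member, i = [], False, 0, 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == '\\' and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            meta = META_INSIDE if in_class else META_OUTSIDE
            out.append(ch + nxt if (nxt.isalnum() or nxt in meta) else nxt)
            i += 2
            continue
        if ch == '[' and not in_class:
            in_class = True
            # ']' as the first member (after an optional '^') is a literal.
            first_member = i + (2 if pattern[i + 1:i + 2] == '^' else 1)
        elif ch == ']' and in_class and i > first_member:
            in_class = False
        out.append(ch)
        i += 1
    return ''.join(out)


def agree_on(samples, original: str, simplified: str) -> bool:
    """True if both patterns compile and match the same subset of SAMPLES."""
    a = re.compile(original, re.IGNORECASE)
    b = re.compile(simplified, re.IGNORECASE)
    return all(bool(a.search(s)) == bool(b.search(s)) for s in samples)


# Constructed "before" pattern in the PR's style (not a real Sigma rule):
# \. \s matter, \/ \- \" outside a class do not, and \- inside [a\-z] is a
# literal hyphen that must survive.
ORIGINAL = r'cmd(\.exe)?\s+(\/|\-)[cr]\s+\"[^\"]*power[a\-z]*shell'
# Constructed sample command lines; the first two match, the others do not.
SAMPLES = ['cmd.exe /c "powershell -nop -w hidden"', 'CMD -r "echo powershell"',
           'cmd /x "powershell"', 'cmd /c powershell', 'powershell.exe -enc AAAA']
```

`strip_unneeded_escapes(ORIGINAL)` yields `cmd(\.exe)?\s+(/|-)[cr]\s+"[^"]*power[a\-z]*shell`, and `agree_on(SAMPLES, ORIGINAL, ...)` confirms both forms classify every sample identically.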

@fukusuket fukusuket changed the title refactor: remove unnesessary escape(in |re block) refactor: remove unneeded escapes(in |re block) Dec 2, 2022
@fukusuket
Contributor Author

I'm sorry, I noticed that the - also has unnecessary escaping, so I'll fix it in addition.

@fukusuket
Contributor Author

I've also finished removing the unneeded - escapes. I would appreciate it if you could review.

@frack113
Member

frack113 commented Dec 2, 2022

modified: needs to be updated, thanks

@fukusuket
Contributor Author

Thanks for the quick review :) I fixed modified:

@OhHappyDagger

I'm seeing a large amount of false positives in my logs from these rules since this change. I'm not smart enough to know if it's an issue with the commits or with my log management tool Security Onion though. Thoughts?

@fukusuket
Contributor Author

fukusuket commented Dec 5, 2022

@OhHappyDagger
Thanks for your comment. Could you provide the sample logs and the rule that is causing the false positives?

@fukusuket
Contributor Author

The rules whose regex was fixed in this PR are related to issue #1009.

Will this help with your research?

@OhHappyDagger

Sure. Here is an example of an event that hit on 73e67340-0d25-11eb-adc1-0242ac120002 in Security Onion. After brushing up on regex a bit, it seems like your rules should be fine. I'm pretty confused on why these are matching. I'm thinking it's either an issue with Security Onion or my install, not with these rules. Thanks for the referenced issue, I'll keep digging.

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Sysmon" Guid="XXXXXXXX-c22a-43e0-bf4c-06f5698ffbd9}" />
    <EventID>10</EventID>
    <Version>3</Version>
    <Level>4</Level>
    <Task>10</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2022-12-05T21:28:47.4958726Z" />
    <EventRecordID>#######</EventRecordID>
    <Correlation />
    <Execution ProcessID="10084" ThreadID="13072" />
    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
    <Computer>computer.domain.local</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="RuleName">-</Data>
    <Data Name="UtcTime">2022-12-05 21:28:47.488</Data>
    <Data Name="SourceProcessGUID">{XXXXXXXX-939f-6359-2700-000000003000}</Data>
    <Data Name="SourceProcessId">3584</Data>
    <Data Name="SourceThreadId">17732</Data>
    <Data Name="SourceImage">C:\Windows\system32\svchost.exe</Data>
    <Data Name="TargetProcessGUID">{XXXXXXXX-93b1-6359-6200-000000003000}</Data>
    <Data Name="TargetProcessId">6148</Data>
    <Data Name="TargetImage">C:\Program Files\Citrix\Virtual Desktop Agent\BrokerAgent.exe</Data>
    <Data Name="GrantedAccess">0x1fffff</Data>
    <Data Name="CallTrace">C:\Windows\SYSTEM32\ntdll.dll+a0cb4|C:\Windows\System32\KERNELBASE.dll+1668e|C:\Windows\system32\wbem\wmiprvsd.dll+4feeb|C:\Windows\system32\wbem\wmiprvsd.dll+54705|C:\Windows\system32\wbem\wmiprvsd.dll+4f5ae|C:\Windows\system32\wbem\wmiprvsd.dll+5068e|C:\Windows\system32\wbem\wmiprvsd.dll+844dc|C:\Windows\system32\wbem\wbemcore.dll+1a1a9|C:\Windows\system32\wbem\wbemcore.dll+1ab6d|C:\Windows\system32\wbem\wbemcore.dll+286d3|C:\Windows\system32\wbem\wbemcore.dll+28659|C:\Windows\system32\wbem\wbemcore.dll+2855a|C:\Windows\system32\wbem\wbemcore.dll+28d59|C:\Windows\system32\wbem\wbemcore.dll+289ae|C:\Windows\system32\wbem\wbemcore.dll+286d3|C:\Windows\system32\wbem\wbemcore.dll+28659|C:\Windows\system32\wbem\wbemcore.dll+2855a|C:\Windows\system32\wbem\wbemcore.dll+7dd3|C:\Windows\system32\wbem\wbemcore.dll+80d9|C:\Windows\System32\KERNEL32.DLL+17974|C:\Windows\SYSTEM32\ntdll.dll+5a371</Data>
    <Data Name="SourceUser">NT AUTHORITY\SYSTEM</Data>
    <Data Name="TargetUser">NT AUTHORITY\NETWORK SERVICE</Data>
  </EventData>
</Event>

@nasbench
Member

nasbench commented Dec 6, 2022

Hi,

Thanks for commenting on this. From the looks of it, the event you posted is a ProcessAccess event and has nothing to do with the rule id you linked, as the rules from this PR are related to PowerShell.

I suggest we take this discussion to the issues section. So please can you open an Issue here? Since this could be a false positive with another rule and I would love to know more about it.

Regards.
