The cmdline fields (process_cmdline, childproc_cmdline, parent_cmdline, and fileless_scriptload_cmdline) support wildcarding of single terms just like any other field.
However, if the term being searched contains an escaped whitespace character or a special character that will be treated as whitespace during tokenization, there are special rules that must be followed for this to work properly.
For example, in this process command line:
C:\Program Files\Windows Defender\mpcmdrun.exe -wddisable
- Each of these terms becomes a token: "C:" "Program Files". However, to search for some of these tokens, you must escape some characters such as :, \ and -.
- Any group of terms that crosses a tokenization boundary such as \ or : is considered a phrase; for example: "C:\Program Files" or "Program Files\Windows Defender" or "mpcmdrun.exe -wddisable".
- Using wildcards in phrases has limitations.
- You cannot use a leading wildcard.
- You must escape spaces in the cmdline value.
- You can use a trailing wildcard if it is preceded with a minimum of two alphanumeric characters.
- You cannot quote the wildcarded value. The * character gets interpreted literally as an ASCII character if it is surrounded by quotation "*" marks.
- Searches using wildcards in phrases tokenize on spaces and the characters \ ( ) [ ] { } ; " ' < > & | , =
- If any of those characters are in the command line, they are converted to spaces and that search becomes a phrase. These characters are still returned in API response data with the original characters.
- The characters / and : can be converted to whitespace depending on where they are in the command line. Therefore, you don't have to include space-separated portions of the target command line (for example, other command-line characters) unless you need them to narrow the search results.
- You cannot search specifically for the existence of those characters in a command line. For example, in process_cmdline:\>\>, the > character is considered a separator and is converted to whitespace.
Example 1:
This is a process command line being searched:
process123.exe -parameterA somewordabcd -parameterB word1\word234
You can always use trailing wildcards for single terms with no restrictions, such as process_cmdline:someword*. However, if your search contains whitespace or characters that are treated as whitespace, a trailing wildcard can only be specified after two non-whitespace or non-whitespace-equivalent characters.
| Works | process_cmdline:word1\\word2* |
| Does not work | process_cmdline:word1\\w* |
There is one exception to this rule. If this parser recognizes that you put a wildcard directly after a special character and if removing that special character produces a single term, it will fix your query to make it work properly.
| Works because the parser fixes this automatically | process_cmdline:word1\\* |
Example 2:
This is another process command line being searched:
process123.exe -version 4.1
To find all variants of the -version value such as 4.0 or 4.2, you can search for:
process_name:process123.exe AND process_cmdline:\-version\ 4.*
The following search query will fail due to not enough leading characters; at least two are required:
process_name:process123.exe AND process_cmdline:4*
This search query will also fail due to using a leading wildcard:
process_name:process123.exe AND process_cmdline:*\-version\ 4.*
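The following Python is an added example written for this page, not Carbon Black's own query parser. It models the tokenization described in the rules above (every listed separator becomes a space) and checks a cmdline search value against the wildcard rules, including the single-term exception, so that the queries in Example 1 and Example 2 can be classified before they are sent. Three assumptions are made where the page is not explicit: the / and : characters, which the page says are converted only depending on position, are left untouched; the two-character minimum before a trailing wildcard is applied to every value, the stricter reading that matches the failing 4* query in Example 2; and a * that is neither leading nor trailing is rejected, a case the page does not describe.

```python
from __future__ import annotations

# Characters the page lists as tokenization separators for phrase searches
# (space plus \ ( ) [ ] { } ; " ' < > & | , =).
SEPARATORS = set(" \\()[]{};\"'<>&|,=")
# Assumption: / and : become whitespace only depending on their position;
# this model does not reproduce that and leaves them as ordinary characters.


def tokenize_cmdline(cmdline: str) -> list[str]:
    """Split a raw command line as the page describes: every separator is
    converted to a space and the result is split on whitespace."""
    translated = "".join(" " if ch in SEPARATORS else ch for ch in cmdline)
    return translated.split()


def unescape_value(value: str) -> tuple[str, bool]:
    """Turn an escaped search value (as typed after process_cmdline:) into the
    literal text it matches and report whether it ends in an unescaped
    wildcard. Raises ValueError for the cases the page says are not allowed."""
    literal: list[str] = []
    wildcard = False
    i = 0
    while i < len(value):
        ch = value[i]
        if ch == "\\" and i + 1 < len(value):
            literal.append(value[i + 1])  # escaped character is taken literally
            i += 2
            continue
        if ch == " ":
            raise ValueError("unescaped space; spaces in the value must be escaped")
        if ch == "*":
            if i == 0:
                raise ValueError("leading wildcard is not supported")
            if i != len(value) - 1:
                # Assumption: the page only describes trailing wildcards.
                raise ValueError("wildcard is only modelled at the end of the value")
            wildcard = True
        else:
            literal.append(ch)
        i += 1
    return "".join(literal), wildcard


def check_wildcard_value(value: str) -> dict:
    """Check one cmdline search value against the page's wildcard rules and
    return whether it works plus the phrase it effectively matches."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        # Quoted values: * is a literal ASCII character, not a wildcard.
        return {"ok": True, "wildcard": False, "effective": value[1:-1],
                "reason": "quoted value; * is matched literally"}
    try:
        literal, wildcard = unescape_value(value)
    except ValueError as exc:
        return {"ok": False, "wildcard": None, "effective": None, "reason": str(exc)}
    tokens = tokenize_cmdline(literal)
    if not wildcard:
        return {"ok": True, "wildcard": False, "effective": " ".join(tokens),
                "reason": "no wildcard"}
    if literal and literal[-1] in SEPARATORS:
        # Wildcard directly after a separator: the page says the parser repairs
        # this only when dropping the separator leaves a single term.
        if len(tokens) == 1:
            return {"ok": True, "wildcard": True, "effective": tokens[0] + "*",
                    "reason": "parser drops the separator before the wildcard"}
        return {"ok": False, "wildcard": True, "effective": None,
                "reason": "wildcard after a separator in a multi-term phrase"}
    # Assumption: the two-character minimum is applied to every value, the
    # stricter reading that matches the page's failing 4* example.
    if len(tokens[-1]) < 2:
        return {"ok": False, "wildcard": True, "effective": None,
                "reason": "trailing wildcard needs at least two characters before it"}
    return {"ok": True, "wildcard": True, "effective": " ".join(tokens) + "*",
            "reason": "trailing wildcard"}


if __name__ == "__main__":
    # The page's own command line and query values, run through the model.
    print(tokenize_cmdline(r"C:\Program Files\Windows Defender\mpcmdrun.exe -wddisable"))
    for value in (r"word1\\word2*", r"word1\\w*", r"word1\\*",
                  r"\-version\ 4.*", "4*", r"*\-version\ 4.*", '"*"'):
        print(f"{value:20} -> {check_wildcard_value(value)}")
```

Running the block prints the token list for the mpcmdrun.exe command line followed by a verdict for each query value from the two examples; the "effective" entry shows the phrase the server would actually be asked to match once separators have been collapsed, which is the quickest way to see why word1\\w* fails while word1\\* is repaired.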