This topic describes how to avoid the regex interpreter in command lines.
You can find hits on processes using a command line similar to this:
find /root /home -maxdepth 3 -name 'id_rsa*' -exec sh -c 'echo {}; cat {}' \;
If you are searching for the tokens /root or /home, you must escape the leading / character. Otherwise, the search service interprets these as regex notation. The search service does not treat / as a whitespace punctuation character in *_cmdline fields, because it is a meaningful distinction in a command line.
Result        | Query
Works         | process_name:find AND process_cmdline:(id_rsa\* AND (\/root OR \/home))
Does not work | process_name:find AND process_cmdline:(id_rsa\* AND (/root OR /home))