InsightIDR evidence key-value syntax

Hello,

I’m hoping anyone is able to answer the following question for me.

I’ve noticed that in some cases there is a extra backslash added to the cmd_line process value.
For exampe:
“C:\WINDOWS\system32\cmd.exe”
“C:\WINDOWS\system32\cmd.exe”

In these cases the exception that I’ve created isn’t working.
Does anyone happen to know why in some cases an extra backslash is added to the cmd_line process value?

Hey @jfridrichs,

I’m looking at your examples and they appear to be the exact same, are you asking why some have:

“C:\WINDOWS\system32\cmd.exe”

Hello @SDavis

I see that I’ve made a mistake I mean.
I will give another example
In the cmd_line process value below I notice only one difference, that’s an extra backslash between every word. Because of this extra backslash my exception isn’t working.

"C:\WINDOWS\system32\cmd.exe /c C:\Users\xxxx\AppData\Local\Programs\Spyder\pkgs\spyder\plugins\activate.bat

"C:\\WINDOWS\\system32\\cmd.exe /c C:\\Users\\xxxx\\AppData\\Local\\Programs\\Spyder\\pkgs\\spyder\\plugins\\activate.bat

Do you have any idea why there is an extra backslash?

Hey @jfridrichs,

Sorry for the delay, from what I’ve been told, IDR adds a \ to the value (in this case your command line) and when the log comes in with the \ already there, IDR will escape that backslash with another backslash…funky I know.

If you are using regex in your query, you would need to escape each \ with a , so it would look like this:

C:\\Users\\xxxx\\AppData\\Local\\yadda yadda

If you are not using regex and simply using LEQL, then having the quotes around the command line should work. Are you using regex or just LEQL?

Hello @SDavis,

I’m using LEQL. Does this also apply with exceptions?
Let’s say you have an exception created for the application Chrome.exe
process.cmdline - contains - C:\users\xxxx\Appdata\Roaming\Google\Chrome.exe

A new investigation is reported and you see in the evidence that the process.cmdline is: C:\\users\\xxxx\\Appdata\\Roaming\\Google\\Chrome.exe

The only difference is that extra backslash, but because of that the exception won’t work (in my case).

Can you tackle this issue by adding the quotes around the process.cmdline value?

Hey @jfridrichs,

Ah I’m tracking, and yes I believe it is the same for exceptions, I would highly recommend using quotes around a cmdline string like that, and if it were me, I would add two exceptions, one with single \ and the other for double .