PATH: opt/bitninja-waf3/coreruleset/regex-assembly
##! Please refer to the documentation at
##! https://coreruleset.org/docs/development/regex_assembly/.

##! Word list for rule 932370 (RCE Windows command injection part 1/2)
##!
##! The list comes from the project LOLBAS. You can get it using the following one-liner:
##! `curl -s -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/LOLBAS-Project/LOLBAS/git/trees/master\?recursive\=1 | jq -r '.tree[].path ' | grep ^yml/ | cut -f3 -d/ | cut -f1 -d. | tr 'A-Z' 'a-z' | sort | uniq`

##! To prevent some FP for a command, you can require command parameters
##! after a command. Only do this if the command regularly causes FP and if
##! allowing the bare command (without parameters) is not too dangerous.
##! (Note: due to \b following the regexp, a word boundary is also required
##! further on, so some letter/number is needed for a match). Example:
##!
##! diff@

##!+ i

##! extension/switches suffix
##! cmd.com, cmd.exe, etc.
##!$ (?:\.[\"\^]*\w+)?
##! cmd/h
##!$ \b

##! starting tokens prefix
##!> assemble
  ##!> include windows-commands-prefix
  ##!> cmdline windows
    acccheckconsole
    adplus
    advpack
    agentexecutor
    appinstaller
    appvlp
    aspnet_compiler
    at@
    atbroker
    bash
    bginfo
    bitsadmin
    cdb
    certoc
    certreq
    certutil
    cl_invocation
    cl_loadassembly
    cl_mutexverifiers
    cmd
    cmdkey
    cmdl32
    cmstp
    comsvcs
    configsecuritypolicy
    conhost
    control
    coregen
    createdump
    csc
    cscript
    csi
    customshellhost
    datasvcutil
    defaultpack
    desk
    desktopimgdownldr
    devicecredentialdeployment
    devtoolslauncher
    dfshim
    dfsvc
    diantz
    diskshadow
    dnscmd
    dnx
    dotnet
    dump64
    dxcap
    esentutl
    eventvwr
    excel
    expand
    explorer
    extexport
    extrac32
    findstr
    finger
    fltmc
    forfiles
    fsi
    fsianycpu
    fsutil
    ftp
    gfxdownloadwrapper
    gpscript
    hh
    ie4uinit
    ieadvpack
    ieexec
    ieframe
    ilasm
    imewdbld
    infdefaultinstall
    installutil
    jsc
    launch-vsdevshell
    ldifde
    makecab
    manage-bde
    mavinject
    mftrace
    microsoft
    mmc
    mpcmdrun
    msbuild
    msconfig
    msdeploy
    msdt
    mshta
    mshtml
    msiexec
    msohtmed
    mspub
    msxsl
    netsh
    ntdsutil
    odbcconf
    offlinescannershell
    onedrivestandaloneupdater
    openconsole
    pcalua
    pcwrun
    pcwutl
    pester
    pktmon
    pnputil
    powerpnt
    presentationhost
    print
    printbrm
    procdump
    protocolhandler
    psr
    pubprn
    rasautou
    rcsi
    rdrleakdiag
    reg
    regasm
    regedit
    regini
    register-cimprovider
    regsvcs
    regsvr32
    remote
    replace
    rpcping
    rundll32
    runexehelper
    runonce
    runscripthelper
    sc@
    schtasks
    scriptrunner
    setres
    settingsynchost
    setupapi
    shdocvw
    shell32
    sqldumper
    sqlps
    sqltoolsps
    squirrel
    ssh
    stordiag
    syncappvpublishingserver
    syssetup
    te@
    tracker
    ttdinject
    tttracer
    unregmp2
    update
    url
    utilityfunctions
    vbc
    verclsid
    visualuiaverifynative
    vsiisexelauncher
    vsjitdebugger
    wab
    wfc
    winget
    winrm
    winword
    wlrmdr
    wmic
    workfolders
    wscript
    wsl
    wsreset
    wt@
    wuauclt
    xwizard
    zipfldr
  ##!<
##!<
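A simplified model of how the `@` marker and the two `##!$` suffixes in this file interact, added here as an illustration for false-positive review; it is not crs-toolchain output or project code. The `PARAMS_REQUIRED` replacement and the start-anchored match are assumptions, because the real `@` expansion and the contents of `windows-commands-prefix` are not shown on this page.

```python
import re

# Suffix lines copied verbatim from the page's "##!$" entries.
EXT_SUFFIX = r'(?:\.[\"\^]*\w+)?'   # cmd.com, cmd.exe, etc.
BOUNDARY = r'\b'                     # cmd/h

# Assumption: stand-in for whatever the cmdline processor substitutes for a
# trailing "@"; the real replacement is defined by the toolchain, not this page.
PARAMS_REQUIRED = r'[\s<>].*'


def word_to_pattern(word):
    """Translate one word-list line; a trailing "@" means parameters are required."""
    if word.endswith('@'):
        return re.escape(word[:-1]) + PARAMS_REQUIRED
    return re.escape(word)


def assemble(words):
    """Join the words into one alternation, append both suffixes, apply the "i" flag."""
    alternation = '|'.join(word_to_pattern(w) for w in words)
    return re.compile('(?:' + alternation + ')' + EXT_SUFFIX + BOUNDARY, re.IGNORECASE)


def triggers(rx, value):
    # Anchored at the start: the included windows-commands-prefix is not shown
    # on the page, so the value is assumed to begin at the command token.
    return rx.match(value) is not None


def compare(bare_word, samples):
    """Return {sample: (matches bare word, matches word@)} for FP review."""
    bare, strict = assemble([bare_word]), assemble([bare_word + '@'])
    return {s: (triggers(bare, s), triggers(strict, s)) for s in samples}


# Constructed sample values, not taken from real traffic.
SAMPLES = ['at', 'at.', 'at ???', 'at 09:00 notepad']

if __name__ == '__main__':
    for sample, (bare, strict) in compare('at', SAMPLES).items():
        print(f'{sample!r:25} at={bare!s:5} at@={strict}')
```

In this model the bare word `at` matches all four samples, while `at@` matches only the one with parameters containing a letter or digit, which is the effect of the trailing `\b` described in the file's note.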