Skip to content

Latest commit

 

History

History
41 lines (36 loc) · 6.27 KB

README.md

File metadata and controls

41 lines (36 loc) · 6.27 KB

DFIRRegex

A repository to centralize some of the regular expressions I've found useful over the course of my DFIR career. I get sick of hunting down regular expressions all the time so this is my attempt to centralize it not only for myself, but also for others.

Regex101 links were included for the purpose of showing the expected hits when using the regular expressions prior to using them for your own purposes.

Useful Regular Expressions

Title Regex Regex101 Links/Source
Age (Under 18) ^(0?[1-9]{1}|[1]{1}[0-7]{1})(\s|[-])?(y(\s?)o|yr([sz]?)|year([sz]?)((\s|[-])?(old)?)|y)((\s?|[-])(old)?)$ Regex101 Digital Forensics Discord Server user jball77
BASE64 ^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}\=|[A-Za-z0-9+/]{3}=)?$ TBD TBD
Credit Card Numbers (^4[0-9]{12}(?:[0-9]{3})?$)|(^(?:5[1-5][0-9]{2}|222[1-9]|22[3-9][0-9]|2[3-6][0-9]{2}|27[01][0-9]|2720)[0-9]{12}$)|(3[47][0-9]{13})|(^3(?:0[0-5]|[68][0-9])[0-9]{11}$)|(^6(?:011|5[0-9]{2})[0-9]{12}$)|(^(?:2131|1800|35\d{3})\d{11}$) Regex101 IHateRegex
Cut Folder Hierarchy .+(?=((\|\/).+){2}) Regex101 RegexLib
Email Addresses (([a-zA-Z0-9_\-\.]+)@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.)|(([a-zA-Z0-9\-]+\.)+))([a-zA-Z]{2,4}|[0-9]{1,3})(\]?)(\s*;\s*|\s*$))* Regex101 StackOverflow
Grab Everything Before the First Comma ^.[^,]*(?=(\,)) Regex101 N/A
Filenames (Including Extension) [^\\\/:*?"<>|\r\n]+$ Regex101 Regular Expressions Cookbook
Filenames (Short/Suspicious) ^[\w,\s-]{1,3}\.[a-zA-Z0-9]{2,4}$ Regex101 RegexTester
Hash - MD5 [a-fA-F0-9]{32} TBD TBD
Hash - SHA1 [a-fA-F0-9]{40} TBD TBD
Hash - SHA256 [a-fA-F0-9]{64} TBD TBD
Hash - SHA512 [a-fA-F0-9]{128} TBD TBD
Hex /^#?([a-f0-9]{6}|[a-f0-9]{3})$/ TBD TBD
IPv4 \b(?:(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\.){3}(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\b Regex101 bstrings
IPv4 (External Only) \b(?!0\.)(?!10\.)(?!100\.6[4-9]\.)(?!100\.[7-9]\d\.)(?!100\.1[0-1]\d\.)(?!100\.12[0-7]\.)(?!127\.)(?!169\.254\.)(?!172\.1[6-9]\.)(?!172\.2[0-9]\.)(?!172\.3[0-1]\.)(?!192\.0\.0\.)(?!192\.0\.2\.)(?!192\.88\.99\.)(?!192\.168\.)(?!198\.1[8-9]\.)(?!198\.51\.100\.)(?!203.0\.113\.)(?!22[4-9]\.)(?!23[0-9]\.)(?!24[0-9]\.)(?!25[0-5]\.)(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]))\b Regex101 StackOverflow
IPv6 (([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])) Regex101 RegexTester
MAC Address ^([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})$ Regex101 StackOverflow
Passwords ^(?=.*?[A-Z])(?=.*?[a-z])(?=.*?[0-9])(?=.*?[#?!@$ %^&*-]).{8,}$ Regex101 IHateRegex
Phone Numbers ^(\+\d{1,2}\s)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}$ Regex101 StackOverflow
Qakbot C2 (http|https).*\:[0-9]{2,5}\/t5 TBD Twitter
Remove trailing backslash from every line in a document \\+$ Regex101
URLs (https?:\/\/)?(www\.)?[-a-zA-Z0-9@:%._\+~#=]{1,256}\.[a-zA-Z0-9()]{1,6}\b([-a-zA-Z0-9()!@:%_\+.~#?&\/\/=]*) Regex101 mathiasbynens.be URL Spec IHateRegex
Valid URLs (Excluding FP from above) \b((ht|f)tp(s)?:\/\/|www\.)+[-a-zA-Z0-9@:%._\+~#=]{1,256}\.[a-zA-Z0-9]{2,}((\/)?([-a-zA-Z0-9@:%_\+.~#?&\/=]*)?)\b Regex101 jball77
US Social Security Numbers ^(?!0{3})(?!6{3})[0-8]\d{2}-(?!0{2})\d{2}-(?!0{4})\d{4}$ Regex101 IHateRegex
Username (Discord) ^.{3,32}#[0-9]{4}$ Regex101 IHateRegex

Regex Resources