From f790d3212703c546adfe022cdd14d3d18bf12f48 Mon Sep 17 00:00:00 2001
From: shaktisinhchavda <connectshaktisinh@gmail.com>
Date: Tue, 24 Feb 2026 23:19:27 +0530
Subject: [PATCH] add word boundaries to regex patterns to reduce false
 positives

closes https://github.com/mandiant/capa-rules/issues/1109
---
 .../clear-logs/clear-windows-event-logs.yml   |   4 +-
 .../reference-analysis-tools-strings.yml      | 152 +++++++++---------
 ...ntials-from-windows-credential-manager.yml |   2 +-
 ...ure-network-configuration-via-ipconfig.yml |   2 +-
 .../powershell/run-powershell-expression.yml  |   4 +-
 nursery/delete-windows-backup-catalog.yml     |   2 +-
 ...le-automatic-windows-recovery-features.yml |   4 +-
 .../enumerate-device-drivers-on-windows.yml   |   2 +-
 8 files changed, 86 insertions(+), 86 deletions(-)

diff --git a/anti-analysis/anti-forensic/clear-logs/clear-windows-event-logs.yml b/anti-analysis/anti-forensic/clear-logs/clear-windows-event-logs.yml
index d35238a55..87466688d 100644
--- a/anti-analysis/anti-forensic/clear-logs/clear-windows-event-logs.yml
+++ b/anti-analysis/anti-forensic/clear-logs/clear-windows-event-logs.yml
@@ -28,7 +28,7 @@ rule:
             - api: wevtapi.EvtOpenSession
         - basic block:
           - and:
-            - string: /wevtutil(\.exe)?\s+(clear-log|cl)/i
+            - string: /\bwevtutil(\.exe)?\s+(clear-log|cl)/i
         - call:
           - and:
-            - string: /wevtutil(\.exe)?\s+(clear-log|cl)/i
+            - string: /\bwevtutil(\.exe)?\s+(clear-log|cl)/i
diff --git a/anti-analysis/reference-analysis-tools-strings.yml b/anti-analysis/reference-analysis-tools-strings.yml
index 42ca34d91..2db473f5f 100644
--- a/anti-analysis/reference-analysis-tools-strings.yml
+++ b/anti-analysis/reference-analysis-tools-strings.yml
@@ -15,81 +15,81 @@ rule:
       - al-khaser_x86.exe_
   features:
     - or:
-      - string: /ollydbg(\.exe)?/i
-      - string: /ProcessHacker(\.exe)?/i
-      - string: /tcpview(\.exe)?/i
-      - string: /autoruns(\.exe)?/i
-      - string: /autorunsc(\.exe)?/i
-      - string: /filemon(\.exe)?/i
-      - string: /procmon(\.exe)?/i
-      - string: /regmon(\.exe)?/i
-      - string: /procexp(\.exe)?/i
+      - string: /\bollydbg(\.exe)?\b/i
+      - string: /\bProcessHacker(\.exe)?\b/i
+      - string: /\btcpview(\.exe)?\b/i
+      - string: /\bautoruns(\.exe)?\b/i
+      - string: /\bautorunsc(\.exe)?\b/i
+      - string: /\bfilemon(\.exe)?\b/i
+      - string: /\bprocmon(\.exe)?\b/i
+      - string: /\bregmon(\.exe)?\b/i
+      - string: /\bprocexp(\.exe)?\b/i
       - string: /(?<!\w)ida[gqtuw]?(\.exe)?$/i
       - string: /ida[gqtuw]?64(\.exe)?$/i
-      - string: /ImmunityDebugger(\.exe)?/i
-      - string: /Wireshark(\.exe)?/i
-      - string: /dumpcap(\.exe)?/i
-      - string: /HookExplorer(\.exe)?/i
-      - string: /ImportREC(\.exe)?/i
-      - string: /PETools(\.exe)?/i
-      - string: /LordPE(\.exe)?/i
-      - string: /SysInspector(\.exe)?/i
-      - string: /proc_analyzer(\.exe)?/i
-      - string: /sysAnalyzer(\.exe)?/i
-      - string: /sniff_hit(\.exe)?/i
-      - string: /windbg(\.exe)?/i
-      - string: /joeboxcontrol(\.exe)?/i
-      - string: /joeboxserver(\.exe)?/i
-      - string: /ResourceHacker(\.exe)?/i
-      - string: /x32dbg(\.exe)?/i
-      - string: /x64dbg(\.exe)?/i
-      - string: /Fiddler(\.exe)?/i
-      - string: /httpdebugger(\.exe)?/i
-      - string: /fakenet(\.exe)?/i
-      - string: /netmon(\.exe)?/i
-      - string: /WPE PRO(\.exe)?/i
-      - string: /decompile(\.exe)?/i
-      - string: /scylla/i
-      - string: /megadumper/i
-      - string: /apdagent(\.exe)?/i
-      - string: /apimonitor(\.exe)?/i
-      - string: /azurearcsystray(\.exe)?/i
-      - string: /binaryninja(\.exe)?/i
-      - string: /burpsuite(\.exe)?/i
-      - string: /charles\.exe/i
-      - string: /cutter(\.exe)?/i
-      - string: /dbgx\.shell(\.exe)?/i
-      - string: /df5serv(\.exe)?/i
-      - string: /frida(\.exe)?/i
-      - string: /httpanalyzerv7(\.exe)?/i
-      - string: /httpdebuggerui(\.exe)?/i
-      - string: /netcat(\.exe)?/i
-      - string: /pin\.exe/i
-      - string: /prl_tools(\.exe)?/i
-      - string: /qemu-ga(\.exe)?/i
-      - string: /rammap(\.exe)?/i
-      - string: /rammap64(\.exe)?/i
-      - string: /rdpclip(\.exe)?/i
-      - string: /tasklist/i
-      - string: /cred-store(\.exe)?/i
-      - string: /decoder\.exe/i
-      - string: /dnspy(\.exe)?/i
-      - string: /drrun(\.exe)?/i
-      - string: /dumpit(\.exe)?/i
-      - string: /frida-inject(\.exe)?/i
-      - string: /frida-server(\.exe)?/i
-      - string: /gdb\.exe/i
-      - string: /httpdebuggersvc(\.exe)?/i
-      - string: /ilspy(\.exe)?/i
-      - string: /inetsim(\.exe)?/i
-      - string: /ksdumper(\.exe)?/i
-      - string: /ksdumperclient(\.exe)?/i
-      - string: /mitmdump(\.exe)?/i
-      - string: /pestudio(\.exe)?/i
-      - string: /private-cloud-proxy(\.exe)?/i
-      - string: /process\.exe/i
-      - string: /r2\.exe/i
-      - string: /rekall(\.exe)?/i
-      - string: /tcpdump(\.exe)?/i
-      - string: /windasm(\.exe)?/i
-      - string: /x32dbgn(\.exe)?/i
+      - string: /\bImmunityDebugger(\.exe)?\b/i
+      - string: /\bWireshark(\.exe)?\b/i
+      - string: /\bdumpcap(\.exe)?\b/i
+      - string: /\bHookExplorer(\.exe)?\b/i
+      - string: /\bImportREC(\.exe)?\b/i
+      - string: /\bPETools(\.exe)?\b/i
+      - string: /\bLordPE(\.exe)?\b/i
+      - string: /\bSysInspector(\.exe)?\b/i
+      - string: /\bproc_analyzer(\.exe)?\b/i
+      - string: /\bsysAnalyzer(\.exe)?\b/i
+      - string: /\bsniff_hit(\.exe)?\b/i
+      - string: /\bwindbg(\.exe)?\b/i
+      - string: /\bjoeboxcontrol(\.exe)?\b/i
+      - string: /\bjoeboxserver(\.exe)?\b/i
+      - string: /\bResourceHacker(\.exe)?\b/i
+      - string: /\bx32dbg(\.exe)?\b/i
+      - string: /\bx64dbg(\.exe)?\b/i
+      - string: /\bFiddler(\.exe)?\b/i
+      - string: /\bhttpdebugger(\.exe)?\b/i
+      - string: /\bfakenet(\.exe)?\b/i
+      - string: /\bnetmon(\.exe)?\b/i
+      - string: /\bWPE PRO(\.exe)?\b/i
+      - string: /\bdecompile(\.exe)?\b/i
+      - string: /\bscylla\b/i
+      - string: /\bmegadumper\b/i
+      - string: /\bapdagent(\.exe)?\b/i
+      - string: /\bapimonitor(\.exe)?\b/i
+      - string: /\bazurearcsystray(\.exe)?\b/i
+      - string: /\bbinaryninja(\.exe)?\b/i
+      - string: /\bburpsuite(\.exe)?\b/i
+      - string: /\bcharles\.exe\b/i
+      - string: /\bcutter(\.exe)?\b/i
+      - string: /\bdbgx\.shell(\.exe)?\b/i
+      - string: /\bdf5serv(\.exe)?\b/i
+      - string: /\bfrida(\.exe)?\b/i
+      - string: /\bhttpanalyzerv7(\.exe)?\b/i
+      - string: /\bhttpdebuggerui(\.exe)?\b/i
+      - string: /\bnetcat(\.exe)?\b/i
+      - string: /\bpin\.exe\b/i
+      - string: /\bprl_tools(\.exe)?\b/i
+      - string: /\bqemu-ga(\.exe)?\b/i
+      - string: /\brammap(\.exe)?\b/i
+      - string: /\brammap64(\.exe)?\b/i
+      - string: /\brdpclip(\.exe)?\b/i
+      - string: /\btasklist\b/i
+      - string: /\bcred-store(\.exe)?\b/i
+      - string: /\bdecoder\.exe\b/i
+      - string: /\bdnspy(\.exe)?\b/i
+      - string: /\bdrrun(\.exe)?\b/i
+      - string: /\bdumpit(\.exe)?\b/i
+      - string: /\bfrida-inject(\.exe)?\b/i
+      - string: /\bfrida-server(\.exe)?\b/i
+      - string: /\bgdb\.exe\b/i
+      - string: /\bhttpdebuggersvc(\.exe)?\b/i
+      - string: /\bilspy(\.exe)?\b/i
+      - string: /\binetsim(\.exe)?\b/i
+      - string: /\bksdumper(\.exe)?\b/i
+      - string: /\bksdumperclient(\.exe)?\b/i
+      - string: /\bmitmdump(\.exe)?\b/i
+      - string: /\bpestudio(\.exe)?\b/i
+      - string: /\bprivate-cloud-proxy(\.exe)?\b/i
+      - string: /\bprocess\.exe\b/i
+      - string: /\br2\.exe\b/i
+      - string: /\brekall(\.exe)?\b/i
+      - string: /\btcpdump(\.exe)?\b/i
+      - string: /\bwindasm(\.exe)?\b/i
+      - string: /\bx32dbgn(\.exe)?\b/i
diff --git a/collection/acquire-credentials-from-windows-credential-manager.yml b/collection/acquire-credentials-from-windows-credential-manager.yml
index 9c54a6689..aef241677 100644
--- a/collection/acquire-credentials-from-windows-credential-manager.yml
+++ b/collection/acquire-credentials-from-windows-credential-manager.yml
@@ -23,6 +23,6 @@ rule:
         - optional:
           - match: host-interaction/process/create
         - or:
-          - string: /vaultcmd(\.exe)?/
+          - string: /\bvaultcmd(\.exe)?\b/
           - substring: "/listcreds:"
           - substring: "\"Windows Credentials\""
diff --git a/collection/network/capture-network-configuration-via-ipconfig.yml b/collection/network/capture-network-configuration-via-ipconfig.yml
index 379646d9c..873b97de3 100644
--- a/collection/network/capture-network-configuration-via-ipconfig.yml
+++ b/collection/network/capture-network-configuration-via-ipconfig.yml
@@ -13,7 +13,7 @@ rule:
       - 7204e3efc2434012e13ca939db0d0b02:0x403028
   features:
     - and:
-      - string: /ipconfig(\.exe)?/i
+      - string: /\bipconfig(\.exe)?\b/i
       - api: msvcr100.system
       - optional:
         - and:
diff --git a/load-code/powershell/run-powershell-expression.yml b/load-code/powershell/run-powershell-expression.yml
index 36d82d9ce..b84097973 100644
--- a/load-code/powershell/run-powershell-expression.yml
+++ b/load-code/powershell/run-powershell-expression.yml
@@ -25,8 +25,8 @@ rule:
 
       - and:
         - or:
-          - string: /powershell(\.exe)?/i
-          - string: /pwsh(\.exe)?/i
+          - string: /\bpowershell(\.exe)?\b/i
+          - string: /\bpwsh(\.exe)?\b/i
         - or:
           - string: /\b-(e|en|enc|enco|encod|encodedcommand)\b/i
           - string: /\biex\b/i
diff --git a/nursery/delete-windows-backup-catalog.yml b/nursery/delete-windows-backup-catalog.yml
index 992ade400..6ac1dfd51 100644
--- a/nursery/delete-windows-backup-catalog.yml
+++ b/nursery/delete-windows-backup-catalog.yml
@@ -12,4 +12,4 @@ rule:
   features:
     - and:
       - os: windows
-      - string: /wbadmin(\.exe)?\s+delete\s+catalog/i
+      - string: /\bwbadmin(\.exe)?\s+delete\s+catalog/i
diff --git a/nursery/disable-automatic-windows-recovery-features.yml b/nursery/disable-automatic-windows-recovery-features.yml
index 090c0d756..78f4f0629 100644
--- a/nursery/disable-automatic-windows-recovery-features.yml
+++ b/nursery/disable-automatic-windows-recovery-features.yml
@@ -13,7 +13,7 @@ rule:
     - and:
       - os: windows
       - or:
-        - string: /bcdedit(\.exe)?\s+/set\s+{default}\s+bootstatuspolicy\s+ignoreallfailures/i
+        - string: /\bbcdedit(\.exe)?\s+/set\s+{default}\s+bootstatuspolicy\s+ignoreallfailures/i
           description: ignore errors and boot normally even if there is a failed boot, shutdown, or checkpoint
-        - string: /bcdedit(\.exe)?\s+/set\s+{default}\s+recoveryenabled\s+no/i
+        - string: /\bbcdedit(\.exe)?\s+/set\s+{default}\s+recoveryenabled\s+no/i
           description: disable automatic repair
diff --git a/nursery/enumerate-device-drivers-on-windows.yml b/nursery/enumerate-device-drivers-on-windows.yml
index 1b4e262b8..89bfb731f 100644
--- a/nursery/enumerate-device-drivers-on-windows.yml
+++ b/nursery/enumerate-device-drivers-on-windows.yml
@@ -14,7 +14,7 @@ rule:
   features:
     - or:
       - api: EnumDeviceDrivers
-      - string: /driverquery(\.exe)?/i
+      - string: /\bdriverquery(\.exe)?\b/i
       - and:
         - or:
           - match: query or enumerate registry key