Regex

Regex Cheatsheet

IPv4

Each entry gives the pattern name, the regex, an example input, and the named captures the regex produces on that input.

IPv4
  Regex:    \b(?<IPv4>\d{1,3}(?:\.\d{1,3}){3})\b
  Example:  198.51.100.42
  Captures: IPv4=198.51.100.42

IPv4 octets named (inline)
  Regex:    \b(?<Oct1>\d{1,3})\.(?<Oct2>\d{1,3})\.(?<Oct3>\d{1,3})\.(?<Oct4>\d{1,3})\b
  Example:  10.42.7.13
  Captures: Oct1=10, Oct2=42, Oct3=7, Oct4=13

IPv4 octets named (anchored, whole field)
  Regex:    ^(?<Oct1>\d{1,3})\.(?<Oct2>\d{1,3})\.(?<Oct3>\d{1,3})\.(?<Oct4>\d{1,3})$
  Example:  10.42.7.13
  Captures: Oct1=10, Oct2=42, Oct3=7, Oct4=13

IPv4 + port
  Regex:    \b(?<IPv4>\d{1,3}(?:\.\d{1,3}){3}):(?<Port>\d{1,5})\b
  Example:  192.0.2.45:443
  Captures: IPv4=192.0.2.45, Port=443

CIDR notation
  Regex:    \b(?<IPv4>\d{1,3}(?:\.\d{1,3}){3})\/(?<Mask>\d{1,2})\b
  Example:  10.0.0.0/24
  Captures: IPv4=10.0.0.0, Mask=24

Internal IP (private + loopback + link-local)
  Regex:    ^(?<InternalIP>(?:127\.|10\.|172\.(?:1[6-9]|2\d|3[01])\.|192\.168\.|169\.254\.)\d{1,3}\.\d{1,3}(?:\.\d{1,3})?)
  Example:  172.18.4.221
  Captures: InternalIP=172.18.4.221

Private (RFC1918) only
  Regex:    \b(?<PrivateIP>10(?:\.\d{1,3}){3}|172\.(?:1[6-9]|2\d|3[01])(?:\.\d{1,3}){2}|192\.168(?:\.\d{1,3}){2})\b
  Example:  172.18.4.221
  Captures: PrivateIP=172.18.4.221

Loopback (127/8)
  Regex:    \b(?<Loopback>127\.\d{1,3}\.\d{1,3}\.\d{1,3})\b
  Example:  127.0.0.1
  Captures: Loopback=127.0.0.1

Link-local (169.254/16)
  Regex:    \b(?<LinkLocal>169\.254\.\d{1,3}\.\d{1,3})\b
  Example:  169.254.169.254
  Captures: LinkLocal=169.254.169.254

Multicast (224/4)
  Regex:    \b(?<Multicast>(?:22[4-9]|23\d)\.\d{1,3}\.\d{1,3}\.\d{1,3})\b
  Example:  239.255.255.250
  Captures: Multicast=239.255.255.250

IPv6

IPv6 (any common form)
  Regex:    (?<IPv6>(?:[0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}|(?:[0-9a-fA-F]{1,4}:){1,7}:(?:[0-9a-fA-F]{1,4}(?::[0-9a-fA-F]{1,4}){0,6})?|::(?:[0-9a-fA-F]{1,4}(?::[0-9a-fA-F]{1,4}){0,6})?)
  Example:  2001:db8::8a2e:370:7334
  Captures: IPv6=2001:db8::8a2e:370:7334

IPv6 + port (bracketed)
  Regex:    \[(?<IPv6>[0-9a-fA-F:]+)\]:(?<Port>\d{1,5})
  Example:  [2001:db8::1]:8080
  Captures: IPv6=2001:db8::1, Port=8080

IPv6 in URL
  Regex:    :\/\/\[(?<IPv6>[0-9a-fA-F:]+)\](?::(?<Port>\d{1,5}))?
  Example:  https://[2001:db8::1]:8443/api
  Captures: IPv6=2001:db8::1, Port=8443

Domains & FQDN

FQDN
  Regex:    \b(?<FQDN>(?:[a-zA-Z0-9](?:[a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,24})\b
  Example:  cdn.api.example.co.uk
  Captures: FQDN=cdn.api.example.co.uk

First label split (leftmost / rest)
  Regex:    (?<Subdomain>[^.]+)\.(?<Domain>[^\s\/]+)
  Example:  cdn.api.example.com
  Captures: Subdomain=cdn, Domain=api.example.com

Last 2 labels, apex (single-TLD)
  Regex:    (?<Apex>[a-zA-Z0-9\-]+\.[a-zA-Z]{2,24})$
  Example:  api.example.com
  Captures: Apex=example.com

Last 3 labels, apex (double-TLD)
  Regex:    (?<Apex3>[a-zA-Z0-9\-]+\.[a-zA-Z0-9\-]+\.[a-zA-Z]{2,24})$
  Example:  api.example.co.uk
  Captures: Apex3=example.co.uk

TLD (last label)
  Regex:    \.(?<TLD>[a-zA-Z]{2,24})(?=[\/:?\s]|$)
  Example:  example.com
  Captures: TLD=com

TLD (double-TLD aware)
  Regex:    \.(?<TLD>(?:co|com|gov|ac|org|net|edu|or|ne)\.(?:uk|au|jp|br|cn|tr|mx|sg|hk|nz|za|kr|id|in)|[a-zA-Z]{2,24})(?=[\/:?\s]|$)
  Example:  example.co.uk
  Captures: TLD=co.uk

Punycode / IDN
  Regex:    \b(?<Punycode>xn--[a-zA-Z0-9\-]+(?:\.[a-zA-Z]{2,24})+)\b
  Example:  xn--gogle-zwa.com
  Captures: Punycode=xn--gogle-zwa.com

Email split
  Regex:    \b(?<Local>[A-Za-z0-9._%+\-]+)@(?<Domain>[A-Za-z0-9.\-]+\.[A-Za-z]{2,24})\b
  Example:  alice.smith@corp.example.com
  Captures: Local=alice.smith, Domain=corp.example.com

URLs

URL (all parts named)
  Regex:    (?<Scheme>[a-z][a-z0-9+.\-]*):\/\/(?:(?<User>[^:@\/\s]+)(?::(?<Pass>[^@\/\s]+))?@)?(?<Host>[a-zA-Z0-9.\-]+|\[[0-9a-fA-F:]+\])(?::(?<Port>\d{1,5}))?(?<Path>\/[^\s?#\'"<>]*)?(?:\?(?<Query>[^\s#\'"<>]*))?(?:#(?<Fragment>[^\s\'"<>]*))?
  Example:  https://api.example.com:8443/v1/users?id=42#profile
  Captures: Scheme=https, Host=api.example.com, Port=8443, Path=/v1/users, Query=id=42, Fragment=profile

URL slug (last path segment)
  Regex:    \/(?<Slug>[^\/?#\s]+)(?=[?#]|\s|$)
  Example:  /products/widget-x123
  Captures: Slug=widget-x123

Query parameter pair
  Regex:    [?&](?<Key>[a-zA-Z0-9_\-]+)=(?<Value>[^&#\s\'"<>]*)
  Example:  ?id=42&user=alice
  Captures: Key=id, Value=42 (first of 2 matches in the example)

URL with embedded creds
  Regex:    (?<Scheme>https?|ftps?|sftp|scp|smb|ssh|telnet|rsync|postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis|mssql|jdbc:[a-z]+):\/\/(?<User>[^:@\/\s]*):(?<Pass>[^@\/\s]+)@(?<Host>[a-zA-Z0-9.\-]+)
  Example:  postgresql://admin:S3cret!@db.corp.example.com:5432/billing
  Captures: Scheme=postgresql, User=admin, Pass=S3cret!, Host=db.corp.example.com

Host only (after scheme)
  Regex:    (?<=:\/\/)(?<Host>[a-zA-Z0-9.\-]+)(?=[\/:?#\s]|$)
  Example:  https://cdn.example.com/asset
  Captures: Host=cdn.example.com

Search engine queries

Search engine query (9 engines combined)
  Regex:    (?i)(?:search\.)?(?<Engine>google|bing|yahoo|baidu|ask|duckduckgo|aol|wolframalpha|ecosia)\.(?:com|org)(?:\/[^?\s]*)?\?(?:q|p|wd|i)=(?<SearchTerm>[^&\s]+)
  Example:  google.com/search?q=detection+engineering
  Captures: Engine=google, SearchTerm=detection+engineering

Filesystem paths

Windows path (decomposed)
  Regex:    (?<WinPath>(?<Drive>[A-Za-z]):\\(?<Dir>(?:[^<>:"\/\\|?*\r\n]+\\)*)(?<Filename>[^<>:"\/\\|?*\r\n]+)\.(?<Ext>[A-Za-z0-9]+))
  Example:  C:\Users\Public\update.exe
  Captures: WinPath=C:\Users\Public\update.exe, Drive=C, Dir=Users\Public\, Filename=update, Ext=exe

UNC path
  Regex:    \\\\(?<Server>[A-Za-z0-9.\-_]+)\\(?<Share>[A-Za-z0-9$\-_]+)(?:\\(?<UNCPath>[^<>:"\/|?*\r\n]+))?
  Example:  \\fs01\IT$\install\loader.exe
  Captures: Server=fs01, Share=IT$, UNCPath=install\loader.exe

Linux path
  Regex:    (?<UnixPath>\/(?:[^\/\0\s]+\/)*(?<Filename>[^\/\0\s]+))
  Example:  /var/log/syslog
  Captures: UnixPath=/var/log/syslog, Filename=syslog

Filename + extension
  Regex:    \b(?<Filename>[^\\\/:*?"<>|\r\n]+)\.(?<Ext>[A-Za-z0-9]+)\b
  Example:  payload.exe
  Captures: Filename=payload, Ext=exe

Double extension
  Regex:    (?<Base>[^\\\/:"*?<>|\r\n]+)\.(?<FakeExt>pdf|docx?|xlsx?|pptx?|txt|jpg|jpeg|png|gif|html?|zip|rar|csv|mp[34])\.(?<RealExt>exe|dll|ps1|bat|cmd|vbs|js|wsf|hta|scr|cpl|lnk|com|msi|jar|sh)\b
  Example:  invoice.pdf.exe
  Captures: Base=invoice, FakeExt=pdf, RealExt=exe

Hidden folder under \Users\
  Regex:    (?i)\\Users\\.*?\\(?<HiddenFolder>\.[^\\\r\n]+)\\
  Example:  C:\Users\bob\.ssh\id_rsa
  Captures: HiddenFolder=.ssh

Alternate Data Stream
  Regex:    (?<ADS>[A-Za-z]:\\(?:[^<>:"\/\\|?*\r\n]+\\)*[^<>:"\/\\|?*\r\n:]+:(?<Stream>[^<>:"\/\\|?*\r\n]+))
  Example:  C:\Users\bob\notes.txt:hidden.exe
  Captures: ADS=C:\Users\bob\notes.txt:hidden.exe, Stream=hidden.exe

Path normalization (forensics)

Strip \Device\HarddiskVolumeN\
  Regex:    ^\\Device\\HarddiskVolume\d+(?<Path>[\\\/][^\r\n]+)
  Example:  \Device\HarddiskVolume3\Windows\notepad.exe
  Captures: Path=\Windows\notepad.exe

Path + filename split (optional NT prefix)
  Regex:    (?:\\Device\\HarddiskVolume\d+)?(?<FilePath>.+\\)(?<FileName>[^\\\r\n]+)$
  Example:  C:\Users\Bob\Documents\report.pdf
  Captures: FilePath=C:\Users\Bob\Documents\, FileName=report.pdf

Strip \\?\ namespace
  Regex:    ^\\\\\?\\(?<Path>[A-Z]:\\[^\r\n]+)
  Example:  \\?\C:\Users\Bob\file.txt
  Captures: Path=C:\Users\Bob\file.txt

Strip \??\ NT object namespace
  Regex:    ^\\\?\?\\(?<Path>[A-Z]:\\[^\r\n]+)
  Example:  \??\C:\Windows\system32\\
  Captures: Path=C:\Windows\system32\\

Strip any NT prefix (universal)
  Regex:    ^(?:\\Device\\\w+\d*|\\\\\?\\|\\\?\?\\|\\GLOBAL\\\?\?\\)(?<Path>[\\\/A-Z][^\r\n]+)
  Example:  \Device\Mup\server\share
  Captures: Path=\server\share

Credentials in command lines

Credentials all-in-one (single-regex form)
  Regex:    (?i)(?:(?<![A-Za-z])(?<CredVar>aws[_-]?secret[_-]?access[_-]?key|aws[_-]?session[_-]?token|azure[_-]?client[_-]?secret|shared[_-]?access[_-]?signature|connection[_-]?string|service[_-]?password|database[_-]?password|github[_-]?token|gitlab[_-]?token|tenant[_-]?secret|slack[_-]?token|bind[_-]?password|proxy[_-]?password|ldap[_-]?password|smtp[_-]?password|sql[_-]?password|db[_-]?password|client[_-]?secret|private[_-]?key|access[_-]?token|refresh[_-]?token|session[_-]?token|bearer[_-]?token|oauth[_-]?token|auth[_-]?token|csrf[_-]?token|sas[_-]?token|id[_-]?token|ssh[_-]?key|x[_-]?api[_-]?key|api[_-]?token|api[_-]?key|mysql[_-]?pwd|sshpass|pgpassword|connstr|credentials|credential|passphrase|password|passwd|webhook|bearer|secret|token|creds|cred|pass|pwd|sas|auth)(?![A-Za-z])\s*[=:\s]\s*['"]?(?<CredVal>[^\s'"&;\r\n]{4,})|\s(?<Flag>(?:--|-|\/)(?:[a-z]+-)?(?:password|passwd|pwd|pass|pw)|(?:--|-|\/)p)[:=\s]+['"]?(?<FlagVal>[^\s'"]+)|\b(?<AtTool>mysql(?:dump|pump|sh)?|7z[a]?|rar|unrar|sshpass)(?:\.exe)?\b[^\r\n]*?\s-p(?<AtVal>[^\-\s][^\s'"]{3,})|(?<UrlScheme>https?|ftps?|sftp|scp|smb|ssh|telnet|rsync|postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis|mssql|jdbc:[a-z]+):\/\/(?<UrlUser>[^:@\/\s]*):(?<UrlPass>[^@\/\s]+)@|Authorization:\s*(?<AuthType>Bearer|Basic)\s+(?<AuthVal>[A-Za-z0-9._\-+\/=]+)|ConvertTo-SecureString\s+['"](?<PSCred>[^'"]+)['"]\s+-AsPlainText|\s(?:-U\s+|--user[=\s]+)(?<SMBUser>[^%\s]+)%(?<SMBPass>\S+)|\s(?:--user|-u|--proxy-user)[=\s]+(?<UPUser>[^:\s]+):(?<UPPass>[^\s'"]+)|\bcmdkey\b[^\r\n]*?\/pass:(?<CmdkeyVal>\S+)|\bsc(?:\.exe)?\b[^\r\n]*?\bpassword=\s*(?<ScVal>\S+)|\bnet\s+use\b(?:\s+\S+){1,3}\s+(?<NetUsePass>(?!\/)[^\s\/][^\s]*)\s+\/user:(?<NetUseUser>\S+)|\bnet\s+use\b[^\r\n]*?\/user:(?<NetUseUser2>\S+)\s+(?<NetUsePass2>(?!\/)[^\s\/][^\s]*)|\bnet\s+user\s+(?<NetUserName>\S+)\s+(?<NetUserPass>(?!\/)[^\s\/][^\s]*)|\bwmic\b[^\r\n]*?\/user:(?<WmicUser>\S+)[^\r\n]*?\/password:(?<WmicPass>\S+)|(?<![A-Za-z0-9])(?:-e\s+|--from-literal=|--set(?:-string)?[\s=])(?<ContVar>[A-Za-z_][A-Za-z0-9_\-]*)=['"]?(?<ContVal>[^\s'"]+)|\blftp\b[^\r\n]*?\s(?:-u|--user)\s+(?<LftpUser>[^,\s]+),(?<LftpVal>[^\s'"]+)|\bredis(?:-cli)?\b[^\r\n]*?\s-a\s+['"]?(?<RedisVal>[^\s'"]+))
  Example:  plink.exe -ssh user@host -pw S3cret!
  Captures: Flag=-pw, FlagVal=S3cret!

Variable=value credential (focused: VAR=val / VAR: val only)
  Regex:    (?i)(?<![A-Za-z])(?<CredVar>aws[_-]?secret[_-]?access[_-]?key|aws[_-]?session[_-]?token|azure[_-]?client[_-]?secret|shared[_-]?access[_-]?signature|connection[_-]?string|service[_-]?password|database[_-]?password|github[_-]?token|gitlab[_-]?token|tenant[_-]?secret|slack[_-]?token|bind[_-]?password|proxy[_-]?password|ldap[_-]?password|smtp[_-]?password|sql[_-]?password|db[_-]?password|client[_-]?secret|private[_-]?key|access[_-]?token|refresh[_-]?token|session[_-]?token|bearer[_-]?token|oauth[_-]?token|auth[_-]?token|csrf[_-]?token|sas[_-]?token|id[_-]?token|ssh[_-]?key|x[_-]?api[_-]?key|api[_-]?token|api[_-]?key|mysql[_-]?pwd|sshpass|pgpassword|connstr|credentials|credential|passphrase|password|passwd|webhook|bearer|secret|token|creds|cred|pass|pwd|sas|auth)(?![A-Za-z])\s*[=:\s]\s*[\'"]?(?<Credential>[^\s\'"&;\r\n]{4,})
  Example:  STRIPE_API_KEY=sk_live_4eC39H
  Captures: CredVar=API_KEY, Credential=sk_live_4eC39H

Short-flag credential (plink/sshpass/sqlcmd/curl/wget/etc.)
  Regex:    (?i)\s(?<Flag>(?:--|-|\/)(?:[a-z]+-)?(?:password|passwd|pwd|pass|pw)|(?:--|-|\/)p)[:=\s]+[\'"]?(?<Credential>[^\s\'"]+)
  Example:  plink.exe -ssh user@host -pw S3cret!
  Captures: Flag=-pw, Credential=S3cret!

Attached short-flag (mysql/7z/rar/sshpass -p<value>, no space)
  Regex:    (?i)\b(?<Tool>mysql(?:dump|pump|sh)?|7z[a]?|rar|unrar|sshpass)(?:\.exe)?\b[^\r\n]*?\s-p(?<Credential>[^\-\s][^\s\'"]{3,})
  Example:  mysql -u admin -pS3cret!Pwd dbname
  Captures: Tool=mysql, Credential=S3cret!Pwd

redis-cli -a
  Regex:    (?i)\bredis(?:-cli)?\b[^\r\n]*?\s-a\s+[\'"]?(?<Credential>[^\s\'"]+)
  Example:  redis-cli -h cache.local -a R3disPass!
  Captures: Credential=R3disPass!

User:pass flag (curl/wget -u user:pass / --user / --proxy-user)
  Regex:    (?i)\s(?<Flag>--user|-u|--proxy-user)[=\s]+(?<User>[^:\s]+):(?<Credential>[^\s\'"]+)
  Example:  curl --user alice:S3cret! https://api.example.com
  Captures: Flag=--user, User=alice, Credential=S3cret!

net user account
  Regex:    (?i)\bnet\s+user\s+(?<User>\S+)\s+(?<Password>(?!\/)[^\s\/][^\s]*)
  Example:  net user svc_admin S3cret!Pwd /add
  Captures: User=svc_admin, Password=S3cret!Pwd

SSH private key flag
  Regex:    (?i)\bssh\b[^\r\n]*?-i\s+[\'"]?(?<KeyPath>[^\s\'"]+)
  Example:  ssh -i ~/.ssh/id_rsa user@host
  Captures: KeyPath=~/.ssh/id_rsa

Bearer token (header)
  Regex:    (?i)Authorization:\s*Bearer\s+(?<Bearer>[A-Za-z0-9._\-]+)
  Example:  Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.payload.sig
  Captures: Bearer=eyJhbGciOiJIUzI1NiJ9.payload.sig

Basic auth (header)
  Regex:    (?i)Authorization:\s*Basic\s+(?<BasicAuth>[A-Za-z0-9+\/=]+)
  Example:  Authorization: Basic YWRtaW46c2VjcmV0
  Captures: BasicAuth=YWRtaW46c2VjcmV0

PowerShell SecureString (plaintext literal)
  Regex:    ConvertTo-SecureString\s+[\'"](?<Credential>[^\'"]+)[\'"]\s+-AsPlainText
  Example:  $p = ConvertTo-SecureString 'P@ssw0rd!' -AsPlainText -Force
  Captures: Credential=P@ssw0rd!

SMB user%pass (smbclient/smbmap)
  Regex:    (?i)\s(?:-U\s+|--user[=\s]+)(?<User>[^%\s]+)%(?<Password>\S+)
  Example:  smbclient //server/share -U DOMAIN\admin%S3cret!
  Captures: User=DOMAIN\admin, Password=S3cret!

cmdkey /pass:
  Regex:    (?i)\bcmdkey\b[^\r\n]*?\/pass:(?<Credential>\S+)
  Example:  cmdkey /add:server01 /user:CORP\admin /pass:S3cret!
  Captures: Credential=S3cret!

sc.exe password= (service install/config)
  Regex:    (?i)\bsc(?:\.exe)?\b[^\r\n]*?\bpassword=\s*(?<Credential>\S+)
  Example:  sc.exe create BackupSvc binpath= C:\bak.exe obj= .\svc password= S3cret!
  Captures: Credential=S3cret!

net use w/ creds (PASS before /user:, canonical)
  Regex:    (?i)\bnet\s+use\b(?:\s+\S+){1,3}\s+(?<Password>(?!\/)[^\s\/][^\s]*)\s+\/user:(?<User>\S+)
  Example:  net use \\fs01\share Pass123 /user:CORP\admin
  Captures: Password=Pass123, User=CORP\admin

net use w/ creds (/user: before PASS, alt order)
  Regex:    (?i)\bnet\s+use\b[^\r\n]*?\/user:(?<User>\S+)\s+(?<Password>(?!\/)[^\s\/][^\s]*)
  Example:  net use \\fs01\share /user:CORP\admin Pass123
  Captures: User=CORP\admin, Password=Pass123

lftp -u user,pass
  Regex:    (?i)\blftp\b[^\r\n]*?\s(?:-u|--user)\s+(?<User>[^,\s]+),(?<Credential>[^\s\'"]+)
  Example:  lftp -u alice,S3cret!Pwd ftp.example.com
  Captures: User=alice, Credential=S3cret!Pwd

wmic /user: /password:
  Regex:    (?i)\bwmic\b[^\r\n]*?\/user:(?<User>\S+)[^\r\n]*?\/password:(?<Password>\S+)
  Example:  wmic /node:HOST /user:admin /password:Pass1 process call create
  Captures: User=admin, Password=Pass1

Container env injection (docker -e / k8s --from-literal / helm --set)
  Regex:    (?i)(?<![A-Za-z0-9])(?:-e\s+|--from-literal=|--set(?:-string)?[\s=])(?<Var>[A-Za-z_][A-Za-z0-9_\-]*)=[\'"]?(?<Credential>[^\s\'"]+)
  Example:  docker run -e MYSQL_ROOT_PASSWORD=R00t! mysql:8
  Captures: Var=MYSQL_ROOT_PASSWORD, Credential=R00t!
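The rows above write named groups in the (?<Name>...) form, which Python's re module does not accept, so the patterns need a small rewrite before they can be used for log redaction. The following is an added example, not code from the page: it converts the cheatsheet syntax to Python's (?P<Name>...), then applies the universal NT-prefix row from the path-normalization section and three credential rows (user:pass flag, short flag, attached short flag) to constructed sample lines, redacting the captured secret. The names to_python, normalize_path and redact_command_line are assumed here.

```python
import re


# The cheatsheet writes named groups as (?<Name>...), the .NET/PCRE/JS form.
# Python's re module only accepts (?P<Name>...), so convert before compiling.
# Lookbehinds (?<= and (?<! are left untouched by the negative lookahead.
def to_python(pattern: str) -> str:
    return re.sub(r"\(\?<(?![=!])", "(?P<", pattern)


# Patterns copied verbatim from the cheatsheet rows (constant names are assumed).
NT_PREFIX = to_python(
    r"^(?:\\Device\\\w+\d*|\\\\\?\\|\\\?\?\\|\\GLOBAL\\\?\?\\)(?<Path>[\\\/A-Z][^\r\n]+)"
)
USER_PASS = to_python(
    r"(?i)\s(?<Flag>--user|-u|--proxy-user)[=\s]+(?<User>[^:\s]+):(?<Credential>[^\s\'\"]+)"
)
SHORT_FLAG = to_python(
    r"(?i)\s(?<Flag>(?:--|-|\/)(?:[a-z]+-)?(?:password|passwd|pwd|pass|pw)|(?:--|-|\/)p)"
    r"[:=\s]+[\'\"]?(?<Credential>[^\s\'\"]+)"
)
ATTACHED = to_python(
    r"(?i)\b(?<Tool>mysql(?:dump|pump|sh)?|7z[a]?|rar|unrar|sshpass)(?:\.exe)?\b"
    r"[^\r\n]*?\s-p(?<Credential>[^\-\s][^\s\'\"]{3,})"
)


def normalize_path(raw: str) -> str:
    # Strip the NT object-namespace prefixes the cheatsheet lists; paths without one pass through.
    m = re.match(NT_PREFIX, raw)
    return m.group("Path") if m else raw


def redact_command_line(cmd: str) -> tuple[str, list[str]]:
    """Replace credential values caught by the cheatsheet rows with <REDACTED>.
    Returns the redacted line and the flag or tool that carried each secret."""
    leaks: list[str] = []

    def _sub(m: re.Match) -> str:
        gd = m.groupdict()
        leaks.append(gd.get("Flag") or gd.get("Tool"))
        whole = m.group(0)
        s, e = m.span("Credential")
        s, e = s - m.start(), e - m.start()
        return whole[:s] + "<REDACTED>" + whole[e:]

    # "-p value" and attached "-pvalue" are separate rows on the page, so both patterns run.
    for pat in (USER_PASS, SHORT_FLAG, ATTACHED):
        cmd = re.sub(pat, _sub, cmd)
    return cmd, leaks


if __name__ == "__main__":
    # Constructed sample input (not from the page), in the shapes the rows describe.
    for p in (r"\Device\HarddiskVolume3\Windows\notepad.exe", r"\??\C:\Windows\system32\drivers\etc\hosts",
              r"\\?\C:\Users\Bob\file.txt", r"\Device\Mup\server\share", r"C:\already\normal.txt"):
        print(f"{p!r:55} -> {normalize_path(p)!r}")
    for c in ("plink.exe -ssh user@host -pw S3cret!", "curl --user alice:S3cret! https://api.example.com",
              "mysql -u admin -pS3cret!Pwd dbname", "ssh -i ~/.ssh/id_rsa user@host"):
        print(redact_command_line(c))
```

Note that the short-flag row alone does not catch the attached "-pS3cret!Pwd" form; the run order above makes that visible on the mysql line.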

Hashes & identifiers

MD5
  Regex:    \b(?<MD5>[a-fA-F0-9]{32})\b
  Example:  5d41402abc4b2a76b9719d911017c592
  Captures: MD5=5d41402abc4b2a76b9719d911017c592

SHA1
  Regex:    \b(?<SHA1>[a-fA-F0-9]{40})\b
  Example:  aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d
  Captures: SHA1=aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d

SHA256
  Regex:    \b(?<SHA256>[a-fA-F0-9]{64})\b
  Example:  2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae
  Captures: SHA256=2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae

GUID / UUID
  Regex:    \b(?<GUID>[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12})\b
  Example:  550e8400-e29b-41d4-a716-446655440000
  Captures: GUID=550e8400-e29b-41d4-a716-446655440000

Windows SID
  Regex:    \b(?<SID>S-1-(?:0|1|2|3|4|5|9|11|12|15|16|18)(?:-\d+)+)\b
  Example:  S-1-5-21-3623811015-3361044348-30300820-1013
  Captures: SID=S-1-5-21-3623811015-3361044348-30300820-1013

bcrypt hash
  Regex:    (?<Bcrypt>\$2[abxy]\$\d{2}\$[A-Za-z0-9.\/]{53})
  Example:  $2b$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy
  Captures: Bcrypt=$2b$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy

argon2 hash
  Regex:    (?<Argon2>\$argon2(?:i|d|id)\$v=\d+\$m=\d+,t=\d+,p=\d+\$[A-Za-z0-9+\/=]+\$[A-Za-z0-9+\/=]+)
  Example:  $argon2id$v=19$m=65536,t=3,p=4$c29tZXNhbHQ$RdescudvJCsgt3ub+b+dWRWJTmaaJObG
  Captures: Argon2=$argon2id$v=19$m=65536,t=3,p=4$c29tZXNhbHQ$RdescudvJCsgt3ub+b+dWRWJTmaaJObG

SHA512crypt hash
  Regex:    (?<Sha512Crypt>\$6\$(?:rounds=\d+\$)?[A-Za-z0-9.\/]{8,16}\$[A-Za-z0-9.\/]{86})
  Example:  $6$rounds=5000$saltvalu1$ABcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789./abcdefghij1234567890abcde
  Captures: Sha512Crypt=$6$rounds=5000$saltvalu1$ABcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789./abcdefghij1234567890ab (the {86} quantifier stops three characters short of the example's 89-character hash field)

Cloud resources & tokens

AWS Access Key ID
  Regex:    \b(?<AWSKey>(?:AKIA|ASIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|APKA)[0-9A-Z]{16})\b
  Example:  AKIAIOSFODNN7EXAMPLE
  Captures: AWSKey=AKIAIOSFODNN7EXAMPLE

AWS ARN (decomposed)
  Regex:    arn:(?<Partition>aws|aws-cn|aws-us-gov):(?<Service>[a-z0-9\-]+):(?<Region>[a-z]+-[a-z]+-\d+)?:(?<AcctId>\d{12})?:(?<Resource>[A-Za-z0-9\/:\-_.+*]+)
  Example:  arn:aws:iam::123456789012:user/David
  Captures: Partition=aws, Service=iam, AcctId=123456789012, Resource=user/David

S3 URI
  Regex:    s3:\/\/(?<Bucket>[a-z0-9][a-z0-9.\-]{1,61}[a-z0-9])(?:\/(?<Key>\S+))?
  Example:  s3://corp-backups/db/snap-2024-q3.bak
  Captures: Bucket=corp-backups, Key=db/snap-2024-q3.bak

EC2 instance ID
  Regex:    \b(?<EC2>i-[0-9a-f]{8,17})\b
  Example:  i-0abcd1234ef56789
  Captures: EC2=i-0abcd1234ef56789

Azure subscription ID
  Regex:    \b(?<AzSubId>[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})\b
  Example:  7d1d6c4e-4d7e-4a6e-9f3e-2c1b0a3d5e6f
  Captures: AzSubId=7d1d6c4e-4d7e-4a6e-9f3e-2c1b0a3d5e6f

Azure SAS signature
  Regex:    \?sv=\d{4}-\d{2}-\d{2}&(?:[a-z]+=[^&\s]+&)*sig=(?<SASsig>[A-Za-z0-9%]+)
  Example:  ?sv=2023-08-03&ss=b&srt=sco&sig=XyABCdef123%2FabcdEFGH
  Captures: SASsig=XyABCdef123%2FabcdEFGH

GCP API key
  Regex:    \b(?<GCPKey>AIza[0-9A-Za-z_\-]{35})\b
  Example:  AIzaSyA-9tSrke72PouQMnMX-a7eZSW0jkFMBWY
  Captures: GCPKey=AIzaSyA-9tSrke72PouQMnMX-a7eZSW0jkFMBWY

GitHub PAT (any)
  Regex:    \b(?<GHPAT>(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9]{36,251}|github_pat_[A-Za-z0-9_]{82})\b
  Example:  ghp_16C7e42F292c6912E7710c838347Ae178B4a
  Captures: GHPAT=ghp_16C7e42F292c6912E7710c838347Ae178B4a

JWT (3 parts)
  Regex:    \beyJ(?<Header>[A-Za-z0-9_\-]+)\.eyJ(?<Payload>[A-Za-z0-9_\-]+)\.(?<Sig>[A-Za-z0-9_\-]+)\b
  Example:  eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0NSJ9.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
  Captures: Header=hbGciOiJIUzI1NiJ9, Payload=zdWIiOiIxMjM0NSJ9, Sig=SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

PEM private key block
  Regex:    -----BEGIN (?:RSA |DSA |EC |OPENSSH |ENCRYPTED |PGP )?PRIVATE KEY-----[A-Za-z0-9+\/=\s]{200,}-----END (?:RSA |DSA |EC |OPENSSH |ENCRYPTED |PGP )?PRIVATE KEY-----
  Example:  -----BEGIN RSA PRIVATE KEY-----MIIEowIBAAKCAQEAvGjfzVvDOGKlR2bnJ8VFcVHwxIDvCKbuVBLtMjQHdy3JQVRpITi3WsQwaLb6CtMHYjGo8q9bDLB6q7PQg4zGNXHkb9wKpBvbJpVZwKvCK4hPgC1k/8oSdf9oAlLBL7G0mjlHrW/qDCqLP7Y7+y8nZ0VZGGqLi7B7CxDpQ3mF2X6JMc4fG9wBYbYKy1jJ0WqKvZ-----END RSA PRIVATE KEY-----
  Captures: (full match)

Slack token
  Regex:    \b(?<Slack>xox[baprs]-[A-Za-z0-9\-]+)\b
  Example:  xoxb-12345-67890-AbCdEfGhIjKlMnOp
  Captures: Slack=xoxb-12345-67890-AbCdEfGhIjKlMnOp

Discord webhook
  Regex:    https:\/\/(?:ptb\.|canary\.)?discord(?:app)?\.com\/api\/webhooks\/(?<ChannelId>\d{17,20})\/(?<Token>[A-Za-z0-9_\-]+)
  Example:  https://discord.com/api/webhooks/12345678901234567/abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789AB
  Captures: ChannelId=12345678901234567, Token=abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789AB

Stripe API key
  Regex:    \b(?<Stripe>(?:sk|pk|rk)_(?:live|test)_[A-Za-z0-9]+)\b
  Example:  sk_live_4eC39HabcdefGHIJK1234567890XYZ
  Captures: Stripe=sk_live_4eC39HabcdefGHIJK1234567890XYZ

PowerShell & encoded content

PowerShell EncodedCommand (obfuscation-resistant)
  Regex:    [`]*[\-\/–—][^A-Za-z]*e[ncodema"`\'\s]*\s+(?<EncodedCommand>[A-Za-z0-9+\/="`\'\s]+)
  Example:  pwsh -e`n`c`o`d`e`d JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAA=
  Captures: EncodedCommand=JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAA=

Base64 (standard)
  Regex:    (?:[A-Za-z0-9+\/]{4}){8,}(?:[A-Za-z0-9+\/]{2}==|[A-Za-z0-9+\/]{3}=)?
  Example:  SGVsbG8gV29ybGQhIFRoaXMgaXMgYSB0ZXN0Lg==
  Captures: (full match)

Base64 (URL-safe)
  Regex:    (?:[A-Za-z0-9_\-]{4}){8,}={0,2}
  Example:  dGhpcy1pcy1hLXVybC1zYWZlLWJhc2U2NC1leGFtcGxl
  Captures: (full match)

Base64 PowerShell prefix (UTF-16LE encoded command)
  Regex:    \b(?<PSEncoded>(?:JAB|SQB|IAA|PAA|JgB|cwB|aQB|YwB|RQB)[A-Za-z0-9+\/=]{20,})\b
  Example:  JABjAGwAaQBlAG4AdAA9AE4AZQB3AC0ATwBiAGoAZQBjAHQA
  Captures: PSEncoded=JABjAGwAaQBlAG4AdAA9AE4AZQB3AC0ATwBiAGoAZQBjAHQA

Hex blob
  Regex:    \b(?<Hex>[a-fA-F0-9]{64,})\b
  Example:  4D5A90000300000004000000FFFF0000B800000000000000400000000000000000000000
  Captures: Hex=4D5A90000300000004000000FFFF0000B800000000000000400000000000000000000000

Hex escaped (\xNN)
  Regex:    (?:\\x[a-fA-F0-9]{2}){8,}
  Example:  \x4d\x5a\x90\x00\x03\x00\x00\x00
  Captures: (full match)

Hex C-array (0xNN,)
  Regex:    (?:0x[a-fA-F0-9]{1,2},\s*){8,}0x[a-fA-F0-9]{1,2}
  Example:  0x4d, 0x5a, 0x90, 0x00, 0x03, 0x00, 0x00, 0x00, 0xff
  Captures: (full match)

URL-encoded run
  Regex:    (?:%[0-9a-fA-F]{2}){4,}
  Example:  %63%6d%64%2e%65%78%65%20%2f%63
  Captures: (full match)

Unicode escape (\uNNNN)
  Regex:    (?:\\u[0-9a-fA-F]{4}){4,}
  Example:  \u0063\u006d\u0064\u002e\u0065\u0078\u0065
  Captures: (full match)

Logs & command lines

Process command line (image + args)
  Regex:    ^(?<Image>"[^"]+"|\S+)(?:\s+(?<Args>[^\r\n]*))?$
  Example:  "C:\Program Files\app.exe" --config foo
  Captures: Image="C:\Program Files\app.exe", Args=--config foo

HTTP method
  Regex:    \b(?<Method>GET|POST|PUT|DELETE|PATCH|HEAD|OPTIONS|TRACE|CONNECT)\b
  Example:  POST /api/login HTTP/1.1
  Captures: Method=POST

HTTP status code
  Regex:    (?:HTTP\/[\d.]+\s+|status[=:]\s*)(?<Status>[1-5]\d{2})\b
  Example:  HTTP/1.1 200 OK
  Captures: Status=200

HTTP version
  Regex:    HTTP\/(?<Version>[123](?:\.[01])?)
  Example:  HTTP/1.1, HTTP/2
  Captures: Version=1.1 (first of 2 matches in the example)

Common Log Format (Apache/Nginx access log)
  Regex:    ^(?<RemoteHost>\S+)\s\S+\s(?<User>\S+)\s\[(?<Time>[^\]]+)\]\s"(?<Method>\S+)\s(?<Path>\S+)\s(?<Proto>HTTP\/\S+)"\s(?<Status>\d{3})\s(?<Size>\d+|-)
  Example:  127.0.0.1 - bob [10/Oct/2024:13:55:36 -0700] "GET /index.html HTTP/1.1" 200 2326
  Captures: RemoteHost=127.0.0.1, User=bob, Time=10/Oct/2024:13:55:36 -0700, Method=GET, Path=/index.html, Proto=HTTP/1.1, Status=200, Size=2326

Unicode character ranges

Each script entry gives the range in PCRE \x{...} form and in \u.... form (JavaScript/.NET; \U........ for code points above the BMP), followed by an example and the characters matched in it.

ASCII only
  Regex:    ^[\x00-\x7F]+$
  Example:  Hello123
  Captures: (full match)

Printable ASCII only
  Regex:    ^[\x20-\x7E]+$
  Example:  Hello, World!
  Captures: (full match)

Contains non-ASCII
  Regex:    (?<NonAscii>[^\x00-\x7F])
  Example:  paypaӏ.com
  Captures: NonAscii=ӏ

Cyrillic
  Regex (\x{} form): [\x{400}-\x{4FF}\x{500}-\x{52F}\x{2DE0}-\x{2DFF}\x{A640}-\x{A69F}\x{1C80}-\x{1C8F}]
  Regex (\u form):   [\u0400-\u04FF\u0500-\u052F\u2DE0-\u2DFF\uA640-\uA69F\u1C80-\u1C8F]
  Example:  раураl.com
  Matches:  5 (р, а, у, р, а)

Greek
  Regex (\x{} form): [\x{370}-\x{3FF}\x{1F00}-\x{1FFF}]
  Regex (\u form):   [\u0370-\u03FF\u1F00-\u1FFF]
  Example:  αβγ
  Matches:  3 (α, β, γ)

Arabic
  Regex (\x{} form): [\x{600}-\x{6FF}\x{750}-\x{77F}\x{8A0}-\x{8FF}\x{FB50}-\x{FDFF}\x{FE70}-\x{FEFF}]
  Regex (\u form):   [\u0600-\u06FF\u0750-\u077F\u08A0-\u08FF\uFB50-\uFDFF\uFE70-\uFEFF]
  Example:  مرحبا
  Matches:  5 (م, ر, ح, ب, ا)

Hebrew
  Regex (\x{} form): [\x{590}-\x{5FF}\x{FB1D}-\x{FB4F}]
  Regex (\u form):   [\u0590-\u05FF\uFB1D-\uFB4F]
  Example:  שלום
  Matches:  4 (ש, ל, ו, ם)

CJK unified
  Regex (\x{} form): [\x{4E00}-\x{9FFF}\x{3400}-\x{4DBF}\x{F900}-\x{FAFF}]
  Regex (\u form):   [\u4E00-\u9FFF\u3400-\u4DBF\uF900-\uFAFF]
  Example:  你好
  Matches:  2 (你, 好)

Hiragana
  Regex (\x{} form): [\x{3040}-\x{309F}]
  Regex (\u form):   [\u3040-\u309F]
  Example:  こんにちは
  Matches:  5 (こ, ん, に, ち, は)

Katakana
  Regex (\x{} form): [\x{30A0}-\x{30FF}\x{31F0}-\x{31FF}]
  Regex (\u form):   [\u30A0-\u30FF\u31F0-\u31FF]
  Example:  カタカナ
  Matches:  4 (カ, タ, カ, ナ)

Hangul (Korean)
  Regex (\x{} form): [\x{AC00}-\x{D7AF}\x{1100}-\x{11FF}\x{3130}-\x{318F}]
  Regex (\u form):   [\uAC00-\uD7AF\u1100-\u11FF\u3130-\u318F]
  Example:  안녕하세요
  Matches:  5 (안, 녕, 하, 세, 요)

Latin Extended (homoglyph source)
  Regex (\x{} form): [\x{C0}-\x{24F}\x{1E00}-\x{1EFF}]
  Regex (\u form):   [\u00C0-\u024F\u1E00-\u1EFF]
  Example:  éàçÑ
  Matches:  4 (é, à, ç, Ñ)

Math alphanumeric (homoglyph attack)
  Regex (\x{} form): [\x{1D400}-\x{1D7FF}]
  Regex (\U form):   [\U0001D400-\U0001D7FF]
  Example:  𝐀𝐁𝐂
  Matches:  3 (𝐀, 𝐁, 𝐂)

Zero-width / formatting
  Regex (\x{} form): [\x{200B}-\x{200F}\x{202A}-\x{202E}\x{2060}-\x{206F}\x{FEFF}]
  Regex (\u form):   [\u200B-\u200F\u202A-\u202E\u2060-\u206F\uFEFF]
  Example:  user\u200Bname
  Matches:  1 (\u200B)

Combining marks
  Regex (\x{} form): [\x{300}-\x{36F}]
  Regex (\u form):   [\u0300-\u036F]
  Example:  e\u0301
  Matches:  1 (\u0301)

Time / date

ISO 8601 / RFC 3339
  Regex:    \b(?<ISO>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+\-]\d{2}:?\d{2})?)\b
  Example:  2024-08-15T14:23:01.453Z
  Captures: ISO=2024-08-15T14:23:01.453Z

Unix epoch (seconds)
  Regex:    \b(?<Epoch>1[0-9]{9}|2[0-9]{9})\b
  Example:  1723732981
  Captures: Epoch=1723732981

Unix epoch (milliseconds)
  Regex:    \b(?<EpochMs>1[0-9]{12}|2[0-9]{12})\b
  Example:  1723732981453
  Captures: EpochMs=1723732981453

Syslog timestamp
  Regex:    \b(?<Syslog>(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\s{1,2}\d{1,2}\s+\d{2}:\d{2}:\d{2})\b
  Example:  Aug 15 14:23:01
  Captures: Syslog=Aug 15 14:23:01

Quoted strings & arguments

Double-quoted string
  Regex:    "(?<DqStr>(?:[^"\\\r\n]+|\\.)*)"
  Example:  "hello \"world\""
  Captures: DqStr=hello \"world\"

Single-quoted string
  Regex:    '(?<SqStr>(?:[^'\\\r\n]+|\\.)*)'
  Example:  'don\'t panic'
  Captures: SqStr=don\'t panic

Backtick-quoted string
  Regex:    `(?<BtStr>[^`\r\n]*)`
  Example:  `echo $USER`
  Captures: BtStr=echo $USER

--key=value flag
  Regex:    --(?<Key>[a-zA-Z][a-zA-Z0-9\-]*)=(?<Value>\S*)
  Example:  --config=/etc/app.conf
  Captures: Key=config, Value=/etc/app.conf

--key value flag
  Regex:    --(?<Key>[a-zA-Z][a-zA-Z0-9\-]*)\s+(?<Value>[^\s\-]\S*)
  Example:  --output report.json
  Captures: Key=output, Value=report.json

Numbers

Port (1-65535)
  Regex:    \b(?<Port>6553[0-5]|655[0-2]\d|65[0-4]\d{2}|6[0-4]\d{3}|[1-5]\d{4}|[1-9]\d{0,3})\b
  Example:  8443
  Captures: Port=8443

Hex with 0x prefix
  Regex:    \b0x(?<HexVal>[0-9a-fA-F]+)\b
  Example:  0xDEADBEEF
  Captures: HexVal=DEADBEEF

Signed integer
  Regex:    (?<![\w.])(?<Int>-?\d+)(?![\w.])
  Example:  -2147483648
  Captures: Int=-2147483648

Float / scientific
  Regex:    (?<![\w.])(?<Float>-?\d+\.\d+(?:[eE][+\-]?\d+)?)(?![\w])
  Example:  3.14159e-2
  Captures: Float=3.14159e-2

PII

SSN (US)
  Regex:    \b(?<SSN>(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4})\b
  Example:  234-56-7890
  Captures: SSN=234-56-7890

Credit card (shape)
  Regex:    \b(?<CC>(?:4\d{3}|5[1-5]\d{2}|3[47]\d{2}|6(?:011|5\d{2}))[\s\-]?\d{4}[\s\-]?\d{4}[\s\-]?\d{4})\b
  Example:  4111-1111-1111-1111
  Captures: CC=4111-1111-1111-1111

US phone
  Regex:    (?<!\w)(?<Phone>(?:\+?1[\s\-.])?\(?[2-9]\d{2}\)?[\s\-.]?\d{3}[\s\-.]?\d{4})\b
  Example:  (555) 123-4567
  Captures: Phone=(555) 123-4567

IBAN
  Regex:    \b(?<IBAN>[A-Z]{2}\d{2}[A-Z0-9]{4}\d{7}[A-Z0-9]*)\b
  Example:  GB29NWBK60161331926819
  Captures: IBAN=GB29NWBK60161331926819

MAC address
  Regex:    \b(?<MAC>(?:[0-9a-fA-F]{2}[:\-]){5}[0-9a-fA-F]{2})\b
  Example:  00:1A:2B:3C:4D:5E
  Captures: MAC=00:1A:2B:3C:4D:5E

Cryptocurrency wallets

Bitcoin
  Regex:    \b(?<BTC>bc1[a-zA-HJ-NP-Z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b
  Example:  bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh
  Captures: BTC=bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh

Ethereum
  Regex:    \b(?<ETH>0x[a-fA-F0-9]{40})\b
  Example:  0x742d35Cc6634C0532925a3b844Bc9e7595f7E5b1
  Captures: ETH=0x742d35Cc6634C0532925a3b844Bc9e7595f7E5b1

Monero
  Regex:    \b(?<XMR>4[0-9AB][1-9A-HJ-NP-Za-km-z]{93})\b
  Example:  48edfHu7V9Z84YzzMa6fUueoELZ9ZRXq9JFsuZjK8WiHHrUNvi8MzrZ3VcD3W9gReZUzRHhDKPHqZqK4ZuVsUqEMRn3PgtR
  Captures: XMR=48edfHu7V9Z84YzzMa6fUueoELZ9ZRXq9JFsuZjK8WiHHrUNvi8MzrZ3VcD3W9gReZUzRHhDKPHqZqK4ZuVsUqEMRn3PgtR