This answer here - https://stackoverflow.com/posts/58483988/revisions (definitely worth reading to understand the ostensible regex rules for yara) - appears to work for about 20 of the given binaries I'm looking for, such as the following:
cuckoo.filesystem.file_access(/^C:\\(.*\\)?dnx\.exe$/i) or
cuckoo.filesystem.file_access(/C\:\\WINDOWS\\system32\\Dxcap.exe/) or
cuckoo.filesystem.file_access(/C\:\\WINDOWS\\system32\\dxcap.exe/) or
cuckoo.filesystem.file_access(/^C:\\Program Files\\(Microsoft Office\\)?(.*\\)?Excel\.exe$/i) or
cuckoo.filesystem.file_access(/^C:\\Program Files\\(Microsoft Office\\)?(.*\\)?EXCEL\.exe$/i) or
cuckoo.filesystem.file_access(/^C:\\Program Files\\(Microsoft Office\\)?(.*\\)?excel\.exe$/i) or
cuckoo.filesystem.file_access(/^C:\\Program Files (x86)\\(Microsoft Office\\)?(.*\\)?Excel\.exe$/i) or
cuckoo.filesystem.file_access(/^C:\\Program Files (x86)\\(Microsoft Office\\)?(.*\\)?EXCEL\.exe$/i) or
cuckoo.filesystem.file_access(/^C:\\Program Files (x86)\\(Microsoft Office\\)?(.*\\)?excel\.exe$/i) or
However, errors appear to occur with the following line:
cuckoo.filesystem.file_access(/^C:\\Program Files (x86)\\)?(.*\\)?mftrace\.exe$/i) or
that error being: Line 28 syntax error: unexpected ')'
Lines 27, 28 and 29 being:
cuckoo.filesystem.file_access(/^C:\\Program Files (x86)\\(Microsoft Office\\)?(.*\\)?excel\.exe$/i) or
cuckoo.filesystem.file_access(/^C:\\Program Files (x86)\\)?(.*\\)?mftrace\.exe$/i) or
cuckoo.filesystem.file_access(/^C:\\Program Files\\)?(.*\\)?mftrace\.exe$/i) or
What error am I making with my yara rules?
To match the following directories:
C:\Program Files (x86)\ * \ mftrace.exe
Where the asterisk stands for basically any intermediary path between Program Files (x86) and mftrace.exe.
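An added illustration of the two regex problems in the question (not part of the original post, and not YARA or Cuckoo code): Python's `re` module is used here as a stand-in for YARA's regex engine, which treats `^`, `$`, `\\`, `(...)?`, `.*` and the `i` flag the same way for these patterns. The first pattern body is copied from the failing line 28; its `(x86)\\)?` has a `)` with no matching `(`, which is exactly what "unexpected ')'" reports. The second, balanced pattern also escapes the parentheses in `(x86)`, because an unescaped `(x86)` is a capturing group that matches the text `x86` without parentheses, so the "working" Excel lines above would parse but never match the real `C:\Program Files (x86)\` directory. The sample paths are constructed for the example, and the combined pattern assumes you want one rule covering both `Program Files` and `Program Files (x86)` (lines 28 and 29).

```python
import re

# Constructed sample of file-access paths, in the shape a Cuckoo report lists them.
# First four should match the intended rule; last two should not.
SAMPLE_PATHS = [
    r"C:\Program Files (x86)\Windows Kits\10\bin\mftrace.exe",
    r"C:\Program Files (x86)\mftrace.exe",
    r"C:\Program Files\Windows Kits\10\bin\mftrace.exe",
    r"C:\PROGRAM FILES (X86)\MFTRACE.EXE",       # case differs: the 'i' flag must cover it
    r"C:\Program Files x86\Tools\mftrace.exe",   # no parentheses in the directory name
    r"C:\Users\alice\Desktop\mftrace.exe",       # outside Program Files entirely
]

# Pattern body exactly as posted on line 28 (the text between the / ... / delimiters).
# The ')' after 'Program Files (x86)\\' has no opening '(' -> syntax error.
BROKEN = r"^C:\\Program Files (x86)\\)?(.*\\)?mftrace\.exe$"

# Balanced and escaped version: '\(' and '\)' match literal parentheses, the
# ' (x86)' part is an optional group that is both opened and closed, and
# '(.*\\)?' absorbs any intermediate directories (the asterisk in the question).
FIXED = r"^C:\\Program Files( \(x86\))?\\(.*\\)?mftrace\.exe$"

# Same construct as the Excel lines in the question: parses fine, but '(x86)' is a
# group matching the three characters 'x86', not the literal text '(x86)'.
UNESCAPED = r"^C:\\Program Files (x86)\\(.*\\)?mftrace\.exe$"


def compiles(pattern: str) -> bool:
    """Return True if the pattern body parses, False on a syntax error
    (the Python equivalent of YARA's 'syntax error: unexpected )')."""
    try:
        re.compile(pattern, re.IGNORECASE)
        return True
    except re.error:
        return False


def matching_paths(pattern: str, paths=SAMPLE_PATHS) -> list:
    """Return the sample paths the pattern matches, case-insensitively (the 'i' flag)."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [p for p in paths if rx.search(p)]


if __name__ == "__main__":
    print("line-28 pattern parses:", compiles(BROKEN))      # False
    print("fixed pattern parses:  ", compiles(FIXED))       # True
    print("fixed matches:   ", matching_paths(FIXED))       # first four sample paths
    print("unescaped matches:", matching_paths(UNESCAPED))  # only 'Program Files x86\...'
```

Run as-is to see the three outcomes side by side; the unescaped result is the one to check in the rules that "appear to work", since a pattern that compiles but matches the wrong directory produces no error, only silence.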