Powershell Regex: Match on entire string if it contains a period that is not at the beginning nor the end

Question

I've been stuck on this for about 2 days now. Unfortunately I may only use powershell (which I'm not good at). I want to match the following criteria using regex:

hxxp://www[.]website[.]org

google.com

www.google[.]com

foob://geller.xyz

hxxps://website[.]net/tree/branch/etc

I'm looking at urls & domains (for IOCs) that are fanged and defanged. The url/domain are of all different formats except they always include a anycharacter.anycharacter . I thought the best way to match would be if the string has a period with characters on both sides to then match with the beginning and end of the string. The closest I have come is:

^.*\b[^.]+$\b

However, I'm not getting positive results with anything I've tried. I would appreciate if anyone has any ideas. To show that I'm not lazy here's what I've got for the other IOCs (I'm just stuck on this one):

#Select a file with a dialog. TXT only

Add-Type -AssemblyName System.Windows.Forms
$FileBrowser = New-Object System.Windows.Forms.OpenFileDialog -Property @{
    InitialDirectory = [Environment]::GetFolderPath('Desktop')
    Filter = 'TXT (*.txt)|*.txt'
}
[void]$FileBrowser.ShowDialog()
$FileBrowser.FileNames

#Sets file & applies set string while creating first ouput file

#First regex matches IPV4 <-- works well!
$input_path = $FileBrowser.FileNames
$output_file = ‘C:\Users\output.csv'
$regex = ‘\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b’
select-string -Path $input_path -Pattern $regex -AllMatches | % { $_.Matches } | % { $_.Value } > $output_file


#Second regex2 matches  domains  <- is a problem
$regex2 = '\b^.*[^.]+$\b'
select-string $input_path -Pattern $regex2 -AllMatches | % { $_.Matches } | % { $_.Value } | Out-File -FilePath C:\Users\01100\Desktop\Folder\output.csv -Append

#Third matches any file extension <--- works well!
$regex3 = '^\.[a-zA-Z0-9]+$'
select-string $input_path -Pattern $regex3 -AllMatches | % { $_.Matches } | % { $_.Value } | Out-File -FilePath C:\Users\01100\Desktop\Folder\output.csv -Append

#Fourth matches any hash  <--- works well!
$regex4 = '[A-Fa-f0-9]{15,}'
select-string $input_path -Pattern $regex4 -AllMatches | % { $_.Matches } | % { $_.Value } | Out-File -FilePath C:\Users\01100\Desktop\Folder\output.csv -Append

#Fifth matches defanged IPs  <---works well!
$regex5 = '\b\d{1,3}[^b]\.[^b]\d{1,3}[^b]\.[^b]\d{1,3}[^b]\.[^b]\d{1,3}\b'
select-string $input_path -Pattern $regex5 -AllMatches | % { $_.Matches } | % { $_.Value } | Out-File -FilePath C:\Users\01100\Desktop\Folder\output.csv -Append

Answer 1

If I understand correctly, you want to match all lines that represent a domain name or url? You will find out, that is not a trivial matter. There exist various examples of regular expressions to validate domain names or urls (look for example here or here). But the more accurate they are required to be, the more complex they will become.

In your case, it will be even more difficult, because you have different formats (sometimes with or without scheme, or query string).

How accurate your regex needs to be depends on your use case and how much work you are willing to put into it. Based on your example and your question title, I suppose you want a very basic version.

I suggest this one, it should work for the most common cases:

'^([a-z0–9-]+://)?([a-z0–9-]+\.)+[a-z0–9-]+(/.*)?$'

Short explanation:

([a-z0–9-]+://)? check for optional schema at the start (no particular one)

([a-z0–9-]+\.)+[a-z0–9]+ domain incl. optional subdomains, followed by top-level-domain

(/.*)? match optional query string (without validation)

If you need more accuracy, you can use this regex as a first step to filter the input, and then perform further tests on the input strings. You could validate if it's a valid url, or check if the domain name exists.

Answer 2

If you are using brackets as a standard for defanged URL/URI, then just look for those. If they are not there, then of course the URL/URL is still hot.

Clear-Host
(@'
hxxp://www[.]website[.]org

google.com

www.google[.]com

foob://geller.xyz

hxxps://website[.]net/tree/branch/etc

.foob://geller.xyz
foob://geller.xyz.
'@) -split "`n" | 
ForEach-Object {
    $Url = $PSitem
    Try {Write-Warning -Message "Defanged URL $(([regex]::Matches($Url, '.*\[\.\].*').Value))"}
    Catch {Write-Verbose "Fanged URL : $Url" -Verbose}
}
# Results
<#
WARNING: Defanged URL hxxp://www[.]website[.]org
VERBOSE: Fanged URL : 
VERBOSE: Fanged URL : google.com
VERBOSE: Fanged URL : 
WARNING: Defanged URL www.google[.]com
VERBOSE: Fanged URL : 
VERBOSE: Fanged URL : foob://geller.xyz
VERBOSE: Fanged URL : 
WARNING: Defanged URL hxxps://website[.]net/tree/branch/etc
VERBOSE: Fanged URL : 
VERBOSE: Fanged URL : .foob://geller.xyz
VERBOSE: Fanged URL : foob://geller.xyz.
#>

If you are just trying to exclude the strings with a 'period' at the beginning or end of a string, regardless of what the string is, then this is a working example of that, utilizing RegEx 'not' expression.

Clear-Host
(@'
hxxp://www[.]website[.]org

google.com

www.google[.]com

foob://geller.xyz

hxxps://website[.]net/tree/branch/etc

.foob://geller.xyz
foob://geller.xyz.
'@) -split "`n" | 
ForEach-Object {
Try{([regex]::Matches($PSitem, '^((?!(((^\..*)|(.*\.$)))).)*$')).Value}
Catch{}
}
# Results
<#
hxxp://www.website.org
google.com
www.google.com
foob://geller.xyz
hxxps://website.net/tree/branch/etc
#>

...or doing the reverse, then:

Clear-Host
(@'
hxxp://www[.]website[.]org

google.com

www.google[.]com

foob://geller.xyz

hxxps://website[.]net/tree/branch/etc

.foob://geller.xyz
foob://geller.xyz.
'@) -split "`n" | 
ForEach-Object {
Try{([regex]::Matches($PSitem, '^((^\..*|(.*\.$)))')).Value}
Catch{}
}
# Results
<#
.foob://geller.xyz
foob://geller.xyz.
#>

Or skip all the RegEx altogether and say this..

Clear-Host
(@'
hxxp://www[.]website[.]org

google.com

www.google[.]com

foob://geller.xyz

hxxps://website[.]net/tree/branch/etc

.foob://geller.xyz
foob://geller.xyz.
'@) -split "`n" | 
ForEach-Object {
    If($PSItem[0] -eq '.' -or $PSItem[-1] -eq '.'){}
    Else {$PSItem}
}
# Results
<#
hxxp://www[.]website[.]org

google.com

www.google[.]com

foob://geller.xyz

hxxps://website[.]net/tree/branch/etc

 

#>

You could also look to using the .Net namespace to see what is being returned and use the properties to make your decision.

Clear-Host
@'
hxxp://www[.]website[.]org
google.com
www.google[.]com
foob://geller.xyz
hxxps://website[.]net/tree/branch/etc
'@ -split "`n" | 
ForEach {
    Try {($PSItem.trim() -as [System.URI])}
    Catch {$PSItem.Exception.Message}
}
# Results
<#
AbsolutePath   : 
AbsoluteUri    : 
LocalPath      : 
Authority      : 
HostNameType   : 
IsDefaultPort  : 
IsFile         : 
IsLoopback     : 
PathAndQuery   : 
Segments       : 
IsUnc          : 
Host           : 
Port           : 
Query          : 
Fragment       : 
Scheme         : 
OriginalString : google.com
DnsSafeHost    : 
IdnHost        : 
IsAbsoluteUri  : False
UserEscaped    : False
UserInfo       : 

AbsolutePath   : 
AbsoluteUri    : 
LocalPath      : 
Authority      : 
HostNameType   : 
IsDefaultPort  : 
IsFile         : 
IsLoopback     : 
PathAndQuery   : 
Segments       : 
IsUnc          : 
Host           : 
Port           : 
Query          : 
Fragment       : 
Scheme         : 
OriginalString : www.google[.]com
DnsSafeHost    : 
IdnHost        : 
IsAbsoluteUri  : False
UserEscaped    : False
UserInfo       : 

AbsolutePath   : /
AbsoluteUri    : foob://geller.xyz/
LocalPath      : /
Authority      : geller.xyz
HostNameType   : Dns
IsDefaultPort  : True
IsFile         : False
IsLoopback     : False
PathAndQuery   : /
Segments       : {/}
IsUnc          : False
Host           : geller.xyz
Port           : -1
Query          : 
Fragment       : 
Scheme         : foob
OriginalString : foob://geller.xyz
DnsSafeHost    : geller.xyz
IdnHost        : geller.xyz
IsAbsoluteUri  : True
UserEscaped    : False
UserInfo       : 
#>