reference absolute stream path on Windows

rule:
  meta:
    name: reference absolute stream path on Windows
    namespace: host-interaction/file-system
    authors:
      - blas.kojusner@mandiant.com
      - william.ballenthin@mandiant.com
    scopes:
      static: basic block
      dynamic: call
    references:
      - https://learn.microsoft.com/en-us/windows/win32/fileio/file-streams
    examples:
      - 51828683DC26BFABD3994494099AE97D:0x11A9
  features:
    - and:
      - string: /^(\\\\\?\\)?([\w]\:|\\)(\\((?![\<\>\"\/\|\*\?\:\\])[\x20-\x5B\x5D-\x7E])+)+\:\$?[a-zA-Z0-9_]+/
        # ^(\\\\\?\\)? -> Check for path starting with "\\?\"
        # ([\w]\:|\\) -> Check for absolute path beginning
        # (\\((?![\<\>\"\/\|\*\?\:\\])[\x20-\x5B\x5D-\x7E])+)+ -> Check for valid path and filename
        #   \\ -> Check for double backslash path separator
        #   (?![\<\>\"\/\|\*\?\:\\]) -> path component must not start with <, >, ", ...
        #   [\x20-\x5B\x5D-\x7E] -> path component must be printable ASCII, except backslash path separator
        # : -> Check for start of stream filename
        # \$?[a-zA-Z0-9_]+ -> Check for valid stream filename
        ### Example Matches:
        ### \\\\server\\share\\file:stream
        ### \\\\server\\share\\dir.ext\\file.ext:stream 
        ### \\\\server\\share\\dir\\file.ext:stream.ext
        ### \\\\?\\C:\\dir1\\dir2\\file:stream
        ### C:\\dir\\file:stream.ext
        ### d:\\myfile.dat:stream1
        ### c:\\string:myfile.dat