
Commit dfb43a4

[Test Rules] [PR #4515] modified rule: Fake thread with suspicious indicators
1 parent aac667b commit dfb43a4

1 file changed

Lines changed: 11 additions & 7 deletions

File tree

detection-rules/4515_fake_thread_suspicious_indicators.yml

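--- a/detection-rules/4515_fake_thread_suspicious_indicators.yml
+++ b/detection-rules/4515_fake_thread_suspicious_indicators.yml
@@ -121,21 +121,25 @@ source: |
 (
 any($org_vips,
 strings.icontains(body.html.inner_text, .display_name)
-or strings.icontains(body.html.inner_text,
-strings.concat(.first_name, " ", .last_name)
-)
 or strings.icontains(body.html.inner_text,
 strings.concat(.last_name, ", ", .first_name)
 )
+or any(regex.extract(.display_name,
+'\A(?P<name>.+?)\s*[\((][^))]*[))]\s*\z'
+),
+strings.icontains(body.html.inner_text, .named_groups["name"])
+)
 )
 or any($org_vips,
 strings.icontains(body.plain.raw, .display_name)
-or strings.icontains(body.plain.raw,
-strings.concat(.first_name, " ", .last_name)
-)
 or strings.icontains(body.plain.raw,
 strings.concat(.last_name, ", ", .first_name)
 )
+or any(regex.extract(.display_name,
+'\A(?P<name>.+?)\s*[\((][^))]*[))]\s*\z'
+),
+strings.icontains(body.plain.raw, .named_groups["name"])
+)
 )
 ),
 
@@ -204,4 +208,4 @@ detection_methods:
 id: "5bdf57da-06d5-51ea-bcf6-4a6be0d461bb"
 og_id: "c2e18a57-1f52-544f-bb6d-a578e286cf89"
 testing_pr: 4515
-testing_sha: 1658ad9fc984cdf4e2a8a85f6af83206ffd6dde1
+testing_sha: 3c7644f9963fb214445fd5add76ce8f949a4acf0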
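Review bot: The `name` group captured by the new `regex.extract` calls has no minimum-length guard, so a VIP display name such as `Li (IT)` (constructed example) yields a two-character token that `strings.icontains` will find in almost any body, widening the match well beyond what the previous `first_name`/`last_name` concatenation checks covered. Consider gating the `strings.icontains(..., .named_groups["name"])` comparison on the length of the extracted group, or on it containing at least one space, in both the `body.html.inner_text` and `body.plain.raw` branches. Separately, the character classes `[\((]` and `[))]` as rendered list the ASCII parenthesis twice; if fullwidth parentheses were intended, confirm they survived into the committed file rather than being normalized. The enclosing `source` expression starts and ends outside the hunk.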
