Great JS
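rule Multi_String_IOC : threat_hunting high_confidence
{
    // Hunts for a known toolset by requiring several independent IOC strings
    // to co-occur in one file, which keeps a single coincidental hit from firing.
    meta:
        description = "Detects artifacts of a known threat by counting IOC strings."
        threat_actor = "APT-42"
    strings:
        $s1 = "persistence_key_01" ascii
        $s2 = "network_beacon_host_id" ascii
        $s3 = { 5A 4C 53 52 45 42 } // Binary marker "ZLSREB" (bytes 5A 4C 53 52 45 42)
        $s4 = "data_exfiltration_tag" wide
    condition:
        // Require at least 3 DISTINCT strings to be present. The earlier form,
        // "#s1 + #s2 + #s3 + #s4 >= 3", summed occurrence counts, so a single
        // string repeated three times (e.g. $s2 alone) satisfied it - a false
        // positive the description does not intend. "3 of them" counts each
        // $sN at most once regardless of how many times it occurs.
        3 of them
}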
