fix: FP

Neo23x0 · Neo23x0 · commit 923992f01b2c · 2025-12-12T10:56:53.000+01:00
diff --git a/yara/react_pocs_indicators_dec25.yar b/yara/react_pocs_indicators_dec25.yar
@@ -93,6 +93,8 @@ rule EXPL_SUSP_JS_POC_Dec25 {
       $xr1 = /process\.mainModule\.require\(["']child_process["']\).{5,40}\(["'](whoami|powershell|\/bin\/sh|\/bin\/bash|wget|curl|cat \/etc\/passwd|uname|id["'])/
    condition:
       1 of them
+      // not XML
+      and not uint16(0) == 0x3c3f
 }
 
 rule EXPL_SUSP_JS_POC_RSC_Detector_Payloads_Dec25 {

Original file line number	Diff line number	Diff line change
`@@ -93,6 +93,8 @@ rule EXPL_SUSP_JS_POC_Dec25 {`
`93`	`93`	`$xr1 = /process\.mainModule\.require\(["']child_process["']\).{5,40}\(["'](whoami\|powershell\|\/bin\/sh\|\/bin\/bash\|wget\|curl\|cat \/etc\/passwd\|uname\|id["'])/`
`94`	`94`	`condition:`
`95`	`95`	`1 of them`
	`96`	`+ // not XML`
	`97`	`+ and not uint16(0) == 0x3c3f`
`96`	`98`	`}`
`97`	`99`
`98`	`100`	`rule EXPL_SUSP_JS_POC_RSC_Detector_Payloads_Dec25 {`