ioc-finder
Some file paths are matched incorrectly.
For example, with this URL: https://www.socinvestigation.com/socgholish-malware-on-the-rise-detection-response/
I got this:
"file_paths": [
"/all*\") OR (CommandHistory=\"*whoami /all*\")))) OR (ImageFileName=\"*\\\\nltest.exe",
"/all%'))) or (\"Image\" ilike '%\\nltest.exe",
"/all'))) or (NewProcessName endswith @'\\nltest.exe",
"/all`)) OR (process:`*\\nltest.exe",
"/all*\")) OR (Image=\"*\\\\nltest.exe",
"/all\"))) or (FolderPath endswith @\"\\nltest.exe",
"/all*\"))) OR (Image=\"*\\\\nltest.exe",
"/all'))) || ((Image contains 'nltest.exe",
"/all*\" OR deviceCustomString1 CONTAINS \"*whoami /all*\"))))) OR (((destinationProcessName ENDSWITH \"*\\\\nltest.exe",
"/all*)) OR (process_name:*\\\\nltest.exe",
"/all*\")))) OR (Image=\"*\\nltest.exe"
]
I'm not sure if it's from windows_file_path or unix_file_path, but maybe 'windows_file_path' should not allow :*?"<>| (not at the start)?
\/:*?"<>| are characters that filenames are not allowed to contain.
In fact, the blank space has also caused too many problems.
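As an added illustration of the suggestion above (example code written for this page, not ioc-finder's own regexes): the loose pattern below is an assumption modelled on the reported output, a match that runs from a slash to the next ".ext" and swallows everything in between, and the stricter pattern applies the proposal that a Windows path segment may not contain `\/:*?"<>|`. The sample lines are constructed; the first is shaped like the SIEM rule text quoted in the report.

```python
import re

# Characters Windows forbids inside a file or directory name.
WINDOWS_FORBIDDEN = r'\\/:*?"<>|'

# Loose pattern, written here to reproduce the over-match in the report
# (an assumption about the failing regex, not ioc-finder's actual pattern):
# anything from a slash up to the next ".ext".
LOOSE_PATH = re.compile(r'[\\/][^\r\n]*?\.[A-Za-z0-9]{2,4}\b')

# One path segment: no forbidden characters and no whitespace. Whitespace is
# excluded on purpose: "C:\Program Files\x.exe" is legal, but allowing spaces
# lets the pattern run into surrounding query text (the other problem the
# report mentions), so this trades a truncated "C:\Program" for no garbage.
_SEG = rf'[^{WINDOWS_FORBIDDEN}\s]+'

# Stricter pattern: a drive letter or UNC prefix followed by at least one
# backslash-separated segment, or at least two segments with no prefix.
# A bare "\name.exe" is a filename rather than a path and is not matched.
# The lookbehind stops "created:" from being read as a drive letter.
WINDOWS_PATH = re.compile(
    rf'(?<![A-Za-z0-9])'
    rf'(?:(?:[A-Za-z]:|\\\\{_SEG})(?:\\{_SEG})+|(?:\\{_SEG}){{2,}})'
)


def extract_loose(text: str) -> list[str]:
    """Reproduce the over-matching behaviour from the report."""
    return LOOSE_PATH.findall(text)


def extract_windows_paths(text: str) -> list[str]:
    """Extract Windows paths whose segments contain no forbidden characters."""
    return WINDOWS_PATH.findall(text)


# Constructed sample input, not taken from the linked article.
SAMPLES = [
    # Shaped like the detection-rule text quoted in the report.
    r'(CommandLine="*whoami /all*")))) OR (ImageFileName="*\\nltest.exe")',
    # A genuine local path inside a process-creation log line.
    r'Process created: C:\Windows\System32\nltest.exe /domain_trusts',
    # A UNC path next to a unix path, which the Windows pattern must ignore.
    r'copied payload to \\fileserver\share\update.ps1 and ran /usr/bin/whoami',
]


if __name__ == "__main__":
    for line in SAMPLES:
        print(line)
        print("  loose :", extract_loose(line))
        print("  strict:", extract_windows_paths(line))
```

On the first sample the loose pattern returns the whole `/all*")))) OR (ImageFileName="*\\nltest.exe` fragment seen in the report, while the stricter pattern returns nothing, because the only backslash-delimited token is a lone filename. On the second sample the loose pattern also drops the `C:` prefix, which the stricter pattern keeps. A forbidden character inside a segment terminates the match rather than being absorbed, so `C:\Temp\bad|name.exe` yields `C:\Temp\bad`; whether to discard such truncated matches is a separate decision.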
Thanks for reporting this, @FANGOD! As your example demonstrates, file path parsing has been a weak point of this library for a while.
Improving file path parsing isn't my top priority right now, but this is definitely something I want to address in the near future. Thanks again for taking the time to report this bug - it's very helpful!