Common Information

Value:
rule MTI_Hunting_POOLRAT {
	meta:
		author = "Mandiant"
		disclaimer = "This rule is meant for hunting and is not tested to run in a production environment"
		description = "Detects strings found in POOLRAT. "
		md5 = "451c23709ecd5a8461ad060f6346930c"
		date = "10/28/2020"
		version = "1"
	strings:
		$str1 = "name=\"uid\"%s%s%u%s" ascii wide
		$str2 = "name=\"session\"%s%s%u%s" ascii wide
		$str3 = "name=\"action\"%s%s%s%s" ascii wide
		$str4 = "name=\"token\"%s%s%u%s" ascii wide
		$boundary = "--N9dLfqxHNUUw8qaUPqggVTpX-" ascii wide nocase
	condition:
		any of ($str*) or $boundary
}
Category:
Type: Yara Rule
Misp Type:
Description:

Details: Website
Published: 2023-04-20
Attributes: 72
CTI Title: 3CX Software Supply Chain Compromise Initiated by a Prior Software Supply Chain Compromise; Suspected North Korean Actor Responsible | Mandiant
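Added example, not part of this MISP record and not Mandiant's code: a pure-Python emulation of the string matching in MTI_Hunting_POOLRAT, so the rule's coverage can be sanity-checked against a buffer when yara-python is not installed. It reproduces the `ascii wide` modifier on every string and the extra `nocase` on `$boundary`, then evaluates the rule's condition (`any of ($str*) or $boundary`). The three sample buffers are constructed for illustration and are not real POOLRAT artifacts; the function and variable names are the example's own. Note that the rule's meta marks it as a hunting rule: a single hit on one printf-style format string is enough to fire, which is deliberately loose.

```python
from __future__ import annotations

# Added example, not part of the MISP record or of Mandiant's rule: a
# pure-Python emulation of MTI_Hunting_POOLRAT's string matching. The sample
# buffers below are constructed for illustration, not real POOLRAT artifacts.

# Literals copied from the rule. $str1..$str4 are printf-style format strings
# used to build multipart form-data fields; $boundary is the MIME boundary.
# Every string carries `ascii wide`; only $boundary also carries `nocase`.
RULE_STRINGS = {
    "$str1": (b'name="uid"%s%s%u%s', False),
    "$str2": (b'name="session"%s%s%u%s', False),
    "$str3": (b'name="action"%s%s%s%s', False),
    "$str4": (b'name="token"%s%s%u%s', False),
    "$boundary": (b"--N9dLfqxHNUUw8qaUPqggVTpX-", True),
}


def wide(literal: bytes) -> bytes:
    """YARA `wide`: the ASCII literal re-encoded as UTF-16LE (byte, NUL, ...)."""
    return literal.decode("ascii").encode("utf-16-le")


def find_all(haystack: bytes, needle: bytes) -> list[int]:
    """Every (possibly overlapping) offset of needle in haystack."""
    offsets, start = [], 0
    while (pos := haystack.find(needle, start)) != -1:
        offsets.append(pos)
        start = pos + 1
    return offsets


def find_matches(data: bytes) -> dict[str, list[int]]:
    """Map each rule string identifier to the offsets where it occurs in data,
    honouring the ascii/wide/nocase modifiers it carries in the rule."""
    matches: dict[str, list[int]] = {}
    for ident, (literal, nocase) in RULE_STRINGS.items():
        # bytes.lower() folds only ASCII letters, so it is safe to apply to
        # the NUL-interleaved wide form as well as to the raw buffer.
        hay = data.lower() if nocase else data
        base = literal.lower() if nocase else literal
        offsets = find_all(hay, base) + find_all(hay, wide(base))
        if offsets:
            matches[ident] = sorted(offsets)
    return matches


def mti_hunting_poolrat(data: bytes) -> bool:
    """The rule's condition: any of ($str*) or $boundary."""
    found = find_matches(data)
    return any(ident.startswith("$str") for ident in found) or "$boundary" in found


# Constructed test buffers (not real samples).
# 1) The $str1 format string embedded as plain ASCII in a data section.
SAMPLE_ASCII_FORMAT = (
    b"\x00" * 16
    + b'Content-Disposition: form-data; name="uid"%s%s%u%s\r\n'
    + b"\x00" * 8
)
# 2) The boundary upper-cased and stored as UTF-16LE: only `wide nocase`
#    lets the rule see it.
SAMPLE_WIDE_BOUNDARY = b"junk" + wide(RULE_STRINGS["$boundary"][0].upper()) + b"junk"
# 3) An ordinary multipart body: the field name appears, but without the
#    %s/%u specifiers the rule keys on, so the rule must not fire.
SAMPLE_BENIGN = (
    b'--boundary\r\nContent-Disposition: form-data; name="uid"\r\n\r\n'
    b"1234\r\n--boundary--\r\n"
)

if __name__ == "__main__":
    for name, buf in [("ascii format string", SAMPLE_ASCII_FORMAT),
                      ("wide boundary", SAMPLE_WIDE_BOUNDARY),
                      ("benign multipart", SAMPLE_BENIGN)]:
        print(f"{name:20s} -> {mti_hunting_poolrat(buf)} {find_matches(buf)}")
```

With yara-python available, compiling the rule text from this record and calling `.match(data=buf)` on the same three buffers should give the same verdicts; a disagreement would point to a transcription error in the rule text rather than in the emulation.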