Common Information
Type | Value |
---|---|
Category | |
Type | Yara Rule |
Misp Type | |
Description | |
Value | (YARA rule below) |

```yara
rule SpicyHotPot_KMDF_Protect {
    meta:
        description = "SpicyHotPot - KMDF_Protect.sys: Used to identify driver protection and filtering component"
        author = "jai-minton"
        reference = "https://www.crowdstrike.com/blog/author/jai-minton/"
        copyright = "(c) 2020 CrowdStrike Inc."
        date = "2020-11-01"
        hash1 = "ab0418eb1863c8a2211d06c764f45884c9b7dbd6d1943137fc010b8f3b8d14ae"

    strings:
        // $x* : process names the driver references (high-confidence indicators)
        $x1 = "wdlogin.exe" wide fullword
        $x2 = "\\Windows\\System32\\cmd.exe" wide fullword
        $x3 = "wuhost.exe" wide fullword
        $x4 = "wrme.exe" wide fullword
        $x5 = "UpdateSelf.exe" ascii fullword
        $x6 = "wccenter.exe" wide fullword

        // $s* : security-product module and process names the driver filters on
        $s1 = "jCloudScan.dll" wide fullword
        $s2 = "DSFScan.dll" wide fullword
        $s3 = "avescan.dll" wide fullword
        $s4 = "\\Cloudcom2.dll" wide fullword
        $s5 = "\\Cloudcom264.dll" wide fullword
        $s6 = "AVEIEngine.dll" wide fullword
        $s7 = "AVEI.dll" wide fullword
        $s8 = "BAPI.dll" wide fullword
        $s9 = "BAPI64.dll" wide fullword
        $s10 = "360Tray.exe" ascii fullword
        $s11 = "360Safe.exe" ascii fullword
        $s12 = "\\jCloudScan.dll" wide fullword
        $s13 = "\\deepscan64.dll" wide fullword
        $s14 = "\\deepscan.dll" wide fullword

    condition:
        // PE file ("MZ" header), under 1000 KB, with enough of both string groups present
        uint16(0) == 0x5a4d and filesize < 1000KB and 2 of ($x*) and 6 of ($s*)
}
```