rule M_Hunting_TANKTRAP_XML_1 {
	meta:
		author = "Mandiant"
		description = "Strings associated TANKTRAP XML GPO policy"
	strings:
		$r1 = /ImmediateTask clsid=\"\{9F030D12-DDA3-4C26-8548-B7CE9151166A\}\" name=\"[a-zA-Z]{5}\"/
	condition:
		filesize < 5MB and all of them
}