rule Windows_Wiper_HERMETICWIPER {
	meta:
		Author = "Elastic Security"
		creation_date = "2022-02-24"
		last_modified = "2022-02-24"
		os = "Windows"
		arch = "x86"
		category_type = "Wiper"
		family = "HERMETICWIPER"
		threat_name = "Windows.Wiper.HERMETICWIPER"
		description = "Detects HERMETICWIPER used to target Ukrainian organization"
		reference_sample = "1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591"
	strings:
		$a1 = "\\\\?\\C:\\Windows\\System32\\winevt\\Logs" wide fullword
		$a2 = "\\\\.\\EPMNTDRV\\%u" wide fullword
		$a3 = "tdrv.pdb" ascii fullword
		$a4 = "%s%.2s" wide fullword
		$a5 = "ccessdri" ascii fullword
		$a6 = "Hermetica Digital"
	condition:
		all of them
}