/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
rule POS_bruteforcing_bot
{
meta:
maltype = "botnet"
ref = "https://github.com/reed1713"
reference = "http://www.alienvault.com/open-threat-exchange/blog/botnet-bruteforcing-point-of-sale-via-remote-desktop"
date = "3/11/2014"
description = "botnet bruteforcing POS terms via RDP"
strings:
$type="Microsoft-Windows-Security-Auditing"
$eventid="4688"
$data="\\AppData\\Roaming\\lsacs.exe"
condition:
all of them
}