DefenderYara/Exploit/Win32/ReverseRDP/Exploit_Win32_ReverseRDP_A.yar

rule Exploit_Win32_ReverseRDP_A{
	meta:
		description = "Exploit:Win32/ReverseRDP.A,SIGNATURE_TYPE_PEHSTR,04 00 04 00 04 00 00 "
		
	strings :
		$a_01_0 = {66 00 61 00 78 00 20 00 28 00 72 00 65 00 64 00 69 00 72 00 65 00 63 00 74 00 65 00 64 00 } //1 fax (redirected
		$a_01_1 = {5c 00 53 00 65 00 73 00 73 00 69 00 6f 00 6e 00 73 00 5c 00 30 00 5c 00 44 00 6f 00 73 00 44 00 65 00 76 00 69 00 63 00 65 00 73 00 5c 00 25 00 30 00 38 00 58 00 2d 00 25 00 30 00 38 00 58 00 5c 00 28 00 6e 00 75 00 6c 00 6c 00 29 00 5c 00 25 00 73 00 } //1 \Sessions\0\DosDevices\%08X-%08X\(null)\%s
		$a_01_2 = {50 00 72 00 6f 00 67 00 72 00 61 00 6d 00 20 00 46 00 69 00 6c 00 65 00 73 00 5c 00 48 00 79 00 70 00 65 00 72 00 2d 00 56 00 5c 00 77 00 66 00 73 00 2e 00 65 00 78 00 65 00 } //1 Program Files\Hyper-V\wfs.exe
		$a_01_3 = {46 61 69 6c 65 64 20 74 6f 20 66 69 6e 64 20 46 61 78 20 73 68 61 72 65 64 20 70 72 69 6e 74 65 72 } //1 Failed to find Fax shared printer
	condition:
		((#a_01_0  & 1)*1+(#a_01_1  & 1)*1+(#a_01_2  & 1)*1+(#a_01_3  & 1)*1) >=4
 
}