From 95b6adf3b9edcda08566efa56c5cd11f27b715eb Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Tue, 16 Mar 2021 16:27:09 +0100
Subject: [PATCH 1/2] rule: cryptominer rule
---
 yara/mal_exchange_cryptominer.yar | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
 create mode 100644 yara/mal_exchange_cryptominer.yar
diff --git a/yara/mal_exchange_cryptominer.yar b/yara/mal_exchange_cryptominer.yar
new file mode 100644
index 0000000..1049734
--- /dev/null
+++ b/yara/mal_exchange_cryptominer.yar
@@ -0,0 +1,14 @@
+rule MAL_Exchange_CryptoMiner_Mar21_1 {
+ meta:
+ description = "Detects Cryptominer activity exploiting exchange vulnerability"
+ author = "Florian Roth"
+ date = "2021-03-16"
+ reference = "https://twitter.com/ollieatnccgroup/status/1371840592246870023"
+ score = 60
+ strings:
+ $s1 = "wmic.exe product where"
+ $s2 = "%Antivirus%"
+ $s3 = "call uninstall /noninteractive"
+ condition:
+ all of them
+}
From 5534a7d2c1c4b3110a6d791c21e051d1313c0bf8 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Tue, 16 Mar 2021 16:27:36 +0100
Subject: [PATCH 2/2] fix: rule string casing
---
 yara/mal_exchange_cryptominer.yar | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/yara/mal_exchange_cryptominer.yar b/yara/mal_exchange_cryptominer.yar
index 1049734..b8d087b 100644
--- a/yara/mal_exchange_cryptominer.yar
+++ b/yara/mal_exchange_cryptominer.yar
@@ -7,7 +7,7 @@ rule MAL_Exchange_CryptoMiner_Mar21_1 {
 score = 60
 strings:
 $s1 = "wmic.exe product where"
- $s2 = "%Antivirus%"
+ $s2 = "%AntiVirus%"
 $s3 = "call uninstall /noninteractive"
 condition:
 all of them
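Review bot: The `description` meta on the new side overstates what the rule observes: the three strings (`wmic.exe product where`, `%Antivirus%`, `call uninstall /noninteractive`) match a WMIC-driven uninstall of antivirus products, which is neither Exchange- nor miner-specific, so an analyst triaging a hit should be told the observable is defense evasion rather than mining. A wording such as `description = "Detects WMIC-based antivirus uninstall routine seen in cryptominer activity following Exchange exploitation"` keeps the campaign context without implying the strings identify the miner itself. All three strings are also declared without modifiers, so a script body stored as UTF-16 would not match; if the referenced sample can appear in that encoding, which the hunk does not show, `$s1 = "wmic.exe product where" ascii wide` (and the same on $s2 and $s3) would close that gap at negligible scan cost.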
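Review bot: Changing the literal from `%Antivirus%` to `%AntiVirus%` pins the rule to a single capitalization, but the value is a WQL `LIKE` pattern and WQL string comparison is case-insensitive, so a later copy of the same script can change the casing without changing its effect and no longer match. A `nocase` modifier keeps this fix while covering both spellings seen across the two commits: `$s2 = "%AntiVirus%" nocase`. The context lines $s1 and $s3 are cmd.exe commands and switches, which are likewise case-insensitive at execution, so the same modifier would be reasonable on them as well.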