rule Windows_Trojan_Octopus_15813e26 { meta: author = "Elastic Security" id = "15813e26-77f8-46cf-a6a3-ae081925b85a" fingerprint = "a3294547f7e3cead0cd64eb3d2e7dbd8ccfc4d9eedede240a643c8cd114cbcce" creation_date = "2021-11-10" last_modified = "2022-01-13" description = "Identifies Octopus, an Open source pre-operation C2 server based on Python and PowerShell" threat_name = "Windows.Trojan.Octopus" severity = 100 arch_context = "x86" scan_context = "file, memory" license = "Elastic License v2" os = "windows" strings: $a = "C:\\Users\\UNKNOWN\\source\\repos\\OctopusUnmanagedExe\\OctopusUnmanagedExe\\obj\\x64\\Release\\SystemConfiguration.pdb" ascii fullword condition: all of them }