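rule Detect_EventLogTampering: AntiForensic
{
    meta:
        description = "Detect NtLoadDriver and other as anti-forensic"
        author = "Unprotect"
        comment = "Experimental rule"
        // NOTE(review): the rule name says "EventLogTampering" but the strings
        // only cover NtLoadDriver / NdrClientCall2; the name is kept for callers
        // (rule-set references, match labels) and the mismatch is documented here.

    strings:
        // Fix: the original literal was "NtLoadDriver " (trailing space). In an
        // import table the name is NUL-terminated, so with `fullword` the
        // space-suffixed literal would essentially never match; the API name is
        // matched as-is instead.
        $1 = "NtLoadDriver" fullword ascii
        // NdrClientCall2 is the generic RPC marshalling stub imported from
        // rpcrt4.dll by a very large number of benign binaries, so this atom on
        // its own is a weak indicator and a known false-positive source.
        $2 = "NdrClientCall2" fullword ascii

    condition:
        // MZ header, PE size cap, and any one of the two atoms. Because $2 is
        // generic, `any of them` is effectively "any PE under ~1 MB that uses
        // RPC or driver loading" — treat hits as hunting leads, not alerts.
        uint16(0) == 0x5A4D and filesize < 1000KB and any of them
}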