rule YARA_Detect_WindowsDefender_AVEmulator
{
    meta:
        description = "Goat files inside Defender AV Emulator's file system. Often used in PE malware as an evasion technique to evade executing in Windows Defender's AV Emulator."
        author = "@albertzsigovits"
        date = "2024-07-10"
        reference = "https://media.defcon.org/DEF%20CON%2026/DEF%20CON%2026%20presentations/Alexei-Bulazel-Reverse-Engineering-Windows-Defender-Updated.pdf"
        sha256 = "eb80da614515ff14b3fc312bef38b0d765ce3f4356db5b7b301a3b7c47f7c311"

    strings:
        $ = "\\INTERNAL\\__empty" ascii wide
        $ = "myapp.exe" ascii wide
        $ = "aaa_TouchMeNot_.txt" ascii wide
    condition:
        uint16(0) == 0x5A4D
        and uint32(uint32(0x3C)) == 0x00004550
        and 2 of them
}