WindowsPE

yara LOW Yara-Rules 2026-03-19

community

This detection content is auto-generated from open-source rule repositories and enriched with AI analysis. Always validate rules in a test environment before deploying to production Sentinel workspaces.
View original rule at Yara-Rules →
Retrieved: 2026-03-19T03:46:59Z · Confidence: medium

Hunt Hypothesis

YARA rule: WindowsPE

YARA Rule

rule WindowsPE
{
    condition:
        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

Microsoft Defender for Endpoint — Custom indicators / advanced hunting
Email Gateway — Attachment scanning
File Share Monitoring — Periodic scanning of shared drives
YARA CLI — Manual threat hunting on endpoints
Source Rule

Original source: https://github.com/Yara-Rules/rules/blob/main/antidebug_antivm/antidebug_antivm.yar