itsreallynick/dailyworkflow.yar

## dailyworkflow.yar
// Background:

rule Hunting_Workflow_Collection_XOML {
	meta:
		author = "Nick Carr - @itsreallynick"
	strings:
		$workflow1 = "<SequentialWorkflowActivity" nocase ascii wide
        $workflow2 = "Code" nocase ascii wide
	condition:
		uint16(0) != 0x5A4D and all of ($workflow*) and new_file
}

rule Hunting_Workflow_Collection_Compiler {
	meta:
		author = "Nick Carr - @itsreallynick"
	strings:
		$workflow1 = "<CompilerInput" nocase ascii wide
        $workflow2 = "<parameters" nocase ascii wide
        $options1 = "<coreAssemblyFileName" nocase ascii wide
        $options2 = "<generate" nocase ascii wide
        $options3 = "languageToUse>CSharp" nocase ascii wide
        $options4 = "<win32Resource" nocase ascii wide
        $options5 = "<embeddedResources" nocase ascii wide
        $options6 = "<assemblyNames" nocase ascii wide
        $options7 = "/System.CodeDom.Compiler" nocase ascii wide
	condition:
		uint16(0) != 0x5A4D and all of ($workflow*) and 4 of ($options*) and new_file
}
	// Background:

	rule Hunting_Workflow_Collection_XOML {
	meta:
	author = "Nick Carr - @itsreallynick"
	strings:
	$workflow1 = "<SequentialWorkflowActivity" nocase ascii wide
	$workflow2 = "Code" nocase ascii wide
	condition:
	uint16(0) != 0x5A4D and all of ($workflow*) and new_file
	}

	rule Hunting_Workflow_Collection_Compiler {
	meta:
	author = "Nick Carr - @itsreallynick"
	strings:
	$workflow1 = "<CompilerInput" nocase ascii wide
	$workflow2 = "<parameters" nocase ascii wide
	$options1 = "<coreAssemblyFileName" nocase ascii wide
	$options2 = "<generate" nocase ascii wide
	$options3 = "languageToUse>CSharp" nocase ascii wide
	$options4 = "<win32Resource" nocase ascii wide
	$options5 = "<embeddedResources" nocase ascii wide
	$options6 = "<assemblyNames" nocase ascii wide
	$options7 = "/System.CodeDom.Compiler" nocase ascii wide
	condition:
	uint16(0) != 0x5A4D and all of ($workflow) and 4 of ($options) and new_file
	}