Detects executables signed with stolen, revoked or invalid certificate
According to VirusTotal, WinSCP-5.19.6-Setup.exe is "signed with stolen, revoked or invalid certificate".
What does it mean?
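import "pe"

rule INDICATOR_KB_CERT_0232466dc95b40ec9d21d9329abfcd5d {
    meta:
        author = "ditekSHen"
        description = "Detects executables signed with stolen, revoked or invalid certificate"
        thumbprint = "fb845245cfbb0ee97e76c775348caa31d74bec4c"
    condition:
        // File starts with the MZ header, i.e. it is a PE executable
        uint16(0) == 0x5a4d and
        // Any embedded signature whose signer subject and certificate serial match;
        // the thumbprint above is metadata only and is not part of the condition
        for any i in (0..pe.number_of_signatures): (
            pe.signatures[i].subject contains "Martin Prikryl" and
            pe.signatures[i].serial == "02:32:46:6d:c9:5b:40:ec:9d:21:d9:32:9a:bf:cd:5d"
        )
}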