IOC Sample for Disk Scanning IOCs

The following IOC sample matches a file whose file name contains vmtoolsd.exe and whose file path contains C:\Program Files\VMware\VMware Tools. Both conditions must be true for the indicator to match.

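<?xml version="1.0" encoding="us-ascii"?>
<!--
  Disk-scanning IOC sample. It matches a file whose path contains
  "C:\Program Files\VMware\VMware Tools" AND whose name contains
  "vmtoolsd.exe". Both terms use condition="contains", so they are
  substring matches on name and location only; nothing in this
  definition checks a hash, signature or size. The short description
  is "QA" and the values appear to describe a VMware Tools install
  location, so treat this as a functional test sample rather than as
  evidence of malicious activity.
-->
<ioc xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xmlns:xsd="http://www.w3.org/2001/XMLSchema"
     id="72b85cfa-ea89-4633-983b-c2aa01a2b312"
     last-modified="2014-03-12T12:03:59"
     xmlns="http://schemas.mandiant.com/2010/ioc">
  <short_description>QA</short_description>
  <authored_by>Smart Sensor Team</authored_by>
  <authored_date>2014-03-12T11:48:50</authored_date>
  <links />
  <definition>
    <!--
      NOTE(review): the nested Indicator below reuses the id of its
      parent, and the two IndicatorItem elements share one id. When
      adapting this sample, give every Indicator and IndicatorItem its
      own GUID so that a hit can be traced back to a single node.
    -->
    <!-- Outer OR group: it has a single child, so the AND group decides the match. -->
    <Indicator operator="OR"
               id="5be0c2e0-53e0-49e9-842d-75d92d3261b3">
      <!-- AND group: the path term and the name term must both match the same FileItem. -->
      <Indicator operator="AND"
                 id="5be0c2e0-53e0-49e9-842d-75d92d3261b3">
        <!-- Term 1: substring match on the file path. -->
        <IndicatorItem id="10ee8b41-3586-41ad-b8ce-90e088706ef4"
                       condition="contains">
          <Context document="FileItem"
                   search="FileItem/FilePath"
                   type="mir" />
          <!--
            The value is kept on one line with no padding. Whitespace or a
            line break inside Content is part of the element text and may
            be passed to the matcher as part of the search string.
          -->
          <Content type="string">C:\Program Files\VMware\VMware Tools</Content>
        </IndicatorItem>
        <!-- Term 2: substring match on the file name. -->
        <IndicatorItem id="10ee8b41-3586-41ad-b8ce-90e088706ef4"
                       condition="contains">
          <Context document="FileItem"
                   search="FileItem/FileName"
                   type="mir" />
          <Content type="string">vmtoolsd.exe</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>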