Forest Blizzard APT - File Creation Activity

detection:
    selection_programdata_driver_store:
        TargetFilename|startswith:
            - 'C:\ProgramData\Microsoft\v'
            - 'C:\ProgramData\Adobe\v'
            - 'C:\ProgramData\Comms\v'
            - 'C:\ProgramData\Intel\v'
            - 'C:\ProgramData\Kaspersky Lab\v'
            - 'C:\ProgramData\Bitdefender\v'
            - 'C:\ProgramData\ESET\v'
            - 'C:\ProgramData\NVIDIA\v'
            - 'C:\ProgramData\UbiSoft\v'
            - 'C:\ProgramData\Steam\v'
        TargetFilename|contains:
            - '\prnms003.inf_'
            - '\prnms009.inf_'
    selection_programdata_main:
        TargetFilename|startswith: 'C:\ProgramData\'
    selection_programdata_files_1:
        TargetFilename|endswith:
            - '.save'
            - '\doit.bat'
            - '\execute.bat'
            - '\servtask.bat'
        # Hashes|contains: '7d51e5cc51c43da5deae5fbc2dce9b85c0656c465bb25ab6bd063a503c1806a9' # Uncommon this if you collect hash information inf file events
    selection_programdata_files_2:
        TargetFilename|contains: '\wayzgoose'
        TargetFilename|endswith: '.dll'
    condition: selection_programdata_driver_store or (selection_programdata_main and 1 of selection_programdata_files_*)