compiled with pyarmor

rule:
  meta:
    name: compiled with pyarmor
    namespace: compiler/pyarmor
    authors:
      - "@stvemillertime, @itreallynick"
    scopes:
      static: file
      dynamic: file
    att&ck:
      - Execution::Command and Scripting Interpreter::Python [T1059.006]
      - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002]
    references:
      - https://twitter.com/stvemillertime/status/1349032548580483073
    examples:
      - a0fb20bc9aa944c3a0a6c4545c195818
  features:
    - or:
      - string: "pyarmor_runtimesh"
      - string: "PYARMOR"
      - string: "__pyarmor__"
      - string: "PYARMOR_SIGNATURE"