├── ConventionEngine.yar
├── Definitive Dossier of Devilish Debug Details - Archived.docx
└── README.md
/ConventionEngine.yar:
--------------------------------------------------------------------------------
// Rule appendix for the Definitive Dossier of Devilish Debug Details
// Blog link: https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html
// For more info, bother @stvemillertime or the #AdvancedPractices team on Twitter
// Updated on 2019-08-30, initial performance improvements by Florian Roth (@cyb3rops)
import "pe"
// used only in ConventionEngine_Anomaly_OutsideOfDebug
//
// NOTE(review): every ConventionEngine_Keyword_* rule below has the same shape:
//   condition  - uint16(0) == 0x5A4D ("MZ") and uint32(uint32(0x3C)) == 0x00004550
//                ("PE\0\0" at the e_lfanew offset), i.e. the file parses as a PE,
//                then exactly one regex must match.
//   $pcre      - "RSDS", 20 arbitrary bytes (presumably the 16-byte GUID and 4-byte
//                age of the CodeView RSDS record), a drive-letter path "X:\", up to
//                200 bytes, the keyword, up to 200 bytes, ".pdb" and a NUL terminator.
//                "nocase" applies to the whole regex, so the keyword is matched in
//                any case. Only drive-letter paths are covered; UNC or relative PDB
//                paths do not match these rules.
// NOTE(review): these are keyword rules for hunting and triage, not for blocking or
//   high-fidelity alerting. Several keywords (hook, anti, hide, sleep, socket,
//   encrypt, install, launch, reverse, uac, lol) occur in ordinary project paths,
//   so benign matches are expected and hits should be reviewed by an analyst.
// NOTE(review): the PDB path is emitted by the build toolchain and can be stripped
//   or set to anything by the author, so a non-match says nothing about a file and
//   a match is a lead, not a verdict.
// NOTE(review): the gap classes [\x00-\xFF]{0,200} also admit NUL bytes, so a match
//   may run past the terminator of the real path string into whatever follows it.
//   [^\x00]{0,200} would confine the match to one string; left unchanged here
//   because it alters published rule behaviour -- confirm against the sample set.
rule ConventionEngine_Keyword_Obfuscat
{
    meta:
        author = "@stvemillertime"
        description = "Searching for PE files with PDB path keywords, terms or anomalies."
        sample_md5 = "6724cef5a9a670d68e8ec00b6614997c"
        ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
    strings:
        $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}obfuscat[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
    condition:
        (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
}
rule ConventionEngine_Keyword_Hook
{
    meta:
        author = "@stvemillertime"
        description = "Searching for PE files with PDB path keywords, terms or anomalies."
        sample_md5 = "92156ddfa4c1ec330ffd24ccef127a7a"
        ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
    strings:
        $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}hook[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
    condition:
        (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
}
rule ConventionEngine_Keyword_Evil
{
    meta:
        author = "@stvemillertime"
        description = "Searching for PE files with PDB path keywords, terms or anomalies."
        sample_md5 = "9359b24a96df49972eda1750a35802de"
        ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
    strings:
        $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}evil[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
    condition:
        (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
}
rule ConventionEngine_Keyword_Inject
{
    meta:
        author = "@stvemillertime"
        description = "Searching for PE files with PDB path keywords, terms or anomalies."
        sample_md5 = "081686496db01e44871f4e4a09e35fed"
        ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
    strings:
        $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}inject[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
    condition:
        (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
}
rule ConventionEngine_Keyword_Trojan
{
    meta:
        author = "@stvemillertime"
        description = "Searching for PE files with PDB path keywords, terms or anomalies."
        sample_md5 = "060b2135d69fb33e8fc1c4d2bf7e2899"
        ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
    strings:
        $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}trojan[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
    condition:
        (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
}
rule ConventionEngine_Keyword_Hide
{
    meta:
        author = "@stvemillertime"
        description = "Searching for PE files with PDB path keywords, terms or anomalies."
        sample_md5 = "dd8af240a7a4a81b5f80250b44a778c4"
        ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
    strings:
        $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}hide[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
    condition:
        (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
}
// "anti" is a very short, common token (antivirus, quantity, ...); expect noise.
rule ConventionEngine_Keyword_Anti
{
    meta:
        author = "@stvemillertime"
        description = "Searching for PE files with PDB path keywords, terms or anomalies."
        sample_md5 = "d350ae5dc15bcc18fde382b84f4bb3d0"
        ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
    strings:
        $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}anti[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
    condition:
        (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
}
rule ConventionEngine_Keyword_Payload
{
    meta:
        author = "@stvemillertime"
        description = "Searching for PE files with PDB path keywords, terms or anomalies."
        sample_md5 = "10c534cacf65b604c1c2a30341bd2394"
        ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
    strings:
        $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}payload[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
    condition:
        (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
}
rule ConventionEngine_Keyword_Keylog
{
    meta:
        author = "@stvemillertime"
        description = "Searching for PE files with PDB path keywords, terms or anomalies."
        sample_md5 = "1d7fd704fe4e41feff9e3a005ed868d6"
        ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
    strings:
        $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}keylog[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
    condition:
        (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
}
rule ConventionEngine_Keyword_Bypass
{
    meta:
        author = "@stvemillertime"
        description = "Searching for PE files with PDB path keywords, terms or anomalies."
        sample_md5 = "00b8356235e510be95e367a25418b5cc"
        ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
    strings:
        $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}bypass[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
    condition:
        (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
}
rule ConventionEngine_Keyword_Beacon
{
    meta:
        author = "@stvemillertime"
        description = "Searching for PE files with PDB path keywords, terms or anomalies."
        sample_md5 = "798afd5f648774c3133ea5e087efc2c1"
        ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
    strings:
        $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}beacon[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
    condition:
        (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
}
// Three-letter token with nocase; also matches inside unrelated words (e.g. "guacamole").
rule ConventionEngine_Keyword_UAC
{
    meta:
        author = "@stvemillertime"
        description = "Searching for PE files with PDB path keywords, terms or anomalies."
        sample_md5 = "2e62974fbce2fc1bbde763b986ad7b77"
        ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
    strings:
        $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}uac[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
    condition:
        (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
}
rule ConventionEngine_Keyword_Svchost
{
    meta:
        author = "@stvemillertime"
        description = "Searching for PE files with PDB path keywords, terms or anomalies."
        sample_md5 = "c1206ba56f7f0c2698adcb3280f345be"
        ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
    strings:
        $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}svchost[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
    condition:
        (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
}
// "svhost" is not a substring of "svchost", so this is a separate (presumably
// misspelling / masquerade) variant of ConventionEngine_Keyword_Svchost.
rule ConventionEngine_Keyword_Svhost
{
    meta:
        author = "@stvemillertime"
        description = "Searching for PE files with PDB path keywords, terms or anomalies."
        sample_md5 = "8edf49fd8421edc7f58997bb16961cf4"
        ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
    strings:
        $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}svhost[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
    condition:
        (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
}
rule ConventionEngine_Keyword_Dropper
{
    meta:
        author = "@stvemillertime"
        description = "Searching for PE files with PDB path keywords, terms or anomalies."
        sample_md5 = "4847f692942358aff51b72ffcb3e40ac"
        ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
    strings:
        $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}dropper[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
    condition:
        (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
}
rule ConventionEngine_Keyword_Attack
{
    meta:
        author = "@stvemillertime"
        description = "Searching for PE files with PDB path keywords, terms or anomalies."
        sample_md5 = "d6b1989d9c271b8575326e4fca159ae8"
        ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
    strings:
        $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}attack[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
    condition:
        (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
}
// "encrypt" is common in legitimate crypto/library paths; treat as a triage lead only.
rule ConventionEngine_Keyword_Encrypt
{
    meta:
        author = "@stvemillertime"
        description = "Searching for PE files with PDB path keywords, terms or anomalies."
        sample_md5 = "65746ec8d8488066a129821c27fcbfb3"
        ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
    strings:
        $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}encrypt[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
    condition:
        (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
}
rule ConventionEngine_Keyword_Exploit
{
    meta:
        author = "@stvemillertime"
        description = "Searching for PE files with PDB path keywords, terms or anomalies."
        sample_md5 = "4215d029dd26c29ce3e0cab530979b19"
        ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
    strings:
        $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}exploit[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
    condition:
        (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
}
rule ConventionEngine_Keyword_Ransom
{
    meta:
        author = "@stvemillertime"
        description = "Searching for PE files with PDB path keywords, terms or anomalies."
        sample_md5 = "363bfef1781c107a08f46267f7676579"
        ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
    strings:
        $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}ransom[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
    condition:
        (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
}
rule ConventionEngine_Keyword_Spy
{
    meta:
        author = "@stvemillertime"
        description = "Searching for PE files with PDB path keywords, terms or anomalies."
        sample_md5 = "15db41840f77723aa7e43460d9d3a5cc"
        ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
    strings:
        $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}spy[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
    condition:
        (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
}
rule ConventionEngine_Keyword_Horse
{
    meta:
        author = "@stvemillertime"
        description = "Searching for PE files with PDB path keywords, terms or anomalies."
        sample_md5 = "1aa4a05fa321676b9934cd3aa54a5f95"
        ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
    strings:
        $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}horse[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
    condition:
        (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
}
rule ConventionEngine_Keyword_CVE
{
    meta:
        author = "@stvemillertime"
        description = "Searching for PE files with PDB path keywords, terms or anomalies."
        sample_md5 = "89dd326a64fdd77b467d2db1cc15e8ef"
        ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
    strings:
        $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}cve[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
    condition:
        (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
}
rule ConventionEngine_Keyword_shellcode
{
    meta:
        author = "@stvemillertime"
        description = "Searching for PE files with PDB path keywords, terms or anomalies."
        sample_md5 = "2cd7bc18377abb2464f55453e5bfab20"
        ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
    strings:
        $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}shellcode[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
    condition:
        (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
}
rule ConventionEngine_Keyword_Fake
{
    meta:
        author = "@stvemillertime"
        description = "Searching for PE files with PDB path keywords, terms or anomalies."
        sample_md5 = "124c475d67aa8391f5220efcc64ca5b3"
        ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
    strings:
        $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}fake[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
    condition:
        (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
}
rule ConventionEngine_Keyword_Backdoor
{
    meta:
        author = "@stvemillertime"
        description = "Searching for PE files with PDB path keywords, terms or anomalies."
        sample_md5 = "0017c2bfa513960f9ea4fee46382959b"
        ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
    strings:
        $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}backdoor[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
    condition:
        (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
}
// Abbreviated / misspelled "backdoor" forms; none of them contains "backdoor", so
// ConventionEngine_Keyword_Backdoor would not catch them.
rule ConventionEngine_Keyword_BDoor
{
    meta:
        author = "@stvemillertime"
        description = "Searching for PE files with PDB path keywords, terms or anomalies."
        sample_md5 = "ba08b593250c3ca5c13f56e2ca97d85e"
        ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
    strings:
        $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}(bkdoor|bckdoor|backdr)[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
    condition:
        (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
}
rule ConventionEngine_Keyword_Zombie
{
    meta:
        author = "@stvemillertime"
        description = "Searching for PE files with PDB path keywords, terms or anomalies."
        sample_md5 = "05ce6c5b7e14c34d4e6189dc19675c98"
        ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
    strings:
        $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}zombie[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
    condition:
        (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
}
rule ConventionEngine_Keyword_Rootkit
{
    meta:
        author = "@stvemillertime"
        description = "Searching for PE files with PDB path keywords, terms or anomalies."
        sample_md5 = "8d4c375e452c688b413882365437435b"
        ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
    strings:
        $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}rootkit[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
    condition:
        (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
}
rule ConventionEngine_Keyword_Fuck
{
    meta:
        author = "@stvemillertime"
        description = "Searching for PE files with PDB path keywords, terms or anomalies."
        sample_md5 = "bce1069dd099f15170c5fd05bae921b5"
        ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
    strings:
        $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}fuck[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
    condition:
        (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
}
rule ConventionEngine_Keyword_LoadDLL
{
    meta:
        author = "@stvemillertime"
        description = "Searching for PE files with PDB path keywords, terms or anomalies."
        sample_md5 = "e03f94cf5e3b1df208967a87df13ccb5"
        ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
    strings:
        $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}loaddll[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
    condition:
        (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
}
rule ConventionEngine_Keyword_Reflect
{
    meta:
        author = "@stvemillertime"
        description = "Searching for PE files with PDB path keywords, terms or anomalies."
        sample_md5 = "d4990a8d2ff6f2433acdad04521f85c6"
        ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
    strings:
        $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}reflect[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
    condition:
        (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
}
rule ConventionEngine_Keyword_Sleep
{
    meta:
        author = "@stvemillertime"
        description = "Searching for PE files with PDB path keywords, terms or anomalies."
        sample_md5 = "0ce134d66531d2070b2c7db1ffb0dc6f"
        ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
    strings:
        $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}sleep[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
    condition:
        (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
}
// "sploit" is a substring of "exploit", so this rule fires on every file that
// ConventionEngine_Keyword_Exploit matches, plus paths with "sploit" alone.
rule ConventionEngine_Keyword_Sploit
{
    meta:
        author = "@stvemillertime"
        description = "Searching for PE files with PDB path keywords, terms or anomalies."
        sample_md5 = "0637c45bdefaa93d26124c1f3899443a"
        ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
    strings:
        $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}sploit[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
    condition:
        (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
}
rule ConventionEngine_Keyword_Reverse
{
    meta:
        author = "@stvemillertime"
        description = "Searching for PE files with PDB path keywords, terms or anomalies."
        sample_md5 = "fccb98a9a510cdcf7c730eba548729de"
        ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
    strings:
        $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}reverse[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
    condition:
        (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
}
rule ConventionEngine_Keyword_Socket
{
    meta:
        author = "@stvemillertime"
        description = "Searching for PE files with PDB path keywords, terms or anomalies."
        sample_md5 = "9c836dcd5251c4c9272b408b486e65db"
        ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
    strings:
        $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}socket[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
    condition:
        (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
}
rule ConventionEngine_Keyword_PowerShell
{
    meta:
        author = "@stvemillertime"
        description = "Searching for PE files with PDB path keywords, terms or anomalies."
        sample_md5 = "33700535591774417e3282f7b40ae8ad"
        ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
    strings:
        $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}PowerShell[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
    condition:
        (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
}
rule ConventionEngine_Keyword_Infect
{
    meta:
        author = "@stvemillertime"
        description = "Searching for PE files with PDB path keywords, terms or anomalies."
        sample_md5 = "fdfea54231be21760b722d5cef32da2a"
        ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
    strings:
        $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}infect[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
    condition:
        (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
}
rule ConventionEngine_Keyword_Worm
{
    meta:
        author = "@stvemillertime"
        description = "Searching for PE files with PDB path keywords, terms or anomalies."
        // NOTE(review): identical to the sample_md5 of ConventionEngine_Keyword_Infect --
        // possibly a copy-paste slip; verify the reference sample for this rule.
        sample_md5 = "fdfea54231be21760b722d5cef32da2a"
        ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
    strings:
        $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}worm[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
    condition:
        (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
}
// Katz and Mimi are separate rules; presumably the two halves of "mimikatz" so
// that renamed or split builds still hit one of them.
rule ConventionEngine_Keyword_Katz
{
    meta:
        author = "@stvemillertime"
        description = "Searching for PE files with PDB path keywords, terms or anomalies."
        sample_md5 = "0512c5a8807e4fdeb662e61d81cd1645"
        ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
    strings:
        $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}katz[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
    condition:
        (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
}
rule ConventionEngine_Keyword_Mimi
{
    meta:
        author = "@stvemillertime"
        description = "Searching for PE files with PDB path keywords, terms or anomalies."
        sample_md5 = "a2bcbcc1465be96fbb957b14f29d1ea4"
        ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
    strings:
        $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}mimi[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
    condition:
        (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
}
// "droper" (single p) is not a substring of "dropper", so this misspelling needs
// its own rule alongside ConventionEngine_Keyword_Dropper.
rule ConventionEngine_Keyword_Droper
{
    meta:
        author = "@stvemillertime"
        description = "Searching for PE files with PDB path keywords, terms or anomalies."
        sample_md5 = "5410ab108cd251a2db724db762d6606c"
        ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
    strings:
        $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}droper[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
    condition:
        (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
}
// Author field differs from the rest of the file (kept as published).
rule ConventionEngine_Keyword_0day
{
    meta:
        author = "@a_tweeter_user"
        description = "Searching for PE files with PDB path keywords, terms or anomalies."
        sample_md5 = "e8df15f480b7044cf44faff4273dba8f"
        ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
    strings:
        $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}0day[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
    condition:
        (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
}
rule ConventionEngine_Keyword_Penetration
{
    meta:
        author = "@stvemillertime"
        description = "Searching for PE files with PDB path keywords, terms or anomalies."
        sample_md5 = "5f7796346d22ec5bd8c7b5a2e6caca3c"
        ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
    strings:
        $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}penetration[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
    condition:
        (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
}
rule ConventionEngine_Keyword_Wiper
{
    meta:
        author = "@stvemillertime"
        description = "Searching for PE files with PDB path keywords, terms or anomalies."
        sample_md5 = "3b740cca401715985f3a0c28f851b60e"
        ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
    strings:
        $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}wiper[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
    condition:
        (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
}
rule ConventionEngine_Keyword_Bootkit
{
    meta:
        author = "@stvemillertime"
        description = "Searching for PE files with PDB path keywords, terms or anomalies."
        sample_md5 = "b427a55b62d7f00c532d695c9b04b4d2"
        ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
    strings:
        $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}bootkit[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
    condition:
        (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
}
// Unlike the other keywords, "bot" must be adjacent to a delimiter (underscore, space,
// backslash or hyphen) on at least one side, so a bare substring such as "robot" or
// "bottom" does not match by itself.
rule ConventionEngine_Keyword_Bot
{
    meta:
        author = "@stvemillertime"
        description = "Searching for PE files with PDB path keywords, terms or anomalies."
        sample_md5 = "df1e54a3832aff3e714fa2c122aa7ea9"
        ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
    strings:
        $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}(bot_|_bot| bot|bot |bot\\|-bot|bot-|\\bot)[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
    condition:
        (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
}
rule ConventionEngine_Keyword_Csrss
{
    meta:
        author = "@stvemillertime"
        description = "Searching for PE files with PDB path keywords, terms or anomalies."
        sample_md5 = "72e743f7752367b461c42561021eb30d"
        ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
    strings:
        $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}csrss[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
    condition:
        (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
}
rule ConventionEngine_Keyword_Flood
{
    meta:
        author = "@stvemillertime"
        description = "Searching for PE files with PDB path keywords, terms or anomalies."
        sample_md5 = "17a8d440545859444491f2feca7c129f"
        ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
    strings:
        $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}flood[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
    condition:
        (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
}
rule ConventionEngine_Keyword_Overflow
{
    meta:
        author = "@stvemillertime"
        description = "Searching for PE files with PDB path keywords, terms or anomalies."
        // NOTE(review): no sample_md5 here, unlike the other rules -- add the reference
        // sample if one exists.
        ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
    strings:
        $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}overflow[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
    condition:
        (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
}
rule ConventionEngine_Keyword_Kali
{
    meta:
        author = "@stvemillertime"
        description = "Searching for PE files with PDB path keywords, terms or anomalies."
        sample_md5 = "2cc23a6d971a8dc2093b73f72c2380b4"
        ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
    strings:
        $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}kali[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
    condition:
        (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
}
rule ConventionEngine_Keyword_Malware
{
    meta:
        author = "@stvemillertime"
        description = "Searching for PE files with PDB path keywords, terms or anomalies."
        sample_md5 = "198ee041e8f3eb12a19bc321f86ccb88"
        ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
    strings:
        $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}malware[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
    condition:
        (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
}
rule ConventionEngine_Keyword_Miner
{
    meta:
        author = "@stvemillertime"
        description = "Searching for PE files with PDB path keywords, terms or anomalies."
        sample_md5 = "0409644ae4d1afb21c53339e244b5cc8"
        ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
    strings:
        $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}miner[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
    condition:
        (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
}
rule ConventionEngine_Keyword_Xmrig
{
    meta:
        author = "@stvemillertime"
        description = "Searching for PE files with PDB path keywords, terms or anomalies."
        sample_md5 = "433f936511c2302342f175ad020e34f1"
        ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
    strings:
        $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}xmrig[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
    condition:
        (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
}
rule ConventionEngine_Keyword_LOL
{
    meta:
        author = "@stvemillertime"
        description = "Searching for PE files with PDB path keywords, terms or anomalies."
        sample_md5 = "05486e8707ae94befde0bafd9bee5429"
        ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
    strings:
        $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}lol[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
    condition:
        (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
}
rule ConventionEngine_Keyword_FUD
{
    meta:
        author = "@stvemillertime"
        description = "Searching for PE files with PDB path keywords, terms or anomalies."
        sample_md5 = "07c281acbe2eeb479a73580560cec0b8"
        ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
    strings:
        $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}fud[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
    condition:
        (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
}
// "install" appears in a great many legitimate installer/setup projects; expect noise.
rule ConventionEngine_Keyword_Install
{
    meta:
        author = "@stvemillertime"
        description = "Searching for PE files with PDB path keywords, terms or anomalies."
        sample_md5 = "74494aff87db1ef5843cbf8c4d40cab1"
        ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
    strings:
        $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}install[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
    condition:
        (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
}
rule ConventionEngine_Keyword_Steal
{
    meta:
        author = "@stvemillertime"
        description = "Searching for PE files with PDB path keywords, terms or anomalies."
        sample_md5 = "f3f47f3986e9c55d36c49beefa627b54"
        ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
    strings:
        $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}steal[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
    condition:
        (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
}
rule ConventionEngine_Keyword_Launch
{
    meta:
        author = "@stvemillertime"
        description = "Searching for PE files with PDB path keywords, terms or anomalies."
        // NOTE(review): no sample_md5 here, unlike the other rules -- add the reference
        // sample if one exists.
        ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
    strings:
        $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}launch[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
    condition:
        (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
}
rule ConventionEngine_Keyword_Downloader
{
    meta:
        author = "@stvemillertime"
        description = "Searching for PE files with PDB path keywords, terms or anomalies."
706 | sample_md5 = "8c843aa6ded2f2cb4a78a8b4534ac063" 707 | ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html" 708 | strings: 709 | $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}downloader[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii 710 | condition: 711 | (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre 712 | } 713 | rule ConventionEngine_Keyword_Hack 714 | { 715 | meta: 716 | author = "@stvemillertime" 717 | description = "Searching for PE files with PDB path keywords, terms or anomalies." 718 | sample_md5 = "afe58fee2460947291e93bad9fb095ce" 719 | ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html" 720 | strings: 721 | $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}hack[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii 722 | condition: 723 | (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre 724 | } 725 | rule ConventionEngine_Keyword_Kill 726 | { 727 | meta: 728 | author = "@stvemillertime" 729 | description = "Searching for PE files with PDB path keywords, terms or anomalies." 730 | sample_md5 = "6d250a11f68b1fd4ed0505fb2965b6f7" 731 | ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html" 732 | strings: 733 | $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}kill[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii 734 | condition: 735 | (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre 736 | } 737 | rule ConventionEngine_Keyword_Implant 738 | { 739 | meta: 740 | author = "@stvemillertime" 741 | description = "Searching for PE files with PDB path keywords, terms or anomalies." 
742 | sample_md5 = "40451f20371329b992fb1b85c754d062" 743 | ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html" 744 | strings: 745 | $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}implant[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii 746 | condition: 747 | (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre and filesize < 3MB 748 | } 749 | rule ConventionEngine_Keyword_RAT 750 | { 751 | meta: 752 | author = "@stvemillertime" 753 | description = "Searching for PE files with PDB path keywords, terms or anomalies." 754 | sample_md5 = "18244062e6169b79f68d9b413cfd2c04" 755 | ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html" 756 | strings: 757 | $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}(\\rat|rat\\|\srat|\-rat|rat\.|rat\s)[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii 758 | $this = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}administrator[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii 759 | condition: 760 | (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre and not $this 761 | } 762 | rule ConventionEngine_Keyword_Shell 763 | { 764 | meta: 765 | author = "@stvemillertime" 766 | description = "Searching for PE files with PDB path keywords, terms or anomalies." 
767 | sample_md5 = "32a16eff23f6c35e22b0b7d041728f62" 768 | ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html" 769 | strings: 770 | $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}shell[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii 771 | $this = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}(shellcode|powershell)[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii 772 | condition: 773 | (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre and not $this 774 | } 775 | rule ConventionEngine_Keyword_Admin 776 | { 777 | meta: 778 | author = "@stvemillertime" 779 | description = "Searching for PE files with PDB path keywords, terms or anomalies." 780 | sample_md5 = "67fff57bb44d3458b17f0c7a7a45f405" 781 | ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html" 782 | strings: 783 | $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}Admin[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii 784 | $this = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}administrator[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii 785 | condition: 786 | (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre and not $this 787 | } 788 | rule ConventionEngine_Keyword_Proxy 789 | { 790 | meta: 791 | author = "@stvemillertime" 792 | description = "Searching for PE files with PDB path keywords, terms or anomalies." 
793 | sample_md5 = "7486404888b3223ef171a310426b2387" 794 | ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html" 795 | strings: 796 | $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}proxy[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii 797 | condition: 798 | (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre 799 | } 800 | rule ConventionEngine_Keyword_Virus 801 | { 802 | meta: 803 | author = "@stvemillertime" 804 | description = "Searching for PE files with PDB path keywords, terms or anomalies." 805 | sample_md5 = "5a537470e936dbb9611f95fb7f136a6e" 806 | ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html" 807 | strings: 808 | $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}virus[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii 809 | condition: 810 | (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre 811 | } 812 | rule ConventionEngine_Keyword_Bind 813 | { 814 | meta: 815 | author = "@stvemillertime" 816 | description = "Searching for PE files with PDB path keywords, terms or anomalies." 817 | sample_md5 = "0a2d51b0e58e41407f1a08744f1443b0" 818 | ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html" 819 | strings: 820 | $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}bind[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii 821 | condition: 822 | (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre 823 | } 824 | rule ConventionEngine_Keyword_1337 825 | { 826 | meta: 827 | author = "@itsreallynick" 828 | description = "Searching for PE files with PDB path keywords, terms or anomalies. 
-YOUR BOY CARR" 829 | sample_md5 = "e9ecca14f19fe192fc48e714a649cadd" 830 | ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html" 831 | strings: 832 | $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]?:?\\[\\\s|*\s]?.{0,250}\\[l1]33[7t][\\\s|*\s]?.{0,250}\.pdb\x00/ nocase 833 | condition: 834 | (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre 835 | } 836 | rule ConventionEngine_Keyword_Thinstall 837 | { 838 | meta: 839 | author = "@stvemillertime" 840 | description = "Searching for PE files with PDB path keywords, terms or anomalies." 841 | sample_md5 = "2ef545036c95aab395f3f2a3a0d38a9f" 842 | ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html" 843 | strings: 844 | $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}thinstall[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii 845 | condition: 846 | (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre 847 | } 848 | rule ConventionEngine_Keyword_Driver 849 | { 850 | meta: 851 | author = "@stvemillertime" 852 | description = "Searching for PE files with PDB path keywords, terms or anomalies." 853 | sample_md5 = "24a6ec8ebf9c0867ed1c097f4a653b8d" 854 | ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html" 855 | strings: 856 | $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}driver[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii 857 | condition: 858 | (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre and filesize < 3MB 859 | } 860 | rule ConventionEngine_Keyword_Client 861 | { 862 | meta: 863 | author = "@stvemillertime" 864 | description = "Searching for PE files with PDB path keywords, terms or anomalies." 
865 | sample_md5 = "24a6ec8ebf9c0867ed1c097f4a653b8d" 866 | ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html" 867 | strings: 868 | $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}client[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii 869 | condition: 870 | (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre and filesize < 3MB 871 | } 872 | rule ConventionEngine_Keyword_Server 873 | { 874 | meta: 875 | author = "@stvemillertime" 876 | description = "Searching for PE files with PDB path keywords, terms or anomalies." 877 | sample_md5 = "24a6ec8ebf9c0867ed1c097f4a653b8d" 878 | ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html" 879 | strings: 880 | $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}server[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii 881 | condition: 882 | (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre and filesize < 3MB 883 | } 884 | rule ConventionEngine_Term_GoogleDrive 885 | { 886 | meta: 887 | author = "@stvemillertime" 888 | description = "Searching for PE files with PDB path keywords, terms or anomalies." 889 | ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html" 890 | strings: 891 | $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}(Google Drive|Google \xd0\xb4\xd0\xb8\xd1\x81\xd0\xba|Google \xe4\xba\x91\xe7\xab\xaf\xe7\xa1\xac\xe7\x9b\x98)[\x00-\xFF] 892 | {0,200}\.pdb\x00/ nocase ascii 893 | condition: 894 | (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre 895 | } 896 | rule ConventionEngine_Term_Windows 897 | { 898 | meta: 899 | author = "@stvemillertime" 900 | description = "Searching for PE files with PDB path keywords, terms or anomalies." 
901 | sample_md5 = "25b965b0f56a7dc8a0e2aa7e72778497" 902 | ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html" 903 | strings: 904 | $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\Windows\\[\x00-\xFF]{0,200}\.pdb\x00/ 905 | condition: 906 | (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre 907 | } 908 | rule ConventionEngine_Term_Documents 909 | { 910 | meta: 911 | author = "@stvemillertime" 912 | description = "Searching for PE files with PDB path keywords, terms or anomalies." 913 | sample_md5 = "e766b979aecfc603b561b19e3880a7bc" 914 | ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html" 915 | strings: 916 | $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}\\Documents[\x00-\xFF]{0,200}\.pdb\x00/ 917 | $this = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}\\Documents and Settings[\x00-\xFF]{0,200}\.pdb\x00/ 918 | condition: 919 | (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre and not $this 920 | } 921 | rule ConventionEngine_Term_DocumentsAndSettings 922 | { 923 | meta: 924 | author = "@stvemillertime" 925 | description = "Searching for PE files with PDB path keywords, terms or anomalies." 
926 | sample_md5 = "e766b979aecfc603b561b19e3880a7bc" 927 | ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html" 928 | strings: 929 | $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}\\Documents and Settings[\x00-\xFF]{0,200}\.pdb\x00/ 930 | $this = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}\\Documents\\[\x00-\xFF]{0,200}\.pdb\x00/ 931 | condition: 932 | (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre and not $this 933 | } 934 | rule ConventionEngine_Term_Dropbox 935 | { 936 | meta: 937 | author = "@stvemillertime" 938 | description = "Searching for PE files with PDB path keywords, terms or anomalies." 939 | sample_md5 = "5d6bfa1a1add10dbd6745ddf915812ed" 940 | ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html" 941 | strings: 942 | $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}dropbox[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii 943 | condition: 944 | (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre 945 | } 946 | rule ConventionEngine_Term_OneDrive 947 | { 948 | meta: 949 | author = "@stvemillertime" 950 | description = "Searching for PE files with PDB path keywords, terms or anomalies." 951 | ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html" 952 | strings: 953 | $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}OneDrive[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii 954 | condition: 955 | (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre 956 | } 957 | rule ConventionEngine_Term_ConsoleApplication 958 | { 959 | meta: 960 | author = "@stvemillertime" 961 | description = "Searching for PE files with PDB path keywords, terms or anomalies." 
962 | sample_md5 = "4840ee7971322e1a6da801643432b25f" 963 | ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html" 964 | strings: 965 | $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}overflow[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii 966 | condition: 967 | (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre 968 | } 969 | rule ConventionEngine_Term_WindowsApplication 970 | { 971 | meta: 972 | author = "@stvemillertime" 973 | description = "Searching for PE files with PDB path keywords, terms or anomalies." 974 | sample_md5 = "f097c1b0c8fe178de14717a4fc8f2a91" 975 | ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html" 976 | strings: 977 | $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}WindowsApplication[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii 978 | condition: 979 | (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre 980 | } 981 | rule ConventionEngine_Term_WindowsFormsApplication 982 | { 983 | meta: 984 | author = "@stvemillertime" 985 | description = "Searching for PE files with PDB path keywords, terms or anomalies." 986 | sample_md5 = "b51c35d5606c173961b2aa4e6867b40a" 987 | ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html" 988 | strings: 989 | $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}WindowsFormsApplication[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii 990 | condition: 991 | (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre 992 | } 993 | rule ConventionEngine_Term_NewFolder 994 | { 995 | meta: 996 | author = "@stvemillertime" 997 | description = "Searching for PE files with PDB path keywords, terms or anomalies." 
998 | sample_md5 = "fe23fa6df4d8fb500859f0f76e92552d" 999 | ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html" 1000 | strings: 1001 | $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}New Folder[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii 1002 | condition: 1003 | (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre 1004 | } 1005 | rule ConventionEngine_Term_Copy 1006 | { 1007 | meta: 1008 | author = "@stvemillertime" 1009 | description = "Searching for PE files with PDB path keywords, terms or anomalies." 1010 | sample_md5 = "6156214b767254d5282bc7feef950dca" 1011 | ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html" 1012 | strings: 1013 | $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}- Copy[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii 1014 | condition: 1015 | (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre 1016 | } 1017 | rule ConventionEngine_Term_Desktop 1018 | { 1019 | meta: 1020 | author = "@stvemillertime" 1021 | description = "Searching for PE files with PDB path keywords, terms or anomalies." 1022 | sample_md5 = "71cdba3859ca8bd03c1e996a790c04f9" 1023 | ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html" 1024 | strings: 1025 | $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}Desktop[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii 1026 | condition: 1027 | (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre 1028 | } 1029 | rule ConventionEngine_Term_Users 1030 | { 1031 | meta: 1032 | author = "@stvemillertime" 1033 | description = "Searching for PE files with PDB path keywords, terms or anomalies." 
1034 | sample_md5 = "09e4e6fa85b802c46bc121fcaecc5666" 1035 | ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html" 1036 | strings: 1037 | $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}Users[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii 1038 | condition: 1039 | (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre 1040 | } 1041 | rule ConventionEngine_Term_Users_X 1042 | { 1043 | meta: 1044 | author = "@stvemillertime" 1045 | description = "Searching for PE files with PDB path keywords, terms or anomalies." 1046 | sample_md5 = "09e4e6fa85b802c46bc121fcaecc5666" 1047 | ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html" 1048 | strings: 1049 | $pcre = /RSDS[\x00-\xFF]{20}\/Users\/[\x00-\xFF]{0,500}\.pdb\x00/ nocase ascii 1050 | condition: 1051 | (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre 1052 | } 1053 | rule ConventionEngine_Term_VisualStudio 1054 | { 1055 | meta: 1056 | author = "@stvemillertime" 1057 | description = "Searching for PE files with PDB path keywords, terms or anomalies." 1058 | ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html" 1059 | strings: 1060 | $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}Visual Studio[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii 1061 | condition: 1062 | (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre 1063 | } 1064 | rule ConventionEngine_Term_VmwareHost 1065 | { 1066 | meta: 1067 | author = "@itsreallynick" 1068 | description = "Searching for PE files with PDB path keywords, terms, or anomalies. 
-YOUR BOY CARR" 1069 | sample_md5 = "2742750991eb6687440ef53a7a93df94" 1070 | ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html" 1071 | strings: 1072 | $pcre = /RSDS[\x00-\xFF]{20}\\\\vmware-host\\[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii 1073 | condition: 1074 | (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre 1075 | } 1076 | rule ConventionEngine_Anomaly_Slash 1077 | { 1078 | meta: 1079 | author = "@stvemillertime" 1080 | description = "Searching for PE files with PDB path keywords, terms or anomalies." 1081 | sample_md5 = "09e4e6fa85b802c46bc121fcaecc5666" 1082 | ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html" 1083 | strings: 1084 | $pcre = /RSDS[\x00-\xFF]{20}\/[\x00-\xFF]{0,500}\.pdb\x00/ nocase ascii 1085 | condition: 1086 | (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre 1087 | } 1088 | rule ConventionEngine_Anomaly_NonAscii 1089 | { 1090 | meta: 1091 | author = "@stvemillertime" 1092 | description = "Searching for PE files with PDB path keywords, terms or anomalies." 1093 | sample_md5 = "07b62497e41898c22e5d5351607aac8e" 1094 | ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html" 1095 | strings: 1096 | $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}[^\x00-\x7F]{1,}[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii 1097 | condition: 1098 | (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre and filesize < 1MB 1099 | } 1100 | rule ConventionEngine_Anomaly_DriveShare 1101 | { 1102 | meta: 1103 | author = "@stvemillertime" 1104 | description = "Searching for PE files with PDB path keywords, terms or anomalies." 
1105 | sample_md5 = "e7414d82d69b902b5bc1efd0f3e201d7" 1106 | ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html" 1107 | strings: 1108 | $pcre = /RSDS[\x00-\xFF]{20}\\.{0,50}\\[a-zA-Z]\$\\[\x00-\xFF]{0,200}\.pdb\x00/ nocase 1109 | condition: 1110 | (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre 1111 | } 1112 | rule ConventionEngine_Anomaly_MultiPDB_Double 1113 | { 1114 | meta: 1115 | author = "@stvemillertime" 1116 | description = "Searching for PE files with PDB path keywords, terms or anomalies." 1117 | sample_md5 = "013f3bde3f1022b6cf3f2e541d19353c" 1118 | ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html" 1119 | strings: 1120 | $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}\.pdb\x00/ 1121 | condition: 1122 | (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and #pcre == 2 1123 | } 1124 | rule ConventionEngine_Anomaly_MultiPDB_Triple 1125 | { 1126 | meta: 1127 | author = "@stvemillertime" 1128 | description = "Searching for PE files with PDB path keywords, terms or anomalies." 1129 | sample_md5 = "013f3bde3f1022b6cf3f2e541d19353c" 1130 | ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html" 1131 | strings: 1132 | $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}\.pdb\x00/ 1133 | condition: 1134 | (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and #pcre == 3 1135 | } 1136 | rule ConventionEngine_Anomaly_MultiPDB_Quadruple 1137 | { 1138 | meta: 1139 | author = "@stvemillertime" 1140 | description = "Searching for PE files with PDB path keywords, terms or anomalies." 
1141 | sample_md5 = "063915c2ac8dcba0c283407ff91e48e1" 1142 | ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html" 1143 | strings: 1144 | $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}\.pdb\x00/ 1145 | condition: 1146 | (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and #pcre == 4 1147 | } 1148 | rule ConventionEngine_Anomaly_MultiPDB_Quintuple_Plus 1149 | { 1150 | meta: 1151 | author = "@stvemillertime" 1152 | description = "Searching for PE files with PDB path keywords, terms or anomalies." 1153 | sample_md5 = "08faf27c5738b34186613b4c98905690" 1154 | ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html" 1155 | strings: 1156 | $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}\.pdb\x00/ 1157 | condition: 1158 | (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and #pcre >= 5 1159 | } 1160 | rule ConventionEngine_Anomaly_Short_SingleChar 1161 | { 1162 | meta: 1163 | author = "@stvemillertime" 1164 | description = "Searching for PE files with PDB path keywords, terms or anomalies." 1165 | sample_md5 = "26f7394147f00ef7c3146ddcafb8f161" 1166 | ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html" 1167 | strings: 1168 | $pcre = /RSDS[\x00-\xFF]{20}[\x00-\xFF]{1}\.pdb\x00/ 1169 | condition: 1170 | (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre 1171 | } 1172 | rule ConventionEngine_Anomaly_Short_DoubleChar 1173 | { 1174 | meta: 1175 | author = "@stvemillertime" 1176 | description = "Searching for PE files with PDB path keywords, terms or anomalies." 
1177 | ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html" 1178 | strings: 1179 | $pcre = /RSDS[\x00-\xFF]{20}[\x00-\xFF]{2}\.pdb\x00/ 1180 | condition: 1181 | (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre 1182 | } 1183 | rule ConventionEngine_Anomaly_Short_TripleChar 1184 | { 1185 | meta: 1186 | author = "@stvemillertime" 1187 | description = "Searching for PE files with PDB path keywords, terms or anomalies." 1188 | ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html" 1189 | strings: 1190 | $pcre = /RSDS[\x00-\xFF]{20}[\x00-\xFF]{3}\.pdb\x00/ 1191 | condition: 1192 | (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre 1193 | } 1194 | rule ConventionEngine_Anomaly_NulledOut 1195 | { 1196 | meta: 1197 | author = "@stvemillertime" 1198 | description = "Searching for PE files with PDB path keywords, terms or anomalies." 1199 | sample_md5 = "94218fba95e3f03796dd005a2851b5af" 1200 | ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html" 1201 | strings: 1202 | $pcre = /RSDS[\x01-\xFF]{16}[\x01-\xFF]{1}\x00\x00\x00[\x00]{10,500}/ 1203 | condition: 1204 | (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre 1205 | } 1206 | rule ConventionEngine_Anomaly_NulledOut_DoublePlus 1207 | { 1208 | meta: 1209 | author = "@stvemillertime" 1210 | description = "Searching for PE files with PDB path keywords, terms or anomalies." 
1211 | sample_md5 = "bf0fea133818387cca7eaef5a52c0aed" 1212 | ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html" 1213 | strings: 1214 | $pcre = /RSDS[\x01-\xFF]{16}[\x01-\xFF]{1}\x00\x00\x00[\x00]{10,500}/ 1215 | condition: 1216 | (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and #pcre >= 2 1217 | } 1218 | rule ConventionEngine_Anomaly_OutsideOfDebug 1219 | { 1220 | meta: 1221 | author = "@stvemillertime" 1222 | description = "Searching for PE files with PDB path keywords, terms or anomalies." 1223 | sample_md5 = "bf0fea133818387cca7eaef5a52c0aed" 1224 | ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html" 1225 | strings: 1226 | $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,500}\.pdb\x00/ 1227 | condition: 1228 | (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre and pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_DEBUG].virtual_address == 0 1229 | } 1230 | rule ConventionEngine_Term_Users_User 1231 | { 1232 | meta: 1233 | author = "@stvemillertime" 1234 | description = "Searching for PE files with PDB path keywords, terms or anomalies." 
1235 | sample_md5 = "b7c3039203278bc289fd3756571bd468" 1236 | ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html" 1237 | strings: 1238 | $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}Users\\user[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii 1239 | condition: 1240 | (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre 1241 | } 1242 | -------------------------------------------------------------------------------- /Definitive Dossier of Devilish Debug Details - Archived.docx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/stvemillertime/ConventionEngine/abd9cf2e369ae124aee7dbb4fb121699992e35f3/Definitive Dossier of Devilish Debug Details - Archived.docx -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # ConventionEngine 2 | 3 | "ConventionEngine" is a collection of Yara rules looking for PEs with PDB paths that have unique, unusual, or overtly malicious-looking keywords, terms, or other features. For further reading on the context, please see the @FireEye blog series on the subject. 4 | 5 | https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html 6 | 7 | Keywords = string words used by malware developers to organize files, folders and code projects, often describing the functionality of the malware. 8 | 9 | Terms = string words that show up in paths as a result of operating system, software, or user behavior, often indicating that the developer is riding solo or that the code project is not being developed as an "enterprise" software product. 10 | 11 | Anomalies = Other things that are less common but are suspicious or indicative of various behaviors. 
12 | 13 | See also here: https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/definitive_dossier_pdb_yara_appendix.pdf 14 | --------------------------------------------------------------------------------