├── ConventionEngine.yar
├── Definitive Dossier of Devilish Debug Details - Archived.docx
└── README.md


/ConventionEngine.yar:
--------------------------------------------------------------------------------
   1 | // Rule appendix for the Definitive Dossier of Devilish Debug Details
   2 | // Blog link: https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html
   3 | // For more info, bother @stvemillertime or the #AdvancedPractices team on Twitter
   4 | // Updated on 2019-08-30, initial performance improvements by Florian Roth (@cyb3rops)
   5 | import "pe"
   6 | // used only in ConventionEngine_Anomaly_OutsideOfDebug
   7 | rule ConventionEngine_Keyword_Obfuscat
   8 | {
   9 |  meta:
  10 |  author = "@stvemillertime"
  11 |  description = "Searching for PE files with PDB path keywords, terms or anomalies."
  12 |  sample_md5 = "6724cef5a9a670d68e8ec00b6614997c"
  13 |  ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
  14 |  strings:
  15 |  $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}obfuscat[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
  16 |  condition:
  17 |  (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
  18 | }
  19 | rule ConventionEngine_Keyword_Hook
  20 | {
  21 |  meta:
  22 |  author = "@stvemillertime"
  23 |  description = "Searching for PE files with PDB path keywords, terms or anomalies."
  24 |  sample_md5 = "92156ddfa4c1ec330ffd24ccef127a7a"
  25 |  ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
  26 |  strings:
  27 |  $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}hook[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
  28 |  condition:
  29 |  (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
  30 | }
  31 | rule ConventionEngine_Keyword_Evil
  32 | {
  33 |  meta:
  34 |  author = "@stvemillertime"
  35 |  description = "Searching for PE files with PDB path keywords, terms or anomalies."
  36 |  sample_md5 = "9359b24a96df49972eda1750a35802de"
  37 |  ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
  38 |  strings:
  39 |  $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}evil[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
  40 |  condition:
  41 |  (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
  42 | }
  43 | rule ConventionEngine_Keyword_Inject
  44 | {
  45 |  meta:
  46 |  author = "@stvemillertime"
  47 |  description = "Searching for PE files with PDB path keywords, terms or anomalies."
  48 |  sample_md5 = "081686496db01e44871f4e4a09e35fed"
  49 |  ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
  50 |  strings:
  51 |  $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}inject[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
  52 |  condition:
  53 |  (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
  54 | }
  55 | rule ConventionEngine_Keyword_Trojan
  56 | {
  57 |  meta:
  58 |  author = "@stvemillertime"
  59 |  description = "Searching for PE files with PDB path keywords, terms or anomalies."
  60 |  sample_md5 = "060b2135d69fb33e8fc1c4d2bf7e2899"
  61 |  ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
  62 |  strings:
  63 |  $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}trojan[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
  64 |  condition:
  65 |  (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
  66 | }
  67 | rule ConventionEngine_Keyword_Hide
  68 | {
  69 |  meta:
  70 |  author = "@stvemillertime"
  71 |  description = "Searching for PE files with PDB path keywords, terms or anomalies."
  72 |  sample_md5 = "dd8af240a7a4a81b5f80250b44a778c4"
  73 |  ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
  74 |  strings:
  75 |  $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}hide[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
  76 |  condition:
  77 |  (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
  78 | }
  79 | rule ConventionEngine_Keyword_Anti
  80 | {
  81 |  meta:
  82 |  author = "@stvemillertime"
  83 |  description = "Searching for PE files with PDB path keywords, terms or anomalies."
  84 |  sample_md5 = "d350ae5dc15bcc18fde382b84f4bb3d0"
  85 |  ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
  86 |  strings:
  87 |  $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}anti[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
  88 |  condition:
  89 |  (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
  90 | }
  91 | rule ConventionEngine_Keyword_Payload
  92 | {
  93 |  meta:
  94 |  author = "@stvemillertime"
  95 |  description = "Searching for PE files with PDB path keywords, terms or anomalies."
  96 |  sample_md5 = "10c534cacf65b604c1c2a30341bd2394"
  97 |  ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
  98 |  strings:
  99 |  $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}payload[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
 100 |  condition:
 101 |  (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
 102 | }
 103 | rule ConventionEngine_Keyword_Keylog
 104 | {
 105 |  meta:
 106 |  author = "@stvemillertime"
 107 |  description = "Searching for PE files with PDB path keywords, terms or anomalies."
 108 |  sample_md5 = "1d7fd704fe4e41feff9e3a005ed868d6"
 109 |  ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
 110 |  strings:
 111 |  $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}keylog[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
 112 |  condition:
 113 |  (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
 114 | }
 115 | rule ConventionEngine_Keyword_Bypass
 116 | {
 117 |  meta:
 118 |  author = "@stvemillertime"
 119 |  description = "Searching for PE files with PDB path keywords, terms or anomalies."
 120 |  sample_md5 = "00b8356235e510be95e367a25418b5cc"
 121 |  ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
 122 |  strings:
 123 |  $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}bypass[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
 124 |  condition:
 125 |  (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
 126 | }
 127 | rule ConventionEngine_Keyword_Beacon
 128 | {
 129 |  meta:
 130 |  author = "@stvemillertime"
 131 |  description = "Searching for PE files with PDB path keywords, terms or anomalies."
 132 |  sample_md5 = "798afd5f648774c3133ea5e087efc2c1"
 133 |  ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
 134 |  strings:
 135 |  $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}beacon[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
 136 |  condition:
 137 |  (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
 138 | }
 139 | rule ConventionEngine_Keyword_UAC
 140 | {
 141 |  meta:
 142 |  author = "@stvemillertime"
 143 |  description = "Searching for PE files with PDB path keywords, terms or anomalies."
 144 |  sample_md5 = "2e62974fbce2fc1bbde763b986ad7b77"
 145 |  ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
 146 |  strings:
 147 |  $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}uac[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
 148 |  condition:
 149 |  (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
 150 | }
 151 | rule ConventionEngine_Keyword_Svchost
 152 | {
 153 |  meta:
 154 |  author = "@stvemillertime"
 155 |  description = "Searching for PE files with PDB path keywords, terms or anomalies."
 156 |  sample_md5 = "c1206ba56f7f0c2698adcb3280f345be"
 157 |  ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
 158 |  strings:
 159 |  $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}svchost[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
 160 |  condition:
 161 |  (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
 162 | }
 163 | rule ConventionEngine_Keyword_Svhost
 164 | {
 165 |  meta:
 166 |  author = "@stvemillertime"
 167 |  description = "Searching for PE files with PDB path keywords, terms or anomalies."
 168 |  sample_md5 = "8edf49fd8421edc7f58997bb16961cf4"
 169 |  ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
 170 |  strings:
 171 |  $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}svhost[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
 172 |  condition:
 173 |  (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
 174 | }
 175 | rule ConventionEngine_Keyword_Dropper
 176 | {
 177 |  meta:
 178 |  author = "@stvemillertime"
 179 |  description = "Searching for PE files with PDB path keywords, terms or anomalies."
 180 |  sample_md5 = "4847f692942358aff51b72ffcb3e40ac"
 181 |  ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
 182 |  strings:
 183 |  $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}dropper[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
 184 |  condition:
 185 |  (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
 186 | }
 187 | rule ConventionEngine_Keyword_Attack
 188 | {
 189 |  meta:
 190 |  author = "@stvemillertime"
 191 |  description = "Searching for PE files with PDB path keywords, terms or anomalies."
 192 |  sample_md5 = "d6b1989d9c271b8575326e4fca159ae8"
 193 |  ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
 194 |  strings:
 195 |  $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}attack[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
 196 |  condition:
 197 |  (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
 198 | }
 199 | rule ConventionEngine_Keyword_Encrypt
 200 | {
 201 |  meta:
 202 |  author = "@stvemillertime"
 203 |  description = "Searching for PE files with PDB path keywords, terms or anomalies."
 204 |  sample_md5 = "65746ec8d8488066a129821c27fcbfb3"
 205 |  ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
 206 |  strings:
 207 |  $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}encrypt[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
 208 |  condition:
 209 |  (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
 210 | }
 211 | rule ConventionEngine_Keyword_Exploit
 212 | {
 213 |  meta:
 214 |  author = "@stvemillertime"
 215 |  description = "Searching for PE files with PDB path keywords, terms or anomalies."
 216 |  sample_md5 = "4215d029dd26c29ce3e0cab530979b19"
 217 |  ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
 218 |  strings:
 219 |  $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}exploit[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
 220 |  condition:
 221 |  (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
 222 | }
 223 | rule ConventionEngine_Keyword_Ransom
 224 | {
 225 |  meta:
 226 |  author = "@stvemillertime"
 227 |  description = "Searching for PE files with PDB path keywords, terms or anomalies."
 228 |  sample_md5 = "363bfef1781c107a08f46267f7676579"
 229 |  ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
 230 |  strings:
 231 |  $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}ransom[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
 232 |  condition:
 233 |  (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
 234 | }
 235 | rule ConventionEngine_Keyword_Spy
 236 | {
 237 |  meta:
 238 |  author = "@stvemillertime"
 239 |  description = "Searching for PE files with PDB path keywords, terms or anomalies."
 240 |  sample_md5 = "15db41840f77723aa7e43460d9d3a5cc"
 241 |  ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
 242 |  strings:
 243 |  $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}spy[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
 244 |  condition:
 245 |  (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
 246 | }
 247 | rule ConventionEngine_Keyword_Horse
 248 | {
 249 |  meta:
 250 |  author = "@stvemillertime"
 251 |  description = "Searching for PE files with PDB path keywords, terms or anomalies."
 252 |  sample_md5 = "1aa4a05fa321676b9934cd3aa54a5f95"
 253 |  ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
 254 |  strings:
 255 |  $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}horse[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
 256 |  condition:
 257 |  (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
 258 | }
 259 | rule ConventionEngine_Keyword_CVE
 260 | {
 261 |  meta:
 262 |  author = "@stvemillertime"
 263 |  description = "Searching for PE files with PDB path keywords, terms or anomalies."
 264 |  sample_md5 = "89dd326a64fdd77b467d2db1cc15e8ef"
 265 |  ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
 266 |  strings:
 267 |  $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}cve[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
 268 |  condition:
 269 |  (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
 270 | }
 271 | rule ConventionEngine_Keyword_shellcode
 272 | {
 273 |  meta:
 274 |  author = "@stvemillertime"
 275 |  description = "Searching for PE files with PDB path keywords, terms or anomalies."
 276 |  sample_md5 = "2cd7bc18377abb2464f55453e5bfab20"
 277 |  ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
 278 |  strings:
 279 |  $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}shellcode[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
 280 |  condition:
 281 |  (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
 282 | }
 283 | rule ConventionEngine_Keyword_Fake
 284 | {
 285 |  meta:
 286 |  author = "@stvemillertime"
 287 |  description = "Searching for PE files with PDB path keywords, terms or anomalies."
 288 |  sample_md5 = "124c475d67aa8391f5220efcc64ca5b3"
 289 |  ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
 290 |  strings:
 291 |  $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}fake[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
 292 |  condition:
 293 |  (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
 294 | }
 295 | rule ConventionEngine_Keyword_Backdoor
 296 | {
 297 |  meta:
 298 |  author = "@stvemillertime"
 299 |  description = "Searching for PE files with PDB path keywords, terms or anomalies."
 300 |  sample_md5 = "0017c2bfa513960f9ea4fee46382959b"
 301 |  ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
 302 |  strings:
 303 |  $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}backdoor[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
 304 |  condition:
 305 |  (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
 306 | }
 307 | rule ConventionEngine_Keyword_BDoor
 308 | {
 309 |  meta:
 310 |  author = "@stvemillertime"
 311 |  description = "Searching for PE files with PDB path keywords, terms or anomalies."
 312 |  sample_md5 = "ba08b593250c3ca5c13f56e2ca97d85e"
 313 |  ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
 314 |  strings:
 315 |  $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}(bkdoor|bckdoor|backdr)[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
 316 |  condition:
 317 |  (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
 318 | }
 319 | rule ConventionEngine_Keyword_Zombie
 320 | {
 321 |  meta:
 322 |  author = "@stvemillertime"
 323 |  description = "Searching for PE files with PDB path keywords, terms or anomalies."
 324 |  sample_md5 = "05ce6c5b7e14c34d4e6189dc19675c98"
 325 |  ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
 326 |  strings:
 327 |  $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}zombie[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
 328 |  condition:
 329 |  (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
 330 | }
 331 | rule ConventionEngine_Keyword_Rootkit
 332 | {
 333 |  meta:
 334 |  author = "@stvemillertime"
 335 |  description = "Searching for PE files with PDB path keywords, terms or anomalies."
 336 |  sample_md5 = "8d4c375e452c688b413882365437435b"
 337 |  ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
 338 |  strings:
 339 |  $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}rootkit[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
 340 |  condition:
 341 |  (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
 342 | }
 343 | rule ConventionEngine_Keyword_Fuck
 344 | {
 345 |  meta:
 346 |  author = "@stvemillertime"
 347 |  description = "Searching for PE files with PDB path keywords, terms or anomalies."
 348 |  sample_md5 = "bce1069dd099f15170c5fd05bae921b5"
 349 |  ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
 350 |  strings:
 351 |  $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}fuck[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
 352 |  condition:
 353 |  (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
 354 | }
 355 | rule ConventionEngine_Keyword_LoadDLL
 356 | {
 357 |  meta:
 358 |  author = "@stvemillertime"
 359 |  description = "Searching for PE files with PDB path keywords, terms or anomalies."
 360 |  sample_md5 = "e03f94cf5e3b1df208967a87df13ccb5"
 361 |  ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
 362 |  strings:
 363 |  $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}loaddll[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
 364 |  condition:
 365 |  (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
 366 | }
 367 | rule ConventionEngine_Keyword_Reflect
 368 | {
 369 |  meta:
 370 |  author = "@stvemillertime"
 371 |  description = "Searching for PE files with PDB path keywords, terms or anomalies."
 372 |  sample_md5 = "d4990a8d2ff6f2433acdad04521f85c6"
 373 |  ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
 374 |  strings:
 375 |  $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}reflect[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
 376 |  condition:
 377 |  (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
 378 | }
 379 | rule ConventionEngine_Keyword_Sleep
 380 | {
 381 |  meta:
 382 |  author = "@stvemillertime"
 383 |  description = "Searching for PE files with PDB path keywords, terms or anomalies."
 384 |  sample_md5 = "0ce134d66531d2070b2c7db1ffb0dc6f"
 385 |  ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
 386 |  strings:
 387 |  $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}sleep[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
 388 |  condition:
 389 |  (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
 390 | }
 391 | rule ConventionEngine_Keyword_Sploit
 392 | {
 393 |  meta:
 394 |  author = "@stvemillertime"
 395 |  description = "Searching for PE files with PDB path keywords, terms or anomalies."
 396 |  sample_md5 = "0637c45bdefaa93d26124c1f3899443a"
 397 |  ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
 398 |  strings:
 399 |  $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}sploit[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
 400 |  condition:
 401 |  (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
 402 | }
 403 | rule ConventionEngine_Keyword_Reverse
 404 | {
 405 |  meta:
 406 |  author = "@stvemillertime"
 407 |  description = "Searching for PE files with PDB path keywords, terms or anomalies."
 408 |  sample_md5 = "fccb98a9a510cdcf7c730eba548729de"
 409 |  ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
 410 |  strings:
 411 |  $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}reverse[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
 412 |  condition:
 413 |  (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
 414 | }
 415 | rule ConventionEngine_Keyword_Socket
 416 | {
 417 |  meta:
 418 |  author = "@stvemillertime"
 419 |  description = "Searching for PE files with PDB path keywords, terms or anomalies."
 420 |  sample_md5 = "9c836dcd5251c4c9272b408b486e65db"
 421 |  ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
 422 |  strings:
 423 |  $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}socket[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
 424 |  condition:
 425 |  (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
 426 | }
 427 | rule ConventionEngine_Keyword_PowerShell
 428 | {
 429 |  meta:
 430 |  author = "@stvemillertime"
 431 |  description = "Searching for PE files with PDB path keywords, terms or anomalies."
 432 |  sample_md5 = "33700535591774417e3282f7b40ae8ad"
 433 |  ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
 434 |  strings:
 435 |  $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}PowerShell[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
 436 |  condition:
 437 |  (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
 438 | }
 439 | rule ConventionEngine_Keyword_Infect
 440 | {
 441 |  meta:
 442 |  author = "@stvemillertime"
 443 |  description = "Searching for PE files with PDB path keywords, terms or anomalies."
 444 |  sample_md5 = "fdfea54231be21760b722d5cef32da2a"
 445 |  ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
 446 |  strings:
 447 |  $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}infect[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
 448 |  condition:
 449 |  (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
 450 | }
 451 | rule ConventionEngine_Keyword_Worm
 452 | {
 453 |  meta:
 454 |  author = "@stvemillertime"
 455 |  description = "Searching for PE files with PDB path keywords, terms or anomalies."
 456 |  sample_md5 = "fdfea54231be21760b722d5cef32da2a"
 457 |  ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
 458 |  strings:
 459 |  $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}worm[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
 460 |  condition:
 461 |  (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
 462 | }
 463 | rule ConventionEngine_Keyword_Katz
 464 | {
 465 |  meta:
 466 |  author = "@stvemillertime"
 467 |  description = "Searching for PE files with PDB path keywords, terms or anomalies."
 468 |  sample_md5 = "0512c5a8807e4fdeb662e61d81cd1645"
 469 |  ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
 470 |  strings:
 471 |  $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}katz[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
 472 |  condition:
 473 |  (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
 474 | }
 475 | rule ConventionEngine_Keyword_Mimi
 476 | {
 477 |  meta:
 478 |  author = "@stvemillertime"
 479 |  description = "Searching for PE files with PDB path keywords, terms or anomalies."
 480 |  sample_md5 = "a2bcbcc1465be96fbb957b14f29d1ea4"
 481 |  ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
 482 |  strings:
 483 |  $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}mimi[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
 484 |  condition:
 485 |  (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
 486 | }
 487 | rule ConventionEngine_Keyword_Droper
 488 | {
 489 |  meta:
 490 |  author = "@stvemillertime"
 491 |  description = "Searching for PE files with PDB path keywords, terms or anomalies."
 492 |  sample_md5 = "5410ab108cd251a2db724db762d6606c"
 493 |  ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
 494 |  strings:
 495 |  $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}droper[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
 496 |  condition:
 497 |  (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
 498 | }
 499 | rule ConventionEngine_Keyword_0day
 500 | {
 501 |  meta:
 502 |  author = "@a_tweeter_user"
 503 |  description = "Searching for PE files with PDB path keywords, terms or anomalies."
 504 |  sample_md5 = "e8df15f480b7044cf44faff4273dba8f"
 505 |  ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
 506 |  strings:
 507 |  $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}0day[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
 508 |  condition:
 509 |  (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
 510 | }
 511 | rule ConventionEngine_Keyword_Penetration
 512 | {
 513 |  meta:
 514 |  author = "@stvemillertime"
 515 |  description = "Searching for PE files with PDB path keywords, terms or anomalies."
 516 |  sample_md5 = "5f7796346d22ec5bd8c7b5a2e6caca3c"
 517 |  ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
 518 |  strings:
 519 |  $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}penetration[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
 520 |  condition:
 521 |  (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
 522 | }
 523 | rule ConventionEngine_Keyword_Wiper
 524 | {
 525 |  meta:
 526 |  author = "@stvemillertime"
 527 |  description = "Searching for PE files with PDB path keywords, terms or anomalies."
 528 |  sample_md5 = "3b740cca401715985f3a0c28f851b60e"
 529 |  ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
 530 |  strings:
 531 |  $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}wiper[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
 532 |  condition:
 533 |  (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
 534 | }
 535 | rule ConventionEngine_Keyword_Bootkit
 536 | {
 537 |  meta:
 538 |  author = "@stvemillertime"
 539 |  description = "Searching for PE files with PDB path keywords, terms or anomalies."
 540 |  sample_md5 = "b427a55b62d7f00c532d695c9b04b4d2"
 541 |  ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
 542 |  strings:
 543 |  $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}bootkit[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
 544 |  condition:
 545 |  (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
 546 | }
 547 | rule ConventionEngine_Keyword_Bot
 548 | {
 549 |  meta:
 550 |  author = "@stvemillertime"
 551 |  description = "Searching for PE files with PDB path keywords, terms or anomalies."
 552 |  sample_md5 = "df1e54a3832aff3e714fa2c122aa7ea9"
 553 |  ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
 554 |  strings:
 555 |  $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}(bot_|_bot| bot|bot |bot\\|-bot|bot-|\\bot)[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
 556 |  condition:
 557 |  (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
 558 | }
 559 | rule ConventionEngine_Keyword_Csrss
 560 | {
 561 |  meta:
 562 |  author = "@stvemillertime"
 563 |  description = "Searching for PE files with PDB path keywords, terms or anomalies."
 564 |  sample_md5 = "72e743f7752367b461c42561021eb30d"
 565 |  ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
 566 |  strings:
 567 |  $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}csrss[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
 568 |  condition:
 569 |  (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
 570 | }
 571 | rule ConventionEngine_Keyword_Flood
 572 | {
 573 |  meta:
 574 |  author = "@stvemillertime"
 575 |  description = "Searching for PE files with PDB path keywords, terms or anomalies."
 576 |  sample_md5 = "17a8d440545859444491f2feca7c129f"
 577 |  ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
 578 |  strings:
 579 |  $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}flood[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
 580 |  condition:
 581 |  (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
 582 | }
 583 | rule ConventionEngine_Keyword_Overflow
 584 | {
 585 |  meta:
 586 |  author = "@stvemillertime"
 587 |  description = "Searching for PE files with PDB path keywords, terms or anomalies."
 588 |  ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
 589 |  strings:
 590 |  $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}overflow[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
 591 |  condition:
 592 |  (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
 593 | }
 594 | rule ConventionEngine_Keyword_Kali
 595 | {
 596 |  meta:
 597 |  author = "@stvemillertime"
 598 |  description = "Searching for PE files with PDB path keywords, terms or anomalies."
 599 |  sample_md5 = "2cc23a6d971a8dc2093b73f72c2380b4"
 600 |  ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
 601 |  strings:
 602 |  $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}kali[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
 603 |  condition:
 604 |  (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
 605 | }
 606 | rule ConventionEngine_Keyword_Malware
 607 | {
 608 |  meta:
 609 |  author = "@stvemillertime"
 610 |  description = "Searching for PE files with PDB path keywords, terms or anomalies."
 611 |  sample_md5 = "198ee041e8f3eb12a19bc321f86ccb88"
 612 |  ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
 613 |  strings:
 614 |  $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}malware[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
 615 |  condition:
 616 |  (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
 617 | }
 618 | rule ConventionEngine_Keyword_Miner
 619 | {
 620 |  meta:
 621 |  author = "@stvemillertime"
 622 |  description = "Searching for PE files with PDB path keywords, terms or anomalies."
 623 |  sample_md5 = "0409644ae4d1afb21c53339e244b5cc8"
 624 |  ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
 625 |  strings:
 626 |  $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}miner[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
 627 |  condition:
 628 |  (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
 629 | }
 630 | rule ConventionEngine_Keyword_Xmrig
 631 | {
 632 |  meta:
 633 |  author = "@stvemillertime"
 634 |  description = "Searching for PE files with PDB path keywords, terms or anomalies."
 635 |  sample_md5 = "433f936511c2302342f175ad020e34f1"
 636 |  ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
 637 |  strings:
 638 |  $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}xmrig[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
 639 |  condition:
 640 |  (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
 641 | }
 642 | rule ConventionEngine_Keyword_LOL
 643 | {
 644 |  meta:
 645 |  author = "@stvemillertime"
 646 |  description = "Searching for PE files with PDB path keywords, terms or anomalies."
 647 |  sample_md5 = "05486e8707ae94befde0bafd9bee5429"
 648 |  ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
 649 |  strings:
 650 |  $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}lol[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
 651 |  condition:
 652 |  (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
 653 | }
 654 | rule ConventionEngine_Keyword_FUD
 655 | {
 656 |  meta:
 657 |  author = "@stvemillertime"
 658 |  description = "Searching for PE files with PDB path keywords, terms or anomalies."
 659 |  sample_md5 = "07c281acbe2eeb479a73580560cec0b8"
 660 |  ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
 661 |  strings:
 662 |  $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}fud[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
 663 |  condition:
 664 |  (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
 665 | }
 666 | rule ConventionEngine_Keyword_Install
 667 | {
 668 |  meta:
 669 |  author = "@stvemillertime"
 670 |  description = "Searching for PE files with PDB path keywords, terms or anomalies."
 671 |  sample_md5 = "74494aff87db1ef5843cbf8c4d40cab1"
 672 |  ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
 673 |  strings:
 674 |  $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}install[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
 675 |  condition:
 676 |  (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
 677 | }
 678 | rule ConventionEngine_Keyword_Steal
 679 | {
 680 |  meta:
 681 |  author = "@stvemillertime"
 682 |  description = "Searching for PE files with PDB path keywords, terms or anomalies."
 683 |  sample_md5 = "f3f47f3986e9c55d36c49beefa627b54"
 684 |  ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
 685 |  strings:
 686 |  $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}steal[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
 687 |  condition:
 688 |  (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
 689 | }
 690 | rule ConventionEngine_Keyword_Launch
 691 | {
 692 |  meta:
 693 |  author = "@stvemillertime"
 694 |  description = "Searching for PE files with PDB path keywords, terms or anomalies."
 695 |  ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
 696 |  strings:
 697 |  $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}launch[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
 698 |  condition:
 699 |  (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
 700 | }
 701 | rule ConventionEngine_Keyword_Downloader
 702 | {
 703 |  meta:
 704 |  author = "@stvemillertime"
 705 |  description = "Searching for PE files with PDB path keywords, terms or anomalies."
 706 |  sample_md5 = "8c843aa6ded2f2cb4a78a8b4534ac063"
 707 |  ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
 708 |  strings:
 709 |  $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}downloader[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
 710 |  condition:
 711 |  (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
 712 | }
 713 | rule ConventionEngine_Keyword_Hack
 714 | {
 715 |  meta:
 716 |  author = "@stvemillertime"
 717 |  description = "Searching for PE files with PDB path keywords, terms or anomalies."
 718 |  sample_md5 = "afe58fee2460947291e93bad9fb095ce"
 719 |  ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
 720 |  strings:
 721 |  $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}hack[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
 722 |  condition:
 723 |  (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
 724 | }
 725 | rule ConventionEngine_Keyword_Kill
 726 | {
 727 |  meta:
 728 |  author = "@stvemillertime"
 729 |  description = "Searching for PE files with PDB path keywords, terms or anomalies."
 730 |  sample_md5 = "6d250a11f68b1fd4ed0505fb2965b6f7"
 731 |  ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
 732 |  strings:
 733 |  $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}kill[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
 734 |  condition:
 735 |  (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
 736 | }
 737 | rule ConventionEngine_Keyword_Implant
 738 | {
 739 |  meta:
 740 |  author = "@stvemillertime"
 741 |  description = "Searching for PE files with PDB path keywords, terms or anomalies."
 742 |  sample_md5 = "40451f20371329b992fb1b85c754d062"
 743 |  ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
 744 |  strings:
 745 |  $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}implant[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
 746 |  condition:
 747 |  (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre and filesize < 3MB
 748 | }
 749 | rule ConventionEngine_Keyword_RAT
 750 | {
 751 |  meta:
 752 |  author = "@stvemillertime"
 753 |  description = "Searching for PE files with PDB path keywords, terms or anomalies."
 754 |  sample_md5 = "18244062e6169b79f68d9b413cfd2c04"
 755 |  ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
 756 |  strings:
 757 |  $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}(\\rat|rat\\|\srat|\-rat|rat\.|rat\s)[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
 758 |  $this = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}administrator[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
 759 |  condition:
 760 |  (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre and not $this
 761 | }
 762 | rule ConventionEngine_Keyword_Shell
 763 | {
 764 |  meta:
 765 |  author = "@stvemillertime"
 766 |  description = "Searching for PE files with PDB path keywords, terms or anomalies."
 767 |  sample_md5 = "32a16eff23f6c35e22b0b7d041728f62"
 768 |  ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
 769 |  strings:
 770 |  $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}shell[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
 771 |  $this = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}(shellcode|powershell)[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
 772 |  condition:
 773 |  (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre and not $this
 774 | }
 775 | rule ConventionEngine_Keyword_Admin
 776 | {
 777 |  meta:
 778 |  author = "@stvemillertime"
 779 |  description = "Searching for PE files with PDB path keywords, terms or anomalies."
 780 |  sample_md5 = "67fff57bb44d3458b17f0c7a7a45f405"
 781 |  ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
 782 |  strings:
 783 |  $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}Admin[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
 784 |  $this = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}administrator[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
 785 |  condition:
 786 |  (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre and not $this
 787 | }
 788 | rule ConventionEngine_Keyword_Proxy
 789 | {
 790 |  meta:
 791 |  author = "@stvemillertime"
 792 |  description = "Searching for PE files with PDB path keywords, terms or anomalies."
 793 |  sample_md5 = "7486404888b3223ef171a310426b2387"
 794 |  ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
 795 |  strings:
 796 |  $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}proxy[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
 797 |  condition:
 798 |  (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
 799 | }
 800 | rule ConventionEngine_Keyword_Virus
 801 | {
 802 |  meta:
 803 |  author = "@stvemillertime"
 804 |  description = "Searching for PE files with PDB path keywords, terms or anomalies."
 805 |  sample_md5 = "5a537470e936dbb9611f95fb7f136a6e"
 806 |  ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
 807 |  strings:
 808 |  $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}virus[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
 809 |  condition:
 810 |  (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
 811 | }
 812 | rule ConventionEngine_Keyword_Bind
 813 | {
 814 |  meta:
 815 |  author = "@stvemillertime"
 816 |  description = "Searching for PE files with PDB path keywords, terms or anomalies."
 817 |  sample_md5 = "0a2d51b0e58e41407f1a08744f1443b0"
 818 |  ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
 819 |  strings:
 820 |  $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}bind[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
 821 |  condition:
 822 |  (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
 823 | }
 824 | rule ConventionEngine_Keyword_1337
 825 | {
 826 |  meta:
 827 |  author = "@itsreallynick"
 828 |  description = "Searching for PE files with PDB path keywords, terms or anomalies. -YOUR BOY CARR"
 829 |  sample_md5 = "e9ecca14f19fe192fc48e714a649cadd"
 830 |  ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
 831 |  strings:
 832 |  $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]?:?\\[\\\s|*\s]?.{0,250}\\[l1]33[7t][\\\s|*\s]?.{0,250}\.pdb\x00/ nocase
 833 |  condition:
 834 |  (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
 835 | }
 836 | rule ConventionEngine_Keyword_Thinstall
 837 | {
 838 |  meta:
 839 |  author = "@stvemillertime"
 840 |  description = "Searching for PE files with PDB path keywords, terms or anomalies."
 841 |  sample_md5 = "2ef545036c95aab395f3f2a3a0d38a9f"
 842 |  ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
 843 |  strings:
 844 |  $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}thinstall[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
 845 |  condition:
 846 |  (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
 847 | }
 848 | rule ConventionEngine_Keyword_Driver
 849 | {
 850 |  meta:
 851 |  author = "@stvemillertime"
 852 |  description = "Searching for PE files with PDB path keywords, terms or anomalies."
 853 |  sample_md5 = "24a6ec8ebf9c0867ed1c097f4a653b8d"
 854 |  ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
 855 |  strings:
 856 |  $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}driver[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
 857 |  condition:
 858 |  (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre and filesize < 3MB
 859 | }
 860 | rule ConventionEngine_Keyword_Client
 861 | {
 862 |  meta:
 863 |  author = "@stvemillertime"
 864 |  description = "Searching for PE files with PDB path keywords, terms or anomalies."
 865 |  sample_md5 = "24a6ec8ebf9c0867ed1c097f4a653b8d"
 866 |  ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
 867 |  strings:
 868 |  $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}client[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
 869 |  condition:
 870 |  (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre and filesize < 3MB
 871 | }
 872 | rule ConventionEngine_Keyword_Server
 873 | {
 874 |  meta:
 875 |  author = "@stvemillertime"
 876 |  description = "Searching for PE files with PDB path keywords, terms or anomalies."
 877 |  sample_md5 = "24a6ec8ebf9c0867ed1c097f4a653b8d"
 878 |  ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
 879 |  strings:
 880 |  $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}server[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
 881 |  condition:
 882 |  (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre and filesize < 3MB
 883 | }
 884 | rule ConventionEngine_Term_GoogleDrive
 885 | {
 886 |  meta:
 887 |  author = "@stvemillertime"
 888 |  description = "Searching for PE files with PDB path keywords, terms or anomalies."
 889 |  ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
 890 |  strings:
 891 |  $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}(Google Drive|Google \xd0\xb4\xd0\xb8\xd1\x81\xd0\xba|Google \xe4\xba\x91\xe7\xab\xaf\xe7\xa1\xac\xe7\x9b\x98)[\x00-\xFF]
 892 | {0,200}\.pdb\x00/ nocase ascii
 893 |  condition:
 894 |  (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
 895 | }
 896 | rule ConventionEngine_Term_Windows
 897 | {
 898 |  meta:
 899 |  author = "@stvemillertime"
 900 |  description = "Searching for PE files with PDB path keywords, terms or anomalies."
 901 |  sample_md5 = "25b965b0f56a7dc8a0e2aa7e72778497"
 902 |  ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
 903 |  strings:
 904 |  $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\Windows\\[\x00-\xFF]{0,200}\.pdb\x00/
 905 |  condition:
 906 |  (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
 907 | }
 908 | rule ConventionEngine_Term_Documents
 909 | {
 910 |  meta:
 911 |  author = "@stvemillertime"
 912 |  description = "Searching for PE files with PDB path keywords, terms or anomalies."
 913 |  sample_md5 = "e766b979aecfc603b561b19e3880a7bc"
 914 |  ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
 915 |  strings:
 916 |  $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}\\Documents[\x00-\xFF]{0,200}\.pdb\x00/
 917 |  $this = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}\\Documents and Settings[\x00-\xFF]{0,200}\.pdb\x00/
 918 |  condition:
 919 |  (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre and not $this
 920 | }
 921 | rule ConventionEngine_Term_DocumentsAndSettings
 922 | {
 923 |  meta:
 924 |  author = "@stvemillertime"
 925 |  description = "Searching for PE files with PDB path keywords, terms or anomalies."
 926 |  sample_md5 = "e766b979aecfc603b561b19e3880a7bc"
 927 |  ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
 928 |  strings:
 929 |  $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}\\Documents and Settings[\x00-\xFF]{0,200}\.pdb\x00/
 930 |  $this = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}\\Documents\\[\x00-\xFF]{0,200}\.pdb\x00/
 931 |  condition:
 932 |  (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre and not $this
 933 | }
 934 | rule ConventionEngine_Term_Dropbox
 935 | {
 936 |  meta:
 937 |  author = "@stvemillertime"
 938 |  description = "Searching for PE files with PDB path keywords, terms or anomalies."
 939 |  sample_md5 = "5d6bfa1a1add10dbd6745ddf915812ed"
 940 |  ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
 941 |  strings:
 942 |  $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}dropbox[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
 943 |  condition:
 944 |  (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
 945 | }
 946 | rule ConventionEngine_Term_OneDrive
 947 | {
 948 |  meta:
 949 |  author = "@stvemillertime"
 950 |  description = "Searching for PE files with PDB path keywords, terms or anomalies."
 951 |  ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
 952 |  strings:
 953 |  $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}OneDrive[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
 954 |  condition:
 955 |  (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
 956 | }
 957 | rule ConventionEngine_Term_ConsoleApplication
 958 | {
 959 |  meta:
 960 |  author = "@stvemillertime"
 961 |  description = "Searching for PE files with PDB path keywords, terms or anomalies."
 962 |  sample_md5 = "4840ee7971322e1a6da801643432b25f"
 963 |  ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
 964 |  strings:
 965 |  $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}overflow[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
 966 |  condition:
 967 |  (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
 968 | }
 969 | rule ConventionEngine_Term_WindowsApplication
 970 | {
 971 |  meta:
 972 |  author = "@stvemillertime"
 973 |  description = "Searching for PE files with PDB path keywords, terms or anomalies."
 974 |  sample_md5 = "f097c1b0c8fe178de14717a4fc8f2a91"
 975 |  ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
 976 |  strings:
 977 |  $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}WindowsApplication[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
 978 |  condition:
 979 |  (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
 980 | }
 981 | rule ConventionEngine_Term_WindowsFormsApplication
 982 | {
 983 |  meta:
 984 |  author = "@stvemillertime"
 985 |  description = "Searching for PE files with PDB path keywords, terms or anomalies."
 986 |  sample_md5 = "b51c35d5606c173961b2aa4e6867b40a"
 987 |  ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
 988 |  strings:
 989 |  $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}WindowsFormsApplication[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
 990 |  condition:
 991 |  (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
 992 | }
 993 | rule ConventionEngine_Term_NewFolder
 994 | {
 995 |  meta:
 996 |  author = "@stvemillertime"
 997 |  description = "Searching for PE files with PDB path keywords, terms or anomalies."
 998 |  sample_md5 = "fe23fa6df4d8fb500859f0f76e92552d"
 999 |  ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
1000 |  strings:
1001 |  $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}New Folder[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
1002 |  condition:
1003 |  (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
1004 | }
1005 | rule ConventionEngine_Term_Copy
1006 | {
1007 |  meta:
1008 |  author = "@stvemillertime"
1009 |  description = "Searching for PE files with PDB path keywords, terms or anomalies."
1010 |  sample_md5 = "6156214b767254d5282bc7feef950dca"
1011 |  ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
1012 |  strings:
1013 |  $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}- Copy[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
1014 |  condition:
1015 |  (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
1016 | }
1017 | rule ConventionEngine_Term_Desktop
1018 | {
1019 |  meta:
1020 |  author = "@stvemillertime"
1021 |  description = "Searching for PE files with PDB path keywords, terms or anomalies."
1022 |  sample_md5 = "71cdba3859ca8bd03c1e996a790c04f9"
1023 |  ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
1024 |  strings:
1025 |  $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}Desktop[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
1026 |  condition:
1027 |  (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
1028 | }
1029 | rule ConventionEngine_Term_Users
1030 | {
1031 |  meta:
1032 |  author = "@stvemillertime"
1033 |  description = "Searching for PE files with PDB path keywords, terms or anomalies."
1034 |  sample_md5 = "09e4e6fa85b802c46bc121fcaecc5666"
1035 |  ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
1036 |  strings:
1037 |  $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}Users[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
1038 |  condition:
1039 |  (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
1040 | }
1041 | rule ConventionEngine_Term_Users_X
1042 | {
1043 |  meta:
1044 |  author = "@stvemillertime"
1045 |  description = "Searching for PE files with PDB path keywords, terms or anomalies."
1046 |  sample_md5 = "09e4e6fa85b802c46bc121fcaecc5666"
1047 |  ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
1048 |  strings:
1049 |  $pcre = /RSDS[\x00-\xFF]{20}\/Users\/[\x00-\xFF]{0,500}\.pdb\x00/ nocase ascii
1050 |  condition:
1051 |  (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
1052 | }
1053 | rule ConventionEngine_Term_VisualStudio
1054 | {
1055 |  meta:
1056 |  author = "@stvemillertime"
1057 |  description = "Searching for PE files with PDB path keywords, terms or anomalies."
1058 |  ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
1059 |  strings:
1060 |  $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}Visual Studio[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
1061 |  condition:
1062 |  (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
1063 | }
1064 | rule ConventionEngine_Term_VmwareHost
1065 | {
1066 |  meta:
1067 |  author = "@itsreallynick"
1068 |  description = "Searching for PE files with PDB path keywords, terms, or anomalies. -YOUR BOY CARR"
1069 |  sample_md5 = "2742750991eb6687440ef53a7a93df94"
1070 |  ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
1071 |  strings:
1072 |  $pcre = /RSDS[\x00-\xFF]{20}\\\\vmware-host\\[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
1073 |  condition:
1074 |  (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
1075 | }
1076 | rule ConventionEngine_Anomaly_Slash
1077 | {
1078 |  meta:
1079 |  author = "@stvemillertime"
1080 |  description = "Searching for PE files with PDB path keywords, terms or anomalies."
1081 |  sample_md5 = "09e4e6fa85b802c46bc121fcaecc5666"
1082 |  ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
1083 |  strings:
1084 |  $pcre = /RSDS[\x00-\xFF]{20}\/[\x00-\xFF]{0,500}\.pdb\x00/ nocase ascii
1085 |  condition:
1086 |  (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
1087 | }
1088 | rule ConventionEngine_Anomaly_NonAscii
1089 | {
1090 |  meta:
1091 |  author = "@stvemillertime"
1092 |  description = "Searching for PE files with PDB path keywords, terms or anomalies."
1093 |  sample_md5 = "07b62497e41898c22e5d5351607aac8e"
1094 |  ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
1095 |  strings:
1096 |  $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}[^\x00-\x7F]{1,}[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
1097 |  condition:
1098 |  (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre and filesize < 1MB
1099 | }
1100 | rule ConventionEngine_Anomaly_DriveShare
1101 | {
1102 |  meta:
1103 |  author = "@stvemillertime"
1104 |  description = "Searching for PE files with PDB path keywords, terms or anomalies."
1105 |  sample_md5 = "e7414d82d69b902b5bc1efd0f3e201d7"
1106 |  ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
1107 |  strings:
1108 |  $pcre = /RSDS[\x00-\xFF]{20}\\.{0,50}\\[a-zA-Z]\$\\[\x00-\xFF]{0,200}\.pdb\x00/ nocase
1109 |  condition:
1110 |  (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
1111 | }
1112 | rule ConventionEngine_Anomaly_MultiPDB_Double
1113 | {
1114 |  meta:
1115 |  author = "@stvemillertime"
1116 |  description = "Searching for PE files with PDB path keywords, terms or anomalies."
1117 |  sample_md5 = "013f3bde3f1022b6cf3f2e541d19353c"
1118 |  ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
1119 |  strings:
1120 |  $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}\.pdb\x00/
1121 |  condition:
1122 |  (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and #pcre == 2
1123 | }
1124 | rule ConventionEngine_Anomaly_MultiPDB_Triple
1125 | {
1126 |  meta:
1127 |  author = "@stvemillertime"
1128 |  description = "Searching for PE files with PDB path keywords, terms or anomalies."
1129 |  sample_md5 = "013f3bde3f1022b6cf3f2e541d19353c"
1130 |  ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
1131 |  strings:
1132 |  $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}\.pdb\x00/
1133 |  condition:
1134 |  (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and #pcre == 3
1135 | }
1136 | rule ConventionEngine_Anomaly_MultiPDB_Quadruple
1137 | {
1138 |  meta:
1139 |  author = "@stvemillertime"
1140 |  description = "Searching for PE files with PDB path keywords, terms or anomalies."
1141 |  sample_md5 = "063915c2ac8dcba0c283407ff91e48e1"
1142 |  ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
1143 |  strings:
1144 |  $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}\.pdb\x00/
1145 |  condition:
1146 |  (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and #pcre == 4
1147 | }
1148 | rule ConventionEngine_Anomaly_MultiPDB_Quintuple_Plus
1149 | {
1150 |  meta:
1151 |  author = "@stvemillertime"
1152 |  description = "Searching for PE files with PDB path keywords, terms or anomalies."
1153 |  sample_md5 = "08faf27c5738b34186613b4c98905690"
1154 |  ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
1155 |  strings:
1156 |  $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}\.pdb\x00/
1157 |  condition:
1158 |  (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and #pcre >= 5
1159 | }
1160 | rule ConventionEngine_Anomaly_Short_SingleChar
1161 | {
1162 |  meta:
1163 |  author = "@stvemillertime"
1164 |  description = "Searching for PE files with PDB path keywords, terms or anomalies."
1165 |  sample_md5 = "26f7394147f00ef7c3146ddcafb8f161"
1166 |  ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
1167 |  strings:
1168 |  $pcre = /RSDS[\x00-\xFF]{20}[\x00-\xFF]{1}\.pdb\x00/
1169 |  condition:
1170 |  (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
1171 | }
1172 | rule ConventionEngine_Anomaly_Short_DoubleChar
1173 | {
1174 |  meta:
1175 |  author = "@stvemillertime"
1176 |  description = "Searching for PE files with PDB path keywords, terms or anomalies."
1177 |  ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
1178 |  strings:
1179 |  $pcre = /RSDS[\x00-\xFF]{20}[\x00-\xFF]{2}\.pdb\x00/
1180 |  condition:
1181 |  (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
1182 | }
1183 | rule ConventionEngine_Anomaly_Short_TripleChar
1184 | {
1185 |  meta:
1186 |  author = "@stvemillertime"
1187 |  description = "Searching for PE files with PDB path keywords, terms or anomalies."
1188 |  ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
1189 |  strings:
1190 |  $pcre = /RSDS[\x00-\xFF]{20}[\x00-\xFF]{3}\.pdb\x00/
1191 |  condition:
1192 |  (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
1193 | }
1194 | rule ConventionEngine_Anomaly_NulledOut
1195 | {
1196 |  meta:
1197 |  author = "@stvemillertime"
1198 |  description = "Searching for PE files with PDB path keywords, terms or anomalies."
1199 |  sample_md5 = "94218fba95e3f03796dd005a2851b5af"
1200 |  ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
1201 |  strings:
1202 |  $pcre = /RSDS[\x01-\xFF]{16}[\x01-\xFF]{1}\x00\x00\x00[\x00]{10,500}/
1203 |  condition:
1204 |  (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
1205 | }
1206 | rule ConventionEngine_Anomaly_NulledOut_DoublePlus
1207 | {
1208 |  meta:
1209 |  author = "@stvemillertime"
1210 |  description = "Searching for PE files with PDB path keywords, terms or anomalies."
1211 |  sample_md5 = "bf0fea133818387cca7eaef5a52c0aed"
1212 |  ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
1213 |  strings:
1214 |  $pcre = /RSDS[\x01-\xFF]{16}[\x01-\xFF]{1}\x00\x00\x00[\x00]{10,500}/
1215 |  condition:
1216 |  (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and #pcre >= 2
1217 | }
1218 | rule ConventionEngine_Anomaly_OutsideOfDebug
1219 | {
1220 |  meta:
1221 |  author = "@stvemillertime"
1222 |  description = "Searching for PE files with PDB path keywords, terms or anomalies."
1223 |  sample_md5 = "bf0fea133818387cca7eaef5a52c0aed"
1224 |  ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
1225 |  strings:
1226 |  $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,500}\.pdb\x00/
1227 |  condition:
1228 |  (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre and pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_DEBUG].virtual_address == 0
1229 | }
1230 | rule ConventionEngine_Term_Users_User
1231 | {
1232 |  meta:
1233 |  author = "@stvemillertime"
1234 |  description = "Searching for PE files with PDB path keywords, terms or anomalies."
1235 |  sample_md5 = "b7c3039203278bc289fd3756571bd468"
1236 |  ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
1237 |  strings:
1238 |  $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,200}Users\\user[\x00-\xFF]{0,200}\.pdb\x00/ nocase ascii
1239 |  condition:
1240 |  (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
1241 | }
1242 | 


--------------------------------------------------------------------------------
/Definitive Dossier of Devilish Debug Details - Archived.docx:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/stvemillertime/ConventionEngine/abd9cf2e369ae124aee7dbb4fb121699992e35f3/Definitive Dossier of Devilish Debug Details - Archived.docx


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # ConventionEngine
 2 | 
 3 | "ConventionEngine" is a collection of Yara rules looking for PEs with PDB paths that have unique, unusual, or overtly malicious-looking keywords, terms, or other features. For further reading on the context, please see the @FireEye blog series on the subject. 
 4 | 
 5 | https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html
 6 | 
 7 | Keywords = string words used by malware developers to organize files, folders and code projects, often describing the functionality of the malware.
 8 | 
 9 | Terms = string words that show up in paths as a result of operating system, software, or user behavior, often indicating that the developer is riding solo or that code project is not being developed for a "enterprise" software product.
10 | 
11 | Anomalies = Other things that are less common but are suspicious or indicative of various behaviors.
12 | 
13 | See also here: https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/definitive_dossier_pdb_yara_appendix.pdf
14 | 


--------------------------------------------------------------------------------