stvemillertime/ConventionEngine_Keyword_master.yar

## ConventionEngine_Keyword_master.yar
rule ConventionEngine_Keyword_master
{
 meta:
 author = "@stvemillertime"
 description = "Searching for PE files with PDB path keywords, terms or anomalies."
 sample_md5 = "2c47ed277a3471b8e4c5d396d4119c31"
 ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
 strings:
        $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,500}-master\\[\x00-\xFF]{0,500}\.pdb\x00/ ascii
 condition:
        (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
}
	rule ConventionEngine_Keyword_master
	{
	meta:
	author = "@stvemillertime"
	description = "Searching for PE files with PDB path keywords, terms or anomalies."
	sample_md5 = "2c47ed277a3471b8e4c5d396d4119c31"
	ref_blog = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
	strings:
	$pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,500}-master\\[\x00-\xFF]{0,500}\.pdb\x00/ ascii
	condition:
	(uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
	}