stvemillertime/pe_pdb_keywords.yar

## pe_pdb_keywords.yar
rule PE_PDB_Keyword_Admin
{
    meta:
        author = "@stvemillertime"
        date = "11/06/2018"
        description = "Looking for PEs with PDB paths containing suspicious strings, as part of common developer convention. #ConventionEngine"
        md5 = "06c19cd73471f0db027ab9eb85edc607"
        ref = "https://twitter.com/stvemillertime/status/1059650975068315648"
   strings:
        $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\\\S|*\S]?.{0,250}admin[\\\S|*\S]?.{0,250}\.pdb\x00/ nocase // this could probs use some updating
   condition:
        (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
}
	rule PE_PDB_Keyword_Admin
	{
	meta:
	author = "@stvemillertime"
	date = "11/06/2018"
	description = "Looking for PEs with PDB paths containing suspicious strings, as part of common developer convention. #ConventionEngine"
	md5 = "06c19cd73471f0db027ab9eb85edc607"
	ref = "https://twitter.com/stvemillertime/status/1059650975068315648"
	strings:
	$pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\\\S\|\S]?.{0,250}admin[\\\S\|\S]?.{0,250}\.pdb\x00/ nocase // this could probs use some updating
	condition:
	(uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
	}