Last active: July 2, 2021 14:14
Gist: stvemillertime/4fb2d8baca50ac598029727b67d05673
```yara
rule PE_PDB_Keyword_Admin
{
    meta:
        author = "@stvemillertime"
        date = "11/06/2018"
        description = "Looking for PEs with PDB paths containing suspicious strings, as part of common developer convention. #ConventionEngine"
        md5 = "06c19cd73471f0db027ab9eb85edc607"
        ref = "https://twitter.com/stvemillertime/status/1059650975068315648"
    strings:
        // CodeView RSDS debug record: "RSDS" signature, 16-byte GUID, 4-byte age
        // (the {20} skips GUID + age), then the NUL-terminated PDB path.
        // The path must start with a drive letter, contain "admin" somewhere, and end in ".pdb".
        $pcre = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\\\S|*\S]?.{0,250}admin[\\\S|*\S]?.{0,250}\.pdb\x00/ nocase // this could probs use some updating
    condition:
        // "MZ" DOS header and "PE\0\0" at e_lfanew (offset 0x3C): only scan real PE files
        (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre
}
```
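The rule packs three checks into one regex: a PE header test, a walk over the CodeView RSDS record (signature, 16-byte GUID, 4-byte age, NUL-terminated path), and a case-insensitive keyword match on the path. The Python below is an added example, not part of the gist and not the author's tooling; it reimplements those three steps explicitly so each can be tested on its own. The sample buffers, the placeholder GUID and the PDB paths are constructed here for illustration and are not real binaries.

```python
"""
Added example (not from the gist): a plain-Python equivalent of what
PE_PDB_Keyword_Admin's regex matches, split into testable pieces.
"""
import re
import struct

RSDS_SIG = b"RSDS"
# CodeView RSDS record layout: "RSDS" | GUID (16 bytes) | age (4 bytes) | path | NUL
# The YARA regex skips GUID + age with [\x00-\xFF]{20}; here the offset is explicit.
RSDS_HEADER_LEN = 4 + 16 + 4

# Drive letter, ":\", anything, ".pdb"  (the regex's  [a-zA-Z]:\\ ... \.pdb\x00  part)
PDB_PATH_RE = re.compile(r"^[A-Za-z]:\\.*\.pdb$", re.IGNORECASE | re.DOTALL)


def is_pe(data):
    """Same gate as the rule's condition: 'MZ' at offset 0, e_lfanew at 0x3C -> 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def extract_pdb_paths(data):
    """Return every well-formed PDB path found in RSDS records anywhere in the buffer."""
    paths = []
    pos = 0
    while (idx := data.find(RSDS_SIG, pos)) != -1:
        pos = idx + 1
        start = idx + RSDS_HEADER_LEN
        end = data.find(b"\x00", start)
        if end == -1:
            continue  # truncated record: no terminator, nothing to read
        path = data[start:end].decode("latin-1")
        if PDB_PATH_RE.match(path):
            paths.append(path)
    return paths


def pdb_keyword_hits(data, keyword="admin"):
    """PDB paths containing the keyword (case-insensitive, like the rule's nocase), PE inputs only."""
    if not is_pe(data):
        return []
    kw = keyword.lower()
    return [p for p in extract_pdb_paths(data) if kw in p.lower()]


def build_sample(pdb_path):
    """Constructed test buffer (not a loadable executable): minimal MZ/PE signatures
    at the offsets the rule checks, followed by a single RSDS record."""
    buf = bytearray(0x80)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)  # e_lfanew -> offset 0x40
    buf[0x40:0x44] = b"PE\x00\x00"
    guid = bytes(range(16))                  # placeholder GUID, carries no meaning
    age = struct.pack("<I", 1)
    return bytes(buf) + RSDS_SIG + guid + age + pdb_path.encode("latin-1") + b"\x00"


if __name__ == "__main__":
    hit = build_sample(r"C:\Users\admin\source\repos\loader\Release\loader.pdb")
    miss = build_sample(r"D:\build\x64\Release\app.pdb")
    print(pdb_keyword_hits(hit))
    print(pdb_keyword_hits(miss))
```

Two differences from the YARA rule are deliberate: the path length is unbounded here, whereas the regex caps each side of the keyword at 250 bytes, and a buffer with an RSDS record but no valid MZ/PE header is rejected outright rather than never being scanned. Swapping the `keyword` argument reproduces the other #ConventionEngine keyword rules without touching the parser.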