Sneed-Reactivity/yara-mikesxrs/Mandiant/MTI_Hunting_AsRockDriver_Exploit_PDB.yar

rule MTI_Hunting_AsRockDriver_Exploit_PDB

{

          meta:

                    author = "Mandiant"

                    date = "03-23-2022"

                    description = "Searching for executables containing strings associated with AsRock driver Exploit."
                    
                    reference = "https://www.mandiant.com/resources/incontroller-state-sponsored-ics-tool"
   

          strings:

                    $dos_stub = "This program cannot be run in DOS mode"

                    $pdb_bad = "dev projects\\SignSploit1\\x64\\Release\\AsrDrv_exploit.pdb"

                    $pdb_good = "c:\\asrock\\work\\asrocksdk_v0.0.69\\asrrw\\src\\driver\\src\\objfre_win7_amd64\\amd64\\AsrDrv103.pdb"

   

          condition:

                    all of them and (@pdb_bad < @dos_stub[2]) and (#dos_stub == 2) and (@pdb_good > @dos_stub[2])

}
OMG ISTG PLS WORK RED PILL :red_circle: :pill: 2024-07-25 12:43:35 -05:00			`rule MTI_Hunting_AsRockDriver_Exploit_PDB`

			`{`

			`meta:`

			`author = "Mandiant"`

			`date = "03-23-2022"`

			`description = "Searching for executables containing strings associated with AsRock driver Exploit."`

			`reference = "https://www.mandiant.com/resources/incontroller-state-sponsored-ics-tool"`


			`strings:`

			`$dos_stub = "This program cannot be run in DOS mode"`

			`$pdb_bad = "dev projects\\SignSploit1\\x64\\Release\\AsrDrv_exploit.pdb"`

			`$pdb_good = "c:\\asrock\\work\\asrocksdk_v0.0.69\\asrrw\\src\\driver\\src\\objfre_win7_amd64\\amd64\\AsrDrv103.pdb"`



			`condition:`

			`all of them and (@pdb_bad < @dos_stub[2]) and (#dos_stub == 2) and (@pdb_good > @dos_stub[2])`

			`}`