20 lines
1,000 B
Text
20 lines
1,000 B
Text
|
rule APT3_PDB_Paths
|
||
|
{
|
||
|
meta:
|
||
|
Author = "@X0RC1SM"
|
||
|
Description = "Looking for PDB paths found in report"
|
||
|
Reference1 = "https://www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html"
|
||
|
Date = "2017-10-28"
|
||
|
strings:
|
||
|
$PDB1 = "c:\\Users\\aa\\Documents\\Visual Studio 2008\\Projects\\MShell\\Release \\MShell.pdb"
|
||
|
$PDB2 = "c:\\Users\\aa\\Documents\\Visual Studio 2008\\Projects\\4113\\Release \\4113.pdb"
|
||
|
$PDB3 = "C:\\Users\\aa\\Documents\\Visual Studio 2010\\Projects\\MyRat\\Client\\Client \\obj\\x86\\Release\\Client.pdb"
|
||
|
$PDB4 = "C:\\Users\\aa\\Documents\\"
|
||
|
$PDB5 = "c:\\Users\\aa\\Documents\\Visual Studio 2008\\Projects\\MShell\\Release\\MShell.pdb"
|
||
|
$PDB6 = "c:\\Users\\aa\\Documents\\Visual Studio 2008\\Projects\\4113\\Release\\4113.pdb"
|
||
|
$PDB7 = "C:\\Users\\aa\\Documents\\Visual Studio 2010\\Projects\\MyRat\\Client\\Client\\obj\\x86\\Release\\Client.pdb"
|
||
|
|
||
|
condition:
|
||
|
any of them
|
||
|
}
|