Sneed-Reactivity/yara-mikesxrs/alienvault/NKRivts.yar

rule rivts_pdb {
meta:
	description = "Detects Rivts based on PDB folder"
	author="cdoman@alienvault.com"
	tlp ="white"
	license = "MIT License"
    reference = "https://www.alienvault.com/blogs/security-essentials/north-korean-cyber-attacks-and-collateral-damage"
strings:
	$m = "F:\\meWork\\" nocase wide ascii
condition:
	uint16(0) == 0x5a4d and any of them
}
OMG ISTG PLS WORK RED PILL :red_circle: :pill: 2024-07-25 17:43:35 +00:00			`rule rivts_pdb {`
			`meta:`
			`description = "Detects Rivts based on PDB folder"`
			`author="cdoman@alienvault.com"`
			`tlp ="white"`
			`license = "MIT License"`
			`reference = "https://www.alienvault.com/blogs/security-essentials/north-korean-cyber-attacks-and-collateral-damage"`
			`strings:`
			`$m = "F:\\meWork\\" nocase wide ascii`
			`condition:`
			`uint16(0) == 0x5a4d and any of them`
			`}`