Sneed-Reactivity/yara-mikesxrs/Mikesxrs/Aurora_PDB.yar

14 lines
286 B
Text
Raw Normal View History

rule Aurora_PDB
{
meta:
author = "Michael Worth"
reference = "https://www.secureworks.com/blog/research-20913"
description = "PDB path from Arora"
strings:
$PDB1 = "f:\\Aurora_Src\\AuroraVNC\\Avc\\Release\\AVC.pdb"
$PDB2 = "f:\\Aurora_Src\\"
condition:
$PDB1 or $PDB2
}