Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
ConventionEngine - A Yara Rulepack for PDB Path Hunting
- Host: GitHub
- URL: https://github.com/stvemillertime/ConventionEngine
- Owner: stvemillertime
- Created: 2019-04-30T12:40:53.000Z (over 5 years ago)
- Default Branch: master
- Last Pushed: 2023-03-15T13:55:28.000Z (over 1 year ago)
- Last Synced: 2024-04-09T19:11:18.388Z (7 months ago)
- Language: YARA
- Homepage:
- Size: 1.61 MB
- Stars: 35
- Watchers: 2
- Forks: 9
- Open Issues: 2
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
- awesome-yara - ConventionEngine Rules
README
# ConventionEngine
"ConventionEngine" is a collection of Yara rules that look for PE files whose PDB paths contain unique, unusual, or overtly malicious-looking keywords, terms, or other features. For further reading on the context, please see the @FireEye blog series on the subject.
https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html
Keywords = string words used by malware developers to organize files, folders and code projects, often describing the functionality of the malware.
Terms = string words that show up in paths as a result of operating system, software, or user behavior, often indicating that the developer is riding solo or that the code project is not being developed as an "enterprise" software product.
Anomalies = other things that are less common but are suspicious or indicative of various behaviors.
See also here: https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/definitive_dossier_pdb_yara_appendix.pdf