https://live.paloaltonetworks.com/t5/custom-signatures/custom-threat-signature-for-unique-exe-files/m-p/94332#M108 <P>DISCLAIMER:</P><P>As with all custom signatures on this forum, this signature is being provided by the author as a result of enthusiasm for the product and to share ideas with the Palo Alto Networks security community.</P><P>&nbsp;</P><P>It is:</P><P>&nbsp;</P><P>- Not recommended for deployment in a production network of any kind without internal testing.</P><P>- Not a solution to any vulnerability.</P><P>- Not an official supported Palo Alto Networks signature</P><P>&nbsp;</P><P>&nbsp;</P><P>This write up is to help the Palo Alto Networks community with detecting a specific PE file.</P><P>&nbsp;</P><P>The sample signature was created on PAN OS Version 7.0.x :</P><P>&nbsp;</P><P>SHA256: 92914013abfd071b0513d366bcaead978dce2f552c9d2853f4ce775604fb841f</P><P>&nbsp;</P><P>Fill out the appropriate field under the configuration tab<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="CustomVuln1.png" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/4608i1BD592A076D4ED5D/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="CustomVuln1.png" alt="CustomVuln1.png" /></span></P><P>Choose the standard option from the radio button and click on add to create a signature</P><P>&nbsp;</P><P>&nbsp;<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="customVuln2.png" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/4606i39F89C607B5F50AC/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="customVuln2.png" alt="customVuln2.png" /></span></P><P>Since we only have one condition it doesn’t matter if we choose the ‘and’/’or’ condition</P><P>&nbsp;<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="customVuln3.png" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/4607i72DED325A49B266A/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="customVuln3.png" alt="customVuln3.png" /></span></P><P>&nbsp;</P><P>&nbsp;</P><P>To determine a unique string the *NIX utility xxd was used in this case, however any hex editor will work for this purpose.&nbsp; The string was then converted to hex and used in a pattern match to detect the file. In this case the author of the file put what we believe to be their name in the file and that was used as a unique identifier.</P><P>&nbsp;<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="cusomVuln4.png" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/4605iB76EEA4EACDF4BE9/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="cusomVuln4.png" alt="cusomVuln4.png" /></span></P><P>&nbsp;<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="customVuln5.png" style="width: 768px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/4610i330E0E615120B90D/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="customVuln5.png" alt="customVuln5.png" /></span></P><P>&nbsp;</P><P>Once this custom signature is applied and a web browser is used to attempt to download the file the firewall will either block or alert on detection depending on the action you set.</P><P>&nbsp;<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="customVuln6.png" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/4609i94CFF69931094CFD/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="customVuln6.png" alt="customVuln6.png" /></span></P> Tue, 05 Jul 2016 16:43:22 GMT tboire 2016-07-05T16:43:22Z https://live.paloaltonetworks.com/t5/custom-signatures/custom-threat-signature-for-unique-exe-files/m-p/94332#M108 <P>DISCLAIMER:</P><P>As with all custom signatures on this forum, this signature is being provided by the author as a result of enthusiasm for the product and to share ideas with the Palo Alto Networks security community.</P><P>&nbsp;</P><P>It is:</P><P>&nbsp;</P><P>- Not recommended for deployment in a production network of any kind without internal testing.</P><P>- Not a solution to any vulnerability.</P><P>- Not an official supported Palo Alto Networks signature</P><P>&nbsp;</P><P>&nbsp;</P><P>This write up is to help the Palo Alto Networks community with detecting a specific PE file.</P><P>&nbsp;</P><P>The sample signature was created on PAN OS Version 7.0.x :</P><P>&nbsp;</P><P>SHA256: 92914013abfd071b0513d366bcaead978dce2f552c9d2853f4ce775604fb841f</P><P>&nbsp;</P><P>Fill out the appropriate field under the configuration tab<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="CustomVuln1.png" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/4608i1BD592A076D4ED5D/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="CustomVuln1.png" alt="CustomVuln1.png" /></span></P><P>Choose the standard option from the radio button and click on add to create a signature</P><P>&nbsp;</P><P>&nbsp;<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="customVuln2.png" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/4606i39F89C607B5F50AC/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="customVuln2.png" alt="customVuln2.png" /></span></P><P>Since we only have one condition it doesn’t matter if we choose the ‘and’/’or’ condition</P><P>&nbsp;<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="customVuln3.png" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/4607i72DED325A49B266A/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="customVuln3.png" alt="customVuln3.png" /></span></P><P>&nbsp;</P><P>&nbsp;</P><P>To determine a unique string the *NIX utility xxd was used in this case, however any hex editor will work for this purpose.&nbsp; The string was then converted to hex and used in a pattern match to detect the file. In this case the author of the file put what we believe to be their name in the file and that was used as a unique identifier.</P><P>&nbsp;<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="cusomVuln4.png" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/4605iB76EEA4EACDF4BE9/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="cusomVuln4.png" alt="cusomVuln4.png" /></span></P><P>&nbsp;<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="customVuln5.png" style="width: 768px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/4610i330E0E615120B90D/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="customVuln5.png" alt="customVuln5.png" /></span></P><P>&nbsp;</P><P>Once this custom signature is applied and a web browser is used to attempt to download the file the firewall will either block or alert on detection depending on the action you set.</P><P>&nbsp;<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="customVuln6.png" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/4609i94CFF69931094CFD/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="customVuln6.png" alt="customVuln6.png" /></span></P> Tue, 05 Jul 2016 16:43:22 GMT https://live.paloaltonetworks.com/t5/custom-signatures/custom-threat-signature-for-unique-exe-files/m-p/94332#M108 tboire 2016-07-05T16:43:22Z