Custom Threat Signature for unique EXE files

Reply
Highlighted
L3 Networker

Custom Threat Signature for unique EXE files

DISCLAIMER:

As with all custom signatures on this forum, this signature is being provided by the author as a result of enthusiasm for the product and to share ideas with the Palo Alto Networks security community.

 

It is:

 

- Not recommended for deployment in a production network of any kind without internal testing.

- Not a solution to any vulnerability.

- Not an official supported Palo Alto Networks signature

 

 

This write up is to help the Palo Alto Networks community with detecting a specific PE file.

 

The sample signature was created on PAN OS Version 7.0.x :

 

SHA256: 92914013abfd071b0513d366bcaead978dce2f552c9d2853f4ce775604fb841f

 

Fill out the appropriate field under the configuration tabCustomVuln1.png

Choose the standard option from the radio button and click on add to create a signature

 

 customVuln2.png

Since we only have one condition it doesn’t matter if we choose the ‘and’/’or’ condition

 customVuln3.png

 

 

To determine a unique string the *NIX utility xxd was used in this case, however any hex editor will work for this purpose.  The string was then converted to hex and used in a pattern match to detect the file. In this case the author of the file put what we believe to be their name in the file and that was used as a unique identifier.

 cusomVuln4.png

 customVuln5.png

 

Once this custom signature is applied and a web browser is used to attempt to download the file the firewall will either block or alert on detection depending on the action you set.

 customVuln6.png

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!