DISCLAIMER: As with all custom signatures on this forum, this signature is provided by the author out of enthusiasm for the product and to share ideas with the Palo Alto Networks security community. It is:

- Not recommended for deployment in a production network of any kind without internal testing.
- Not a solution to any vulnerability.
- Not an official, supported Palo Alto Networks signature.

This write-up is to help the Palo Alto Networks community detect a specific PE file. The sample signature was created on PAN-OS version 7.0.x.

SHA256: 92914013abfd071b0513d366bcaead978dce2f552c9d2853f4ce775604fb841f

1. Fill out the appropriate fields under the Configuration tab.
2. Choose the Standard option from the radio button and click Add to create a signature.
3. Since there is only one condition, it does not matter whether the 'and' or 'or' condition is chosen.

To determine a unique string, the *NIX utility xxd was used in this case; however, any hex editor will work for this purpose. The string was then converted to hex and used in a pattern match to detect the file. In this case the author of the file put what we believe to be their name in the file, and that was used as the unique identifier.

Once this custom signature is applied and a web browser is used to attempt to download the file, the firewall will either block or alert on detection, depending on the action you set.
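To show how a candidate string is picked out of a binary, turned into the hex form a pattern match needs, and then checked against a download, here is an added Python example that is not part of the original post or of PAN-OS. The byte blob and the marker string EXAMPLE_AUTHOR_NAME are constructed stand-ins for the real sample, and the 7-byte minimum pattern length is my assumption about PAN-OS, not something the post states.

```python
import re

# Constructed stand-in for the PE sample: an MZ header, the DOS stub text and an
# embedded "author name" string, not the real file from the post.
SAMPLE = (
    b"MZ" + b"\x90\x00" * 6 + b"\x00" * 48
    + b"PE\x00\x00" + b"\x00" * 20
    + b"This program cannot be run in DOS mode.\r\n"
    + b"Compiled by EXAMPLE_AUTHOR_NAME\x00"
    + b"\x00" * 32
)

# Assumed minimum pattern length for a PAN-OS custom signature (my assumption).
MIN_PATTERN_BYTES = 7


def find_candidate_strings(data: bytes, min_len: int = 8) -> list[str]:
    """Extract printable ASCII runs, the way `strings` or reading xxd output
    helps you spot a marker that is unique to the file."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def to_hex_pattern(marker: bytes) -> str:
    """Lowercase hex of the marker, as `xxd -p` would print it; this is the
    value pasted into the signature's pattern-match condition."""
    if len(marker) < MIN_PATTERN_BYTES:
        raise ValueError(f"pattern must be at least {MIN_PATTERN_BYTES} bytes")
    return marker.hex()


def matches(data: bytes, hex_pattern: str) -> bool:
    """Byte-level check equivalent to the firewall's pattern match on the
    download: does the decoded pattern occur anywhere in the payload?"""
    return bytes.fromhex(hex_pattern) in data


if __name__ == "__main__":
    for s in find_candidate_strings(SAMPLE):
        print("candidate:", s)
    pattern = to_hex_pattern(b"EXAMPLE_AUTHOR_NAME")
    print("hex pattern:", pattern)
    print("sample matches:", matches(SAMPLE, pattern))
    print("benign blob matches:", matches(b"MZ" + b"\x00" * 64, pattern))
```

A marker chosen this way should be re-checked against a set of known-good files before the signature is set to block, since a short or common string produces false positives.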