[Emerging-Sigs] Proposed Signature: PE/MZ SluttyPutty

Jason Taylor jastaylor at emergingthreats.net
Tue Jun 23 05:55:09 HDT 2020

Hi Nathan!

Sorry for the delayed response, I formulated a reply in my head but
apparently never sent an actual email.

Thanks for the sig, we will get it in QA for today!


On Mon, Jun 22, 2020 at 10:09 AM Nathan via Emerging-sigs
<emerging-sigs at lists.emergingthreats.net> wrote:
> SluttyPutty isDebuggerPresent in fake PE/MZ Putty executable";
> flow:established,from_server; file_data; content:"|4D5A|"; depth:2;
> filestore;
> content:"https://www.chiark.greenend.org.uk/~sgtatham/putty/";
> content:"IsDebuggerPresent"; classtype:trojan-activity; sid:x; rev:1;)
> Doubt this will ever generate a false positive.

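The content matches in the quoted signature can be exercised offline against a byte buffer before a rule goes to QA. The Python sketch below is an added example, not part of the original thread and not Suricata's own code; it handles only the `content` and `depth` options, the option string is written with the colon on every `content` keyword, and the sample buffers are constructed.

```python
import re

# Options taken from the quoted signature, every content keyword written with its colon.
RULE_OPTIONS = (
    'flow:established,from_server; file_data; content:"|4D5A|"; depth:2; '
    'filestore; content:"https://www.chiark.greenend.org.uk/~sgtatham/putty/"; '
    'content:"IsDebuggerPresent"; classtype:trojan-activity;'
)

def decode_content(pattern):
    """Turn a Suricata content string into bytes; |..| spans are hex."""
    out = bytearray()
    for i, part in enumerate(pattern.split("|")):
        # Odd segments sit between pipes and hold hex bytes.
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)

def parse_contents(options):
    """Return [(needle_bytes, depth_or_None)] in rule order."""
    matches = []
    for opt in (o.strip() for o in options.split(";")):
        m = re.fullmatch(r'content:"(.*)"', opt)
        if m:
            matches.append([decode_content(m.group(1)), None])
        elif opt.startswith("depth:") and matches:
            matches[-1][1] = int(opt.split(":", 1)[1])  # modifies previous content
    return [tuple(m) for m in matches]

def rule_matches(file_data, options=RULE_OPTIONS):
    """True when every content is present; depth limits the search window."""
    for needle, depth in parse_contents(options):
        window = file_data if depth is None else file_data[:depth]
        if needle not in window:
            return False
    return True

# Constructed sample buffers (not real binaries).
URL = b"https://www.chiark.greenend.org.uk/~sgtatham/putty/"
SAMPLES = {
    "all three strings": b"MZ\x90\x00" + b"\x00" * 60 + URL + b"\x00IsDebuggerPresent\x00",
    "no IsDebuggerPresent": b"MZ\x90\x00" + URL,
    "MZ not at offset 0": b"\x00\x00MZ" + URL + b"IsDebuggerPresent",
    "non-PE text": b"<html>" + URL + b" IsDebuggerPresent</html>",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name}: {rule_matches(data)}")
```
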