[Emerging-Sigs] Proposed Signature: PE/MZ SluttyPutty
jastaylor at emergingthreats.net
Tue Jun 23 05:55:09 HDT 2020
Sorry for the delayed response, I formulated a reply in my head but
apparently never sent an actual email.
Thanks for the sig, we will get it in QA for today!
On Mon, Jun 22, 2020 at 10:09 AM Nathan via Emerging-sigs
<emerging-sigs at lists.emergingthreats.net> wrote:
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN
> SluttyPutty isDebuggerPresent in fake PE/MZ Putty executable";
> flow:established,from_server; file_data; content:"|4D5A|"; depth:2;
> content:"IsDebuggerPresent"; classtype:trojan-activity; sid:x; rev:1;)
> Doubt this will ever generate a false positive.
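The matching logic of the signature quoted above, as an added example that is not part of the original thread: a small Python model of the rule's two content matches against the `file_data` buffer, run over constructed sample bodies. It models only `content` and `depth`; flow tracking and HTTP body extraction are assumed to be done by the IDS, and the function names are hypothetical.

```python
import re

# content/depth options taken from the proposed rule
RULE_OPTS = 'file_data; content:"|4D5A|"; depth:2; content:"IsDebuggerPresent";'

def decode_content(s):
    """Decode rule content syntax: text between | | is hex, the rest literal."""
    out = bytearray()
    for i, part in enumerate(s.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)

def parse_contents(opts):
    """Return [(pattern, depth or None)] for each content option, in order.
    Naive split on ';' is enough here: this rule has no escaped semicolons."""
    found = []
    for opt in (o.strip() for o in opts.split(";")):
        m = re.fullmatch(r'content:"(.*)"', opt)
        if m:
            found.append([decode_content(m.group(1)), None])
        elif opt.startswith("depth:") and found:
            found[-1][1] = int(opt.split(":", 1)[1])  # modifies previous content
    return [tuple(f) for f in found]

def body_matches(body, opts=RULE_OPTS):
    """True when every content is present; depth limits the search window.
    Without distance/within, each content is searched from the buffer start,
    and without nocase the comparison is case-sensitive."""
    return all(pat in (body if depth is None else body[:depth])
               for pat, depth in parse_contents(opts))

# Constructed sample response bodies (not real captures)
SAMPLES = {
    "pe_with_import": b"MZ" + b"\x00" * 64 + b"KERNEL32.dll\x00IsDebuggerPresent\x00",
    "pe_without_import": b"MZ" + b"\x00" * 64 + b"KERNEL32.dll\x00GetProcAddress\x00",
    "html_mentioning_api": b"<html>IsDebuggerPresent</html>",
    "pe_inside_archive": b"PK\x03\x04" + b"MZ" + b"\x00" * 64 + b"IsDebuggerPresent",
    "lowercase_string": b"MZ" + b"\x00" * 64 + b"isdebuggerpresent",
}

def run_samples():
    return {name: body_matches(body) for name, body in SAMPLES.items()}

if __name__ == "__main__":
    for name, hit in run_samples().items():
        print(f"{name:22} {'ALERT' if hit else 'no match'}")
```
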