alert tcp any [104,2104,22104] -> $HOME_NET any (msg:"ET TROJAN Executable contained in DICOM Medical Image Received from PACS DICOM Device"; flow:established,to_client; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; content:"DICM"; offset:128; depth:4; fast_pattern; reference:url,; reference:url,; classtype:trojan-activity; sid:2027404; rev:1; metadata:affected_product Windows_Client_Apps, attack_target Client_Endpoint, deployment Internal, signature_severity Major, created_at 2019_05_31, updated_at 2019_05_31;)

Added 2019-05-31 18:38:10 UTC

Topic revision: r1 - 2019-05-31 - TWikiGuest
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats