Rule History

alert tcp any [104,2104,22104] -> $HOME_NET any (msg:"ET MALWARE Executable contained in DICOM Medical Image Received from PACS DICOM Device"; flow:established,to_client; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; content:"DICM"; offset:128; depth:4; fast_pattern; reference:url,github.com/d00rt/pedicom/; reference:url,labs.cylera.com/2019/04/16/pe-dicom-medical-malware/; classtype:trojan-activity; sid:2027404; rev:1; metadata:affected_product Windows_Client_Apps, attack_target Client_Endpoint, created_at 2019_05_31, deployment Internal, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2019_07_26;)