MALWARE [PTsecurity] Pegasus (Buhtrap/Ratopak) credentials broadcast via Mailslot
Source: ptresearch/attackdetection
Created: December 13, 2021
Updated: December 13, 2021
Classification: trojan-activity
alert udp $HOME_NET any -> $HOME_NET 138 (msg:"MALWARE [PTsecurity] Pegasus (Buhtrap/Ratopak) credentials broadcast via Mailslot"; content:"|5C|MAILSLOT|5C|"; content:!"|00|"; within:16; pcre:"/^[0-9A-F]{16,32}\x00/R"; pcre:"/[\x0e-\x19\x80-\xff]{5}/R"; threshold:type both, track by_src, count 4, seconds 3600; classtype:trojan-activity; reference:url, github.com/ptresearch/AttackDetection; sid:10003304; rev:1;)