MALWARE [PTsecurity] Pegasus (Buhtrap/Ratopak) domain replication remote pipe check
Source: ptresearch/attackdetection
Created: December 13, 2021
Updated: December 13, 2021
Classification: trojan-activity
alert tcp $HOME_NET any -> $HOME_NET 445 (msg:"MALWARE [PTsecurity] Pegasus (Buhtrap/Ratopak) domain replication remote pipe check"; flow:established, to_server, no_stream; content:"SMB"; content:"|0B 00|"; distance:8; within:2; content:"|00 00 18 00 11 00 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF|"; distance:0; pcre:"/([0-9A-F]\x00){16,32}$/R"; threshold:type threshold, track by_src, count 8, seconds 2; classtype:trojan-activity; reference:url, github.com/ptresearch/AttackDetection; sid:10003305; rev:1;)
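As an added example, not part of ptresearch/AttackDetection and not the rule's own code, the Python below re-implements the rule's content, pcre and threshold chain so the signature can be exercised against constructed SMB2 payloads offline. It assumes this reading of the byte patterns: |0B 00| eight bytes past "SMB" is the SMB2 Command field (IOCTL, 0x000B); |00 00 18 00 11 00| is the IOCTL Reserved field followed by the little-endian CtlCode 0x00110018 (FSCTL_PIPE_WAIT) and the all-FF FileId that FSCTL_PIPE_WAIT uses; the pcre catches a pipe name of 16 to 32 upper-case hex digits in UTF-16LE at the end of the payload. The packet builder, the sample packets and the threshold semantics (alert on the 8th match from one source inside a 2 s window, then reset) are assumptions of this example; flow tracking and stream reassembly are left to the engine.

```python
import re
import struct

# Byte patterns copied from the rule's content: options (sid 10003305).
SMB2_CMD_IOCTL = b"\x0b\x00"  # |0B 00| eight bytes after "SMB": SMB2 Command = IOCTL (0x000B)
# |00 00 18 00 11 00| + 16 x |FF|: IOCTL Reserved, CtlCode 0x00110018 LE (FSCTL_PIPE_WAIT),
# all-FF FileId (interpretation of the rule bytes, see lead-in).
PIPE_WAIT_SIG = b"\x00\x00\x18\x00\x11\x00" + b"\xff" * 16
# pcre:"/([0-9A-F]\x00){16,32}$/R": 16..32 upper-case hex digits as UTF-16LE, anchored
# at the end of the payload, searched relative to the previous content match.
HEX_NAME_RE = re.compile(rb"(?:[0-9A-F]\x00){16,32}$")
THRESHOLD_COUNT, THRESHOLD_SECONDS = 8, 2  # threshold:type threshold, count 8, seconds 2


def matches_content(payload: bytes) -> bool:
    """True if a single TCP payload satisfies the rule's content/pcre chain."""
    i = payload.find(b"SMB")
    while i != -1:
        cmd_off = i + 3 + 8  # distance:8; within:2 -> exactly 8 bytes past "SMB"
        if payload[cmd_off:cmd_off + 2] == SMB2_CMD_IOCTL:
            sig_off = payload.find(PIPE_WAIT_SIG, cmd_off + 2)  # distance:0 -> anywhere after
            if sig_off != -1:
                tail = payload[sig_off + len(PIPE_WAIT_SIG):]  # /R: relative to last match
                if HEX_NAME_RE.search(tail):
                    return True
        i = payload.find(b"SMB", i + 1)
    return False


class ThresholdTracker:
    """Approximation (assumed here) of 'threshold:type threshold, track by_src, count 8,
    seconds 2': fire on the 8th match from one source inside a 2 s window, then reset."""

    def __init__(self, count=THRESHOLD_COUNT, seconds=THRESHOLD_SECONDS):
        self.count, self.seconds = count, seconds
        self.state = {}  # src -> (window_start, hits)

    def record(self, src: str, ts: float) -> bool:
        start, hits = self.state.get(src, (ts, 0))
        if ts - start > self.seconds:  # window expired: start a new one
            start, hits = ts, 0
        hits += 1
        if hits >= self.count:
            self.state[src] = (ts, 0)  # fire and reset the counter
            return True
        self.state[src] = (start, hits)
        return False


def scan(packets):
    """packets: iterable of (src_ip, dst_port, ts, payload). Returns [(src_ip, ts)] alerts."""
    tracker = ThresholdTracker()
    alerts = []
    for src, dport, ts, payload in packets:
        if dport != 445 or not matches_content(payload):  # -> $HOME_NET 445
            continue
        if tracker.record(src, ts):
            alerts.append((src, ts))
    return alerts


def build_pipe_wait(pipe_name: str) -> bytes:
    """Constructed SMB2 IOCTL / FSCTL_PIPE_WAIT request (test data, not a real capture)."""
    name = pipe_name.encode("utf-16-le")
    # FSCTL_PIPE_WAIT_REQUEST: Timeout(8) NameLength(4) TimeoutSpecified(1) Padding(1) Name
    req = struct.pack("<QIBB", 0, len(name), 0, 0) + name
    # SMB2 header: StructureSize, CreditCharge, Status, Command=IOCTL, CreditRequest,
    # Flags, NextCommand, MessageId, Reserved, TreeId, SessionId, Signature (64 bytes)
    hdr = b"\xfeSMB" + struct.pack("<HHIHH", 64, 0, 0, 0x000B, 1)
    hdr += struct.pack("<IIQIIQ", 0, 0, 1, 0, 1, 1) + b"\x00" * 16
    # IOCTL request: StructureSize, Reserved, CtlCode, FileId, then InputOffset,
    # InputCount, MaxInputResponse, OutputOffset, OutputCount, MaxOutputResponse, Flags, Reserved2
    ioctl = struct.pack("<HHI", 57, 0, 0x00110018) + b"\xff" * 16
    ioctl += struct.pack("<8I", 64 + 56, len(req), 0, 0, 0, 0, 0, 0)
    return hdr + ioctl + req


if __name__ == "__main__":
    # Constructed traffic: eight pipe-wait probes from one host within 1.4 s trip the
    # threshold once; a probe for an ordinary pipe name never matches the content chain.
    burst = [("10.0.0.5", 445, 0.2 * i, build_pipe_wait("0123456789ABCDEF0123456789ABCDEF"))
             for i in range(8)]
    print(scan(burst))                                      # [('10.0.0.5', 1.4...)]
    print(matches_content(build_pipe_wait("spoolss")))      # False
```

Because the pcre is not anchored at its start, any UTF-16LE name whose last 16 or more characters are upper-case hex digits satisfies it, exactly as the Snort rule does; lower-case hex, shorter names, or a packet that does not end with the name do not match, and a source that stays below eight matches per two seconds never produces an alert.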
References: github.com/ptresearch/AttackDetection