How to Create a Custom Vulnerability signature for a PE File

Created On 01/12/21 09:15 AM - Last Modified 06/08/23 09:00 AM


Procedure


This can be done with a custom vulnerability signature (Objects > Custom Objects > Vulnerability). We will use the 'pe-body-data' context with a unique pattern taken from the body of the PE file that we want to block.

The benign PE file that I'm using for demonstration is 0964fa51554663205337086ea94f540367ed0826f309d41f571dae4ee9464ef2, and the hex pattern 500069006e00670049006e0066006f0056006900650077002e006500780065 has been extracted from the PE file after review. A hex editor like HxD can be used to find a unique pattern in the sample.


Note: Using a less unique pattern for matching could lead to false positives.
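
An added example (not from the original article or from Palo Alto Networks): a Python check of how specific a candidate pattern is before it goes into the signature, comparing the pattern above with a shorter, hypothetical candidate. The file contents, file names and the shorter pattern are constructed for illustration.

```python
from __future__ import annotations

# Pattern from the article, plus a hypothetical weaker candidate (its ".exe" tail).
KB_PATTERN = "500069006e00670049006e0066006f0056006900650077002e006500780065"
SHORT_PATTERN = "2e006500780065"


def find_offsets(data: bytes, pattern: bytes) -> list[int]:
    """Return every offset at which pattern occurs in data (overlaps included)."""
    offsets, start = [], data.find(pattern)
    while start != -1:
        offsets.append(start)
        start = data.find(pattern, start + 1)
    return offsets


def readable(pattern: bytes) -> str:
    """Decode as UTF-16LE (Windows wide strings), padding an odd-length pattern."""
    padded = pattern + b"\x00" * (len(pattern) % 2)
    return padded.decode("utf-16-le", errors="replace")


def evaluate(hex_pattern: str, target: bytes, known_good: dict[str, bytes]) -> dict:
    """Summarise hits in the target and in files that must not match."""
    pattern = bytes.fromhex(hex_pattern)
    return {
        "length": len(pattern),
        "text": readable(pattern),
        "target_offsets": find_offsets(target, pattern),
        "false_positives": sorted(
            name for name, blob in known_good.items() if find_offsets(blob, pattern)
        ),
    }


# Constructed stand-ins for real files; in practice read them with Path.read_bytes().
TARGET = b"MZ" + b"\x00" * 62 + "OriginalFilename\0PingInfoView.exe\0".encode("utf-16-le")
KNOWN_GOOD = {
    "notepad_like.bin": b"MZ" + b"\x00" * 62 + "notepad.exe\0".encode("utf-16-le"),
    "library_like.bin": b"MZ" + b"\x00" * 62 + "helper.dll\0".encode("utf-16-le"),
}

if __name__ == "__main__":
    for candidate in (KB_PATTERN, SHORT_PATTERN):
        print(evaluate(candidate, TARGET, KNOWN_GOOD))
```

The full pattern hits only the target buffer, while the shorter candidate also hits a known-good buffer, which is the false-positive case the note describes.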

 


Additional Information


Refer to the link below for more information on how to create a custom threat signature:

https://docs.paloaltonetworks.com/pan-os/u-v/custom-app-id-and-threat-signatures/custom-application-and-threat-signatures/create-a-custom-threat-signature.html

