Rule History

alert dns $HOME_NET any -> any any (msg:"ET MALWARE GhostWriter APT Related Cobalt Strike Domain in DNS Lookup (hmgo .pw)"; dns.query; dotprefix; content:".hmgo.pw"; nocase; endswith; reference:url,twitter.com/netresec/status/1506990534547709972; reference:md5,b5525108912ee8d5f1519f1b552723e8; reference:url,tria.ge/220324-p4dl5adghn; classtype:domain-c2; sid:2035602; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_24, deployment Perimeter, malware_family Cobalt_Strike, malware_family Ghostwriter, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_03_24;)