Rule History

alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShadowAgent/TA396 CnC Domain in DNS Lookup (broughservice .info)"; dns.query; dotprefix; content:".broughservice.info"; nocase; endswith; reference:url,ti.qianxin.com/blog/articles/analysis-of-the-attack-activity-of-the-apt-q-38-using-pdf-document-decoys-cn/; classtype:command-and-control; sid:2066164; rev:1; metadata:attack_target Client_Endpoint, created_at 2025_12_08, deployment Perimeter, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, tag TA396, updated_at 2025_12_08;)