Versions (2)
Version DetailsCurrent
Rev: 6 • Jun 29, 2021, 12:00 PM🐾 - ⚠ Suspicious TLSv1.2 connection from 🪟 Windows 10 socket to public IP address - Possible ☠ Meterpreter / Cobalt Strike / other C2 - Certuil
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - ⚠ Suspicious TLSv1.2 connection from 🪟 Windows 10 socket to public IP address - Possible ☠ Meterpreter / Cobalt Strike / other C2 - Certuil"; flow:to_server, stateless; ja3.hash; content:"72a589da586844d7f0818ce684948eea"; metadata:former_category JA3; reference:url,https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/; reference:url,https://thedfirreport.com/2020/10/08/ryuks-return/; reference:url,https://thedfirreport.com/2021/01/31/bazar-no-ryuk/; reference:url,https://engineering.salesforce.com/tls-fingerprinting-with-ja3-and-ja3s-247362855967; reference:url,https://lolbas-project.github.io/lolbas/Binaries/Certutil/#download; target:src_ip; metadata:signature_severity Major, attack_target Client_and_Server, affected_product Windows_XP_Vista_7_8_10_11_Server_32_64_Bit, mitre_tactic_id TA0005, mitre_tactic_name Defense_Evasion, mitre_technique_id T1218_005, mitre_technique_name System_Binary_Proxy_Execution_Mshta, mitre_tactic_id TA0011, mitre_tactic_name Command_and_Control, mitre_technique_id T1105, mitre_technique_name Ingress_Tool_Transfer, created_at 2021_06_29, updated_at 2024_07_30; sid:3300712; rev:6; classtype:trojan-activity;)
Jun 29, 2021, 12:00 PM
Jul 30, 2024, 12:00 PM
Feb 21, 2024, 4:00 PM
May 29, 2025, 11:12 PM
rules/PAW-PATRULES_MALWARES.rules