Rule History

alert tls $HOME_NET any -> any ![636] (msg:"🐾 - 🚨 Powershell 🌐 (Windows 11 🪟) - TLSv1.2 connection to FQDN"; flow:to_server, stateless; ja3.hash; content:"6a5d235ee78c6aede6a61448b4e9ff1e"; fast_pattern; tls_sni; content:!"windows.com"; nocase; endswith; content:!".google"; nocase; endswith; content:!"autodesk.com"; nocase; endswith; content:!"sentinelone.net"; nocase; endswith; content:!"garmin.com"; nocase; endswith; content:!"visualstudio.com"; nocase; endswith; content:!"powershellgallery.com"; nocase; endswith; content:!"lenovo.com"; nocase; endswith; content:!".barco.com"; endswith; nocase; content:!".intel.com"; endswith; nocase; content:!".akamaitechnologies.com"; endswith; nocase; content:!"api.amplitude.com"; endswith; nocase; content:!".microsoft.com"; endswith; nocase; content:!".azure.com"; endswith; nocase; metadata: former_category JA3; reference:url,https://learn.microsoft.com/en-us/powershell/; metadata:created_at 2023_11_05, updated_at 2025_09_30; sid:3301086; rev:11; classtype:policy-violation;)