
Rule History

SID: 3301092 • Source: pawpatrules

Versions (7)

Version Details (Current)

Rev: 14, Nov 18, 2023, 12:00 PM

🐾 - 🚨 Suspicious TLSV1.2 connection from WinHttpOpen C++ function 🪟 to fqdn (check that the destination is legitimate)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Suspicious TLSV1.2 connection from WinHttpOpen C++ fonction 🪟 to fqdn (check that the destination is legitimate)"; flow:to_server, stateless; ja3.hash; content:"ce5f3254611a8c095a3d821d44539877"; fast_pattern; tls_sni; content:!"adobe.com"; endswith; nocase; content:!"microsoft.com"; endswith; nocase; content:!"skype.com"; endswith; nocase; content:!"msn.com"; endswith; nocase; content:!"office.net"; endswith; nocase; content:!"live.com"; endswith; nocase; content:!"office.com"; endswith; nocase; content:!"office365.com"; endswith; nocase; content:!"azureedge.net"; endswith; nocase; content:!"comae.com"; endswith; nocase; content:!"autodesk.com"; endswith; nocase; content:!"onenote.net"; endswith; nocase; content:!".microsoft"; endswith; nocase; content:!".windows.net"; endswith; nocase; content:!".googleapis.com"; endswith; nocase; content:!".outlook.com"; endswith; nocase; content:!".azurefd.net"; endswith; nocase; reference:url,https://learn.microsoft.com/en-us/windows/win32/api/winhttp/nf-winhttp-winhttpopen; reference:url,https://malpedia.caad.fkie.fraunhofer.de/details/win.revil; reference:url,https://malpedia.caad.fkie.fraunhofer.de/details/win.pikabot; metadata:created_at 2023_11_18, updated_at 2025_09_30; sid:3301092; rev:14; classtype:trojan-activity;)
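The rule above fires on one JA3 fingerprint and then carves out a list of SNI suffixes with negated `content`/`endswith`/`nocase` matches. To make that logic visible, here is an added Python re-implementation of the content checks (not part of the pawpatrules project or of Suricata) run over a few constructed eve.json-style TLS records. It ignores the `$HOME_NET`/`$EXTERNAL_NET` and `flow` conditions and leaves out handshakes without an SNI, since the page does not say how Suricata treats a negated match on an absent buffer. It also shows a caveat of the rule as written: suffixes that have no leading dot (`adobe.com`, `microsoft.com`, ...) also exclude unrelated names such as `notadobe.com`, so an attacker-controlled domain ending in one of those strings would be whitelisted.

```python
import json
from typing import Iterable

# Values copied from sid 3301092 rev 14 above.
JA3_HASH = "ce5f3254611a8c095a3d821d44539877"
EXCLUDED_SNI_SUFFIXES = (
    "adobe.com", "microsoft.com", "skype.com", "msn.com", "office.net",
    "live.com", "office.com", "office365.com", "azureedge.net", "comae.com",
    "autodesk.com", "onenote.net", ".microsoft", ".windows.net",
    ".googleapis.com", ".outlook.com", ".azurefd.net",
)


def sni_is_excluded(sni: str) -> bool:
    """Mirror `tls_sni; content:!"<suffix>"; endswith; nocase;`.

    endswith + nocase is a plain case-insensitive suffix test, so entries
    without a leading dot (e.g. "adobe.com") also match "notadobe.com".
    """
    lowered = sni.lower()
    return any(lowered.endswith(suffix) for suffix in EXCLUDED_SNI_SUFFIXES)


def rule_matches(event: dict) -> bool:
    """Apply the rule's content matches to one eve.json TLS event."""
    if event.get("event_type") != "tls":
        return False
    tls = event.get("tls", {})
    # ja3.hash; content:"<hash>"; fast_pattern;
    if tls.get("ja3", {}).get("hash") != JA3_HASH:
        return False
    sni = tls.get("sni")
    if sni is None:
        # Handshakes without SNI are not modelled here (assumption, see lead-in).
        return False
    return not sni_is_excluded(sni)


def evaluate(eve_lines: Iterable[str]) -> list[str]:
    """Return the SNIs of the events that would raise this alert."""
    hits = []
    for line in eve_lines:
        event = json.loads(line)
        if rule_matches(event):
            hits.append(event["tls"]["sni"])
    return hits


# Constructed eve.json records for illustration; not captured traffic.
SAMPLE_EVE_LINES = [
    # Allow-listed Microsoft destination: suppressed.
    json.dumps({"event_type": "tls", "src_ip": "10.0.0.5", "dest_ip": "203.0.113.10",
                "tls": {"sni": "login.microsoft.com", "version": "TLS 1.2",
                        "ja3": {"hash": JA3_HASH}}}),
    # Unknown destination with the suspicious fingerprint: alert.
    json.dumps({"event_type": "tls", "src_ip": "10.0.0.5", "dest_ip": "198.51.100.7",
                "tls": {"sni": "update-check.example", "version": "TLS 1.2",
                        "ja3": {"hash": JA3_HASH}}}),
    # Ends with "adobe.com" but is not an Adobe name: suppressed (rule gap).
    json.dumps({"event_type": "tls", "src_ip": "10.0.0.5", "dest_ip": "198.51.100.8",
                "tls": {"sni": "notadobe.com", "version": "TLS 1.2",
                        "ja3": {"hash": JA3_HASH}}}),
    # Different client fingerprint: no alert regardless of SNI.
    json.dumps({"event_type": "tls", "src_ip": "10.0.0.6", "dest_ip": "198.51.100.9",
                "tls": {"sni": "www.example.com", "version": "TLS 1.2",
                        "ja3": {"hash": "0000000000000000000000000000dead"}}}),
    # Mixed case is still excluded because of nocase.
    json.dumps({"event_type": "tls", "src_ip": "10.0.0.6", "dest_ip": "203.0.113.11",
                "tls": {"sni": "assets.AzureEdge.NET", "version": "TLS 1.2",
                        "ja3": {"hash": JA3_HASH}}}),
    # Non-TLS event type: skipped.
    json.dumps({"event_type": "http", "http": {"hostname": "update-check.example"}}),
]

if __name__ == "__main__":
    for sni in evaluate(SAMPLE_EVE_LINES):
        print(f"alert sid:3301092 -> {sni}")
```

Run stand-alone it prints a single hit for `update-check.example`. Two operational points follow from the code: the `ja3.hash` buffer is only populated when JA3 fingerprinting is enabled in `suricata.yaml` (`app-layer.protocols.tls.ja3-fingerprints`), otherwise the rule never fires; and if the allow-list is meant to cover only the named zones, each entry should carry a leading dot (as the last five already do) or be matched against the full name, since `endswith` alone accepts any longer label ending in the same characters.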

Nov 18, 2023, 12:00 PM

Sep 30, 2025, 12:00 PM

Feb 21, 2024, 4:00 PM

Aug 29, 2025, 11:34 PM

rules/PAW-PATRULES_MALWARES.rules