Rule History

alert tls $HOME_NET any -> any any (msg:"🐾 - 🚨 Powershell 🌐 (Windows Server 2016 🪟) - TLSv1.2 connection to FQDN"; flow:to_server, stateless; ja3.hash; content:"ae76f123158d52fd84c2c313c0c724ac"; fast_pattern; tls_sni; content:!"windows.com"; nocase; endswith; content:!".google"; nocase; endswith; content:!"hpsmart.com"; nocase; endswith; content:!"hp.com"; nocase; endswith; content:!"hpconnected.com"; nocase; endswith;  content:!"lenovo.com"; nocase; endswith; content:!"microsoft.com"; nocase; endswith; content:!"github.com"; nocase; endswith; content:!"githubusercontent.com"; nocase; endswith; content:!"garmin.com"; nocase; endswith; content:!"visualstudio.com"; nocase; endswith; content:!"powershellgallery.com"; nocase; endswith; content:!"azureedge.net"; nocase; endswith; content:!"exp-tas.com"; nocase; endswith; content:!"sentinelone.net"; nocase; endswith; content:!"trafficmanager.net"; nocase; endswith; content:!"msedge.net"; nocase; endswith; content:!".ms"; nocase; endswith; content:!"msecnd.net"; nocase; endswith; content:!".microsoft"; nocase; endswith; content:!"office.net"; endswith; nocase; content:!"lenovomm.com"; endswith; nocase; content:!"packages.wazuh.com"; endswith; nocase; content:!".windows.net"; endswith; nocase; content:!".skype.com"; endswith; nocase; content:!".barco.com"; endswith; nocase; content:!".intel.com"; endswith; nocase; content:!".akamaitechnologies.com"; endswith; nocase; content:!"api.amplitude.com"; endswith; nocase;metadata: former_category JA3; reference:url,https://learn.microsoft.com/en-us/powershell/; metadata:created_at 2024_07_20, updated_at 2024_08_25; sid:3321298; rev:3; classtype:policy-violation;)