alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WEBC2-KT3 Intial Connection Beacon APT1 Related"; flow:established,to_server; dsize:<11; content:"*!Kt3+v|7c|"; depth:8; flowbits:set,ET.WEBC2KT3; reference:url,www.mandiant.com/apt1; reference:md5,ec3a2197ca6b63ee1454d99a6ae145ab; classtype:targeted-activity; sid:2016456; rev:2; metadata:attack_target Client_Endpoint, created_at 2013_02_22, deployment Perimeter, signature_severity Major, tag c2, updated_at 2019_07_26, mitre_tactic_id TA0010, mitre_tactic_name Exfiltration, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)