alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fileless infection dropped by EK CnC Beacon"; flow:established,to_server; http.uri; content:"hl="; content:"source="; content:"aq="; content:"aqi="; content:"aql="; fast_pattern; content:"oq="; http.header; content:!"google."; content:"Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|"; depth:49; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; classtype:command-and-control; sid:2020734; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_03_24, deployment Perimeter, performance_impact Moderate, confidence High, signature_severity Major, tag c2, updated_at 2024_04_15, mitre_tactic_id TA0010, mitre_tactic_name Exfiltration, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)