ET MALWARE ProjectSauron Remsec CnC Beacon (hardcoded HTTP headers)

SID: 2023032 Rev: 3

History

Source: et/open
Created: August 9, 2016
Updated: March 17, 2022
Classification: command-and-control
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ProjectSauron Remsec CnC Beacon (hardcoded HTTP headers)"; flow:established,to_server; content:"|41 63 63 65 70 74 3A 20 74 65 78 74 2F 68 74 6D 6C 2C 74 65 78 74 2F 70 6C 61 69 6E 2C 2A 2F 2A 0D 0A 41 63 63 65 70 74 2D 4C 61 6E 67 75 61 67 65 3A 20 65 6E 2D 75 73 0D 0A 41 63 63 65 70 74 2D 43 68 61 72 73 65 74 3A 20 49 53 4F 2D 38 38 35 39 2D 31 2C 2A 0D 0A 4B 65 65 70 2D 41 6C 69 76 65 3A 20 33 30 30 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A 20 4B 65 65 70 2D 41 6C 69 76 65 0D 0A 43 61 63 68 65 2D 43 6F 6E 74 72 6F 6C 3A 20 4E 6F 2D 43 61 63 68 65|"; fast_pattern; reference:url,securelist.com/analysis/publications/75533/faq-the-projectsauron-apt; reference:url,www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets; classtype:command-and-control; sid:2023032; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_09, deployment Perimeter, confidence Medium, signature_severity Major, tag c2, updated_at 2022_03_17, mitre_tactic_id TA0010, mitre_tactic_name Exfiltration, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)

Metadata

affected product: Windows_XP_Vista_7_8_10_Server_32_64_Bit
attack target: Client_Endpoint
created at: 2016_08_09
deployment: Perimeter
confidence: Medium
signature severity: Major
tag: c2
updated at: 2022_03_17
mitre tactic id: TA0010
mitre tactic name: Exfiltration
mitre technique id: T1041
mitre technique name: Exfiltration_Over_C2_Channel
