alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET MALWARE CobaltStrike DNS Beacon Response"; content:"|81 80 00 01 00 01 00 00 00 00|"; offset:2; depth:10; content:"|c0 0c 00 01 00 01 00 00 00 00 00 04 00 00 00 00|"; endswith; threshold:type both, count 10, seconds 90, track by_dst; content:!"|06|nessus|03|org"; content:!"trr|03|dns|07|nextdns|02|io"; content:!"|08|cloudapp|03|net"; reference:url,www.youtube.com/watch?v=zAB5G-QOyx8; classtype:targeted-activity; sid:2026040; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_28, deployment Perimeter, malware_family Cobalt_Strike, confidence High, signature_severity Major, tag c2, updated_at 2022_03_05, mitre_tactic_id TA0010, mitre_tactic_name Exfiltration, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)