alert tcp any any <> any any (msg:"ET DELETED NCSC APT28 - CompuTrace_Beacon_UserAgent"; flow:established; content:"|0d0a|TagId|3a|"; fast_pattern; content:"POST / "; content:!"namequery.com"; content:!"Host: 209.53.113."; content:!"dnssearch.org"; content:!"Cookie:"; content:!"fnbcorporate.co.za"; content:!"207.6.98."; pcre:"/Mozilla\/[0-9]{1,2}.[0-9]{1,2}\(compatible\; MSIE [0-9]{1,2}.[0-9]{1,2}\x3b\)\x0d\x0a/"; reference:url,www.ncsc.gov.uk/content/files/protected_files/article_files/IOC-APT28-malware-advisory.pdf; classtype:targeted-activity; sid:2026440; rev:6; metadata:attack_target Client_Endpoint, created_at 2018_10_04, deployment Perimeter, performance_impact Significant, signature_severity Major, tag c2, updated_at 2024_04_29, mitre_tactic_id TA0010, mitre_tactic_name Exfiltration, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)