alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (CONFUCIOUS_B CnC)"; flow:established,to_client; tls.cert_serial; content:"00:f9:1c:f7:fd:a7:bc:0a:9a"; bsize:26; fast_pattern; tls.cert_subject; content:"Internet Widgets"; reference:md5,2d2fe787b2728332341166938a25fa26; reference:url,unit42.paloaltonetworks.com/unit42-confucius-says-malware-families-get-further-by-abusing-legitimate-websites; classtype:domain-c2; sid:2029926; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_04_16, deployment Perimeter, malware_family CONFUCIUS_B, performance_impact Low, confidence High, signature_severity Major, tag SSL_Malicious_Cert, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_04_16, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)