alert dns $HOME_NET any -> any any (msg:"ET MALWARE Suspected Snugy DNS Backdoor Initial Beacon"; content:"|00 00 01 00 01|"; endswith; dns.query; bsize:>19; content:"646"; offset:2; depth:5; fast_pattern; content:"|2e|"; offset:8; depth:1; pcre:"/^[qbedm](?:[tmp]646\d[a-zA-Z]{2}|[dhz][a-zA-Z]{2}646\d)\./"; reference:url,unit42.paloaltonetworks.com/xhunt-campaign-backdoors/; reference:md5,162959ebfd839229969d5e830c7d1dbc; classtype:command-and-control; sid:2031193; rev:5; metadata:attack_target Client_Endpoint, created_at 2020_11_09, deployment Perimeter, confidence Medium, signature_severity Major, tag c2, updated_at 2023_03_29, mitre_tactic_id TA0010, mitre_tactic_name Exfiltration, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)