alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE UNC2628 BEACON Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".html|20|/"; content:".html?auth=uid"; distance:0; fast_pattern; http.user_agent; content:"ms-office|3b 20|"; http.header_names; content:!"Referer"; content:!"Accept"; reference:url,www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html; reference:md5,5f1e9ae81c6a3797bf16b9ee469dc66a; classtype:command-and-control; sid:2033149; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_17, deployment Perimeter, deployment SSLDecrypt, confidence High, signature_severity Major, tag c2, updated_at 2021_06_17, mitre_tactic_id TA0010, mitre_tactic_name Exfiltration, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)