alert dns $HOME_NET any -> any any (msg:"ET MALWARE Suspected Cobalt Strike Beacon Activity (DNS)"; threshold:type both, track by_src, count 3, seconds 5; dns.query; pcre:"/^[a-z0-9]{32}/"; content:".defenderupdateav.com"; endswith; fast_pattern; reference:url,thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/; classtype:trojan-activity; sid:2033817; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_07_06, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_08_27;)