alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (CobaltStrike CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=netfoundationmtgcorp.com"; nocase; endswith; reference:md5,9845a9edb7484874171c80e3cb26135d; reference:url,twitter.com/benkow_/status/1437376463305596929; classtype:domain-c2; sid:2033951; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_15, deployment Perimeter, malware_family Cobalt_Strike, confidence High, signature_severity Major, updated_at 2021_09_15, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)