alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE UAC-0114/Winter Vivern Redirect"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"error.jsp?errCode="; http.uri.raw; content:"|25 36 39 25 36 36 25 32 38 25 32 31 25 36 34 25 36 66 25 36 33 25 37 35 25 36 64 25 36 35 25 36 65 25 37 34 25 32 65 25 36 37 25 36 35 25 37 34 25 34 35 25 36 63 25 36 35 25 36 64 25 36 35 25 36 65 25 37 34 25 34 32 25 37 39 25 34 39 25 36 34 25 32 38 25 32 32|"; fast_pattern; content:"|25 37 62 25 37 37 25 36 39 25 36 65 25 36 34 25 36 66 25 37 37 25 32 65 25 37 38 25 33 64 25 36 34 25 36 66 25 36 33 25 37 35 25 36 64 25 36 35 25 36 65 25 37 34 25 32 65 25 36 33 25 37 32 25 36 35 25 36 31 25 37 34 25 36 35 25 34 35 25 36 63 25 36 35 25 36 64 25 36 35 25 36 65 25 37 34 25 32 38 25 32 37 25 37 33 25 36 33 25 37 32 25 36 39 25 37 30 25 37 34 25 32 37 25 32 39 25 33 62 25 37 37 25 36 39 25 36 65 25 36 34 25 36 66 25 37 37 25 32 65 25 37 38 25 32 65 25 36 39 25 36 34 25 33 64 25 32 32|"; classtype:credential-theft; sid:2044164; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2023_02_09, deployment Perimeter, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_02_09;)