alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AsyncRAT)"; flow:established,to_client; tls.cert_subject; content:"CN=DcRat Server"; fast_pattern; endswith; tls.cert_issuer; content:"O=DcRat By"; reference:url,twitter.com/Yeti_Sec/status/1650862013047009285/; classtype:domain-c2; sid:2045183; rev:1; metadata:attack_target Client_Endpoint, created_at 2023_04_25, deployment Perimeter, malware_family AsyncRAT, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_04_25;)