alert http [$HOME_NET,$HTTP_SERVERS] any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Lockbit CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!"."; content:"/?"; content:"&"; content:"="; within:8; http.accept_enc; content:"gzip,|20|deflate,|20|br"; fast_pattern; http.content_type; content:"text/plain"; http.user_agent; pcre:"/(Mozilla\/5\.0\x20\x28Windows\x20NT\x206\.1|AppleWebKit\/587\.38\x20\x28KHTML,\x20like\x20Gecko|Chrome\/91\.0\.4472\.77|Safari\/537\.36|Edge\/91\.0\.864\.37|Firefox\/89\.0|Gecko\/20100101)/"; http.header_names; content:"|0d 0a|Accept|0d 0a|Accept-Encoding|0d 0a|Content-Type|0d 0a|User-Agent|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; startswith; http.request_body; content:"&="; content:"="; base64_decode:offset 0, relative; base64_data; pcre:"/^[\x20-\x7e\r\n]{0,13}[^\x20-\x7e\r\n]/"; classtype:command-and-control; sid:2045316; rev:1; metadata:attack_target Client_Endpoint, created_at 2023_05_04, deployment Perimeter, malware_family LockBit, performance_impact Significant, confidence Medium, signature_severity Major, tag Ransomware, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_05_04, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)