alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)"; flow:established,to_server; stream_size:server,=,2; content:"|02 0B 01 73 04 0B 01 61 06 56 08 44 0A 1E 00 82 AB 01 40 0D|Authorization|08 03|ns1|99 20|"; fast_pattern; reference:md5,dda288278d0023242afff00556d97d60; reference:url,community.emergingthreats.net/t/lgoogloader-pikabot-redline-rules/597/; classtype:trojan-activity; sid:2046045; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Windows_11, attack_target Client_Endpoint, created_at 2023_05_31, deployment Perimeter, malware_family Stealer, malware_family Redline, malware_family MetaStealer, performance_impact Low, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_12_28, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system; target:src_ip;)