alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Possible Storm-0978 CVE-2023-36884 Exploitation Attempt M1"; flow:established,to_server; flowbits:set,ET.CVE-2023-36884.Storm-0978; http.method; content:"GET"; http.uri; content:"/MSHTML_"; content:"/start.xml"; fast_pattern; endswith; reference:url,blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit; reference:cve,2023-36884; classtype:attempted-admin; sid:2046810; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2023_07_12, cve CVE_2023_36884, deployment Perimeter, performance_impact Low, confidence Low, signature_severity Major, tag Storm_0978, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_08_02, reviewed_at 2023_10_06; target:src_ip;)