alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Possible Storm-0978 CVE-2023-36884 Exploitation Attempt M2"; flow:established,to_server; flowbits:isset,ET.CVE-2023-36884.Storm-0978; http.method; content:"GET"; http.uri; content:"/MSHTML_"; content:".asp?d="; fast_pattern; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}_[a-f0-9]{5}_/R"; reference:url,blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit; reference:cve,2023-36884; classtype:attempted-admin; sid:2046811; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2023_07_12, cve CVE_2023_36884, deployment Perimeter, performance_impact Low, confidence Low, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_08_02, reviewed_at 2023_10_06; target:src_ip;)