alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE WebDAV Retrieving .zip from .url M2 (CVE-2023-36025)"; flow:established,to_client; flowbits:isset,ET.WebDAVURL; http.stat_code; content:"200"; file.data; content:"[InternetShortcut]"; fast_pattern; content:".zip"; distance:0; reference:url,msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36025; reference:url,vulnera.com/newswire/windows-zero-day-cve-2023-36025-vulnerability-poc-exploit-published-by-researchers; reference:cve,2023-36025; classtype:trojan-activity; sid:2049320; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2023_11_28, cve CVE_2023_36025, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence Low, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_06_15, reviewed_at 2024_10_14;)