alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [ANY.RUN] Xeno-RAT TCP Keep-Alive"; flow:established,to_server; dsize:21; content:"|11 00 00 00|"; startswith; fast_pattern; content:!"|00|"; within:1; byte_test:1,<,5,0,relative; threshold:type threshold,track by_dst,seconds 30,count 20; reference:md5,cb0a4f14d441666ccb5d0b2f170a2d78; reference:url,app.any.run/tasks/e6be415f-589d-4491-a1cd-abf070510d31; reference:url,github.com/moom825/xeno-rat; reference:url,community.emergingthreats.net/t/xeno-rat/1290; classtype:command-and-control; sid:2050111; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2024_01_17, deployment Perimeter, malware_family XenoRat, confidence Medium, signature_severity Critical, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_13;)