alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Cobalt Strike CnC Activity M1"; flow:established,to_server; http.method; content:"GET"; http.host; pcre:"/^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$/W"; http.user_agent; content:"Mozilla|2f|4|2e|0|20 28|compatible|3b 20|MSIE|20|8|2e|0|3b 20|Windows|20|NT|20|5|2e|1|3b 20|Trident|2f|4|2e|0|3b 20|LBBROWSER|29|"; bsize:74; fast_pattern; http.connection; content:"Keep-Alive"; bsize:10; http.header; content:"Cache|2d|Control|3a 20|no|2d|cache|0d 0a|"; http.header_names; content:"|0d 0a|Accept|0d 0a|Cookie|0d 0a|User-Agent|0d 0a|Host|0d 0a|Connection|0d 0a|Cache-Control|0d 0a 0d 0a|"; bsize:65; http.cookie; pcre:"/^(?:[a-zA-Z0-9\x2f\x2b\x3d]{172})$/"; bsize:172; reference:md5,c0886a12508c65719e3ec8de02c1ba80; reference:url,twitter.com/malwrhunterteam/status/1750138795276566550; classtype:trojan-activity; sid:2050421; rev:1; metadata:attack_target Client_Endpoint, created_at 2024_01_24, deployment Perimeter, malware_family Cobalt_Strike, confidence High, signature_severity Major, updated_at 2024_01_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)