alert tcp any any -> any 443 (msg:"ET MALWARE [ANY.RUN] BACKDOOR [ANY.RUN] ToneShell FakeTLS Check-In (APT Mustang Panda / Earth Preta) M2"; flow:established,to_server; dsize:271<>337; stream_size:server, =, 1; stream_size:client, >, 272; stream_size:client, <, 337; content:"|17 03 03 01|"; depth:5; byte_test:1, >, 15, 0, relative; byte_test:1, <, 49, 0, relative; content:"|01|"; offset:5; depth:256; byte_test:1, =, 1, 15, relative; byte_test:1, =, 1, 31, relative; reference:url,community.emergingthreats.net/t/toneshell-rules/1328; reference:md5,7e8f8043fe50cb6ce19b41a6e979a02f; reference:url,community.emergingthreats.net/t/toneshell-rules/1328; reference:url,app.any.run/tasks/6d271aa7-302c-4f3b-8cde-2fade4caa2f6; classtype:command-and-control; sid:2050598; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2024_01_30, deployment Perimeter, malware_family Toneshell, confidence Medium, signature_severity Major, tag TA416, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_01_30;)