alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Kryptik_AGen.DOP C2 Checkin"; flow:established,to_server; dsize:<30; content:"|b7|"; startswith; content:"|b6 ec e0 ec|"; endswith; fast_pattern; threshold:type limit, seconds 30, count 1, track by_src; reference:md5,c8e6cd1fb6f5dfe1ab548024a7f67043; classtype:command-and-control; sid:2054620; rev:1; metadata:attack_target Client_Endpoint, created_at 2024_07_19, deployment Perimeter, malware_family Win32_Kryptik_AGen_DOP, confidence High, signature_severity Major, tag c2, updated_at 2024_07_19, mitre_tactic_id TA0010, mitre_tactic_name Exfiltration, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)