alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT Related URI in HTTP Request"; flow:established,to_server; http.uri; content:"/crowdstrike/update.zip"; fast_pattern; http.host; content:!"crowdstrike.org"; startswith; isdataat:!1,relative; content:!"crowdstrike.com"; startswith; isdataat:!1,relative; content:!"cloudsink.net"; startswith; isdataat:!1,relative; content:!"crowdstrike.com.au"; startswith; isdataat:!1,relative; content:!"crowdstrike.co.uk"; startswith; isdataat:!1,relative; content:!".crowdstrike.org"; endswith; content:!".crowdstrike.com"; endswith; content:!".cloudsink.net"; endswith; content:!".crowdstrike.com.au"; endswith; content:!".crowdstrike.co.uk"; endswith; reference:url,crowdstrike.com/falcon-content-update-remediation-and-guidance-hub/; classtype:trojan-activity; sid:2054642; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, tls_state TLSDecrypt, created_at 2024_07_22, deployment Perimeter, deployment SSLDecrypt, deprecation_reason Age, confidence High, signature_severity Major, updated_at 2025_04_15, reviewed_at 2025_04_15;)