alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 (Amazon Profile)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/s/ref=nb_sb_noss_1"; startswith; http.cookie; content:"skin|3d|noskin|3b|session|2d|token|3d|"; startswith; content:"|3d|csm|2d|hit|3d|s|2d|24KU11BB82RZSYGJ3BDK|7c|1419899012996"; endswith; fast_pattern; reference:url,github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/amazon.profile; reference:md5,1a6ea185317ad4e5b8695e5a7d979f24; classtype:trojan-activity; sid:2055356; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, tls_state TLSDecrypt, created_at 2024_08_20, deployment Perimeter, deployment SSLDecrypt, malware_family Cobalt_Strike, confidence High, signature_severity Critical, updated_at 2024_08_20, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)