alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE PeakLight/Emmenhtal Loader Payload Delivery WebPage Observed"; flow:established,to_client; http.response_body; content:"|3c|title|3e|"; pcre:"/^[A-Z0-9]{14,20}\x3c\x2ftitle\x3e[\r\n]/R"; content:"crumb|3d|location|3a 5c 5c|"; pcre:"/query\x3d(?<title>[A-Z0-9]{14,20}).+\x5cDavWWWRoot\x5c(?P>title).+\x3e(?P=title)\x20\x3c\x2fa\x3e\x3c\x2fp\x3e/"; content:"|3c 2f|body|3e 3c 2f|html|3e 00 00 00 00 00 00 00 00|"; fast_pattern; content:"|00 00 00 00 00 00 00 00|"; endswith; reference:url,app.any.run/tasks/e2875d7e-7c85-4033-9508-4e986d598e2a; classtype:trojan-activity; sid:2058179; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Windows_11, attack_target Client_Endpoint, tls_state TLSDecrypt, created_at 2024_12_11, deployment Perimeter, deployment SSLDecrypt, malware_family PeakLight, malware_family Emmenhtal, confidence High, signature_severity Major, updated_at 2024_12_11;)