alert tcp any any -> $HOME_NET any (msg:"ET HUNTING ConnectWise ScreenConnect Revoked Code Signing Certificate M1"; flow:established,to_client; content:"Connectwise, LLC"; content:"|30 82 07 60 30 82 05 48 A0 03 02 01 02 02 10 0B 93 60 05 1B CC F6 66 42 99 89 98 D5 BA 97 CE|"; fast_pattern; reference:url,www.gdatasoftware.com/blog/2025/06/38218-connectwise-abuse-malware; classtype:bad-unknown; sid:2063279; rev:1; metadata:attack_target Client_Endpoint, created_at 2025_07_03, deployment Perimeter, deployment Internal, confidence High, signature_severity Minor, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_07_03, mitre_tactic_id TA0005, mitre_tactic_name Defense_Evasion, mitre_technique_id T1036, mitre_technique_name Masquerading; target:dest_ip;)