alert tcp any any -> $HOME_NET any (msg:"ET HUNTING ConnectWise ScreenConnect Revoked Code Signing Certificate M2"; flow:established,to_client; content:"Connectwise, LLC"; content:"|30 82 07 60 30 82 05 48 A0 03 02 01 02 02 10 0F C8 90 21 8E BC 1B 3C 4B 85 21 F6 55 97 93 71|"; fast_pattern; reference:url,www.gdatasoftware.com/blog/2025/06/38218-connectwise-abuse-malware; classtype:bad-unknown; sid:2063280; rev:1; metadata:attack_target Client_Endpoint, created_at 2025_07_03, deployment Perimeter, deployment Internal, confidence High, signature_severity Minor, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_07_03, mitre_tactic_id TA0005, mitre_tactic_name Defense_Evasion, mitre_technique_id T1036, mitre_technique_name Masquerading; target:dest_ip;)