alert udp any 5353 -> 224.0.0.251 5353 (msg:"🐾 - 🚨 MDNS protocol 🤕 in use - Multicast query observed"; flow:to_server, stateless; threshold:type limit, track by_src,count 1, seconds 43200; content:"|00 00 00 00 00 01 00 00 00 00 00 00|"; fast_pattern; content:!"|5f 74 63 70|"; content:!"|77 70 61 64 05 6c 6f 63 61 6c|"; content:!"|5f 75 64 70|"; content:!"|5f 6d 69 63 72 6f 73 6f 66 74 5f 6d 63 63 04 5f 74 63 70 05 6c 6f 63 61 6c|"; reference:url,https://attack.mitre.org/techniques/T1557/001/; reference:url,https://attack.mitre.org/software/S0174/; reference:url,https://www.thewindowsclub.com/disable-netbios-and-llmnr-protocols-via-gpo; metadata:created_at 2023_03_20, updated_at 2025_01_05; sid:3300149; rev:8; classtype:policy-violation;)