🐾 - 🚨 Powershell 🌐 (Windows 11 🪟) - TLSv1.3 connection to FQDN

SID: 3301084
Rev: 10
Source: pawpatrules
Created: November 5, 2023
Updated: August 25, 2024
Classification: policy-violation
alert tls $HOME_NET any -> any any (msg:"🐾 - 🚨 Powershell 🌐 (Windows 11 🪟) - TLSv1.3 connection to FQDN"; flow:to_server, stateless; ja3.hash; content:"3c4eb72b882d4d1442c67ce73f1292a9"; fast_pattern; tls_sni; content:!"windows.com"; nocase; endswith; content:!".google"; nocase; endswith; content:!"hpsmart.com"; nocase; endswith; content:!"hp.com"; nocase; endswith; content:!"hpconnected.com"; nocase; endswith; content:!"lenovo.com"; nocase; endswith; content:!"visualstudio.com"; nocase; endswith; content:!"exp-tas.com"; nocase; endswith; content:!"microsoft.com"; nocase; endswith; content:!"azureedge.net"; nocase; endswith; content:!"powershellgallery.com"; nocase; endswith; content:!"msecnd.net"; nocase; endswith; content:!"msedge.net"; nocase; endswith; content:!".ms"; nocase; endswith; content:!".trafficmanager.net"; nocase; endswith; content:!".barco.com"; endswith; nocase; content:!".intel.com"; endswith; nocase; content:!".akamaitechnologies.com"; endswith; nocase; content:!"api.amplitude.com"; endswith; nocase; metadata:former_category JA3; reference:url,https://learn.microsoft.com/en-us/powershell/; metadata:created_at 2023_11_05, updated_at 2024_08_25; sid:3301084; rev:10; classtype:policy-violation;)
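
The rule fires when the JA3 hash of a ClientHello matches the fingerprint above and the SNI does not end, case-insensitively, with one of the negated `endswith` suffixes. JA3 is computed from the cleartext ClientHello, so it is available for TLS 1.3 sessions even though the rest of the handshake is encrypted. The following Python is an added illustration (not code from pawpatrules or Suricata) that replays that logic over a few constructed eve.json-style `tls` records. It also shows the caveat a practitioner should know: `endswith` has no label boundary, so a suffix like `microsoft.com` also suppresses `evilmicrosoft.com`, and `.ms` suppresses every host under that TLD. The `strict` variant is a hypothetical hardening, not what the rule does, and the example assumes a record without an SNI simply does not fire; how Suricata treats negated content on an absent buffer is not asserted here.

```python
"""Replay of the allow-list logic of SID 3301084 over constructed eve.json tls records.

Added illustration only; not part of the pawpatrules project or of Suricata.
"""
import json

# JA3 hash carried by the rule's `ja3.hash; content:"..."` match.
JA3_POWERSHELL_WIN11 = "3c4eb72b882d4d1442c67ce73f1292a9"

# The negated `content:!"..."; nocase; endswith;` suffixes, in rule order.
SNI_ALLOW_SUFFIXES = (
    "windows.com", ".google", "hpsmart.com", "hp.com", "hpconnected.com",
    "lenovo.com", "visualstudio.com", "exp-tas.com", "microsoft.com",
    "azureedge.net", "powershellgallery.com", "msecnd.net", "msedge.net",
    ".ms", ".trafficmanager.net", ".barco.com", ".intel.com",
    ".akamaitechnologies.com", "api.amplitude.com",
)


def sni_is_allowlisted(sni, suffixes=SNI_ALLOW_SUFFIXES):
    """Rule semantics: `endswith` + `nocase` is a plain case-insensitive suffix test.

    There is no label boundary, so "evilmicrosoft.com" satisfies "microsoft.com".
    """
    host = sni.lower()
    return any(host.endswith(suf.lower()) for suf in suffixes)


def sni_is_allowlisted_strict(sni, suffixes=SNI_ALLOW_SUFFIXES):
    """Hypothetical hardening (not the rule's behaviour): a suffix without a
    leading dot must equal the whole host or match at a full label boundary."""
    host = sni.lower()
    for suf in suffixes:
        suf = suf.lower()
        if suf.startswith("."):
            if host.endswith(suf):
                return True
        elif host == suf or host.endswith("." + suf):
            return True
    return False


def rule_matches(record, strict=False):
    """True when SID 3301084 would alert on one decoded eve.json tls record."""
    tls = record.get("tls", {})
    ja3 = tls.get("ja3", {}).get("hash", "")
    sni = tls.get("sni", "")
    if ja3.lower() != JA3_POWERSHELL_WIN11:
        return False
    if not sni:  # assumption: no SNI buffer, no alert
        return False
    check = sni_is_allowlisted_strict if strict else sni_is_allowlisted
    return not check(sni)


def run_detection(lines, strict=False):
    """Apply the rule to raw eve.json lines; return the SNIs that would alert."""
    alerts = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("event_type") != "tls":
            continue
        if rule_matches(rec, strict=strict):
            alerts.append(rec["tls"]["sni"])
    return alerts


def _tls_event(sni, ja3=JA3_POWERSHELL_WIN11, src="10.0.0.5", dst="203.0.113.10"):
    """Build one constructed eve.json tls line (shape only; sample data)."""
    return json.dumps({
        "event_type": "tls", "src_ip": src, "dest_ip": dst, "dest_port": 443,
        "tls": {"sni": sni, "version": "TLS 1.3", "ja3": {"hash": ja3}},
    })


# Constructed sample log, not captured traffic.
SAMPLE_EVE_LINES = [
    _tls_event("www.powershellgallery.com"),         # allow-listed suffix
    _tls_event("login.Microsoft.com"),               # nocase: still allow-listed
    _tls_event("files.example.net"),                 # fires under both variants
    _tls_event("evilmicrosoft.com"),                 # suppressed by the rule, caught by strict
    _tls_event("www.example.com", ja3="0" * 32),     # different client fingerprint: ignored
    _tls_event(""),                                  # no SNI: ignored (assumption)
]

if __name__ == "__main__":
    print("rule semantics :", run_detection(SAMPLE_EVE_LINES))
    print("strict variant :", run_detection(SAMPLE_EVE_LINES, strict=True))
```

The gap between the two outputs is the thing to watch when tuning this rule: every non-dotted suffix in the allow-list is a registrable-domain bypass (`notwindows.com`, `fakehp.com`), and `.ms` and `.google` are whole TLD-level exclusions. Prefixing the suffixes with a dot in the rule itself, or pairing a dotted suffix with an exact-match `content` for the apex, closes that hole without changing the JA3 match.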

Metadata

former category: JA3
