alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"🐾 - 🚨 Suspicious TLS Certificate - Possible 👿 Pikabot 🪟 flow with C2 Server"; flow:to_client, stateless; tls.cert_issuer; content:"C="; pcre:"/C=[A-Z]{2}/"; content:"ST="; fast_pattern; pcre:"/ST=[A-Z]{2}/"; content:"O="; pcre:"/O=[A-Z]{1}[a-z]{1,27} [A-Z]{1}[a-z]{1,27} Inc./"; content:"OU="; content:"L="; content:"CN="; pcre:"/CN=[a-z]{1,35}.[a-z]{2,5}/"; reference:url,https://malpedia.caad.fkie.fraunhofer.de/details/win.pikabot; metadata:attack_target Client_and_Server, signature_severity Major, affected_product Windows_XP_Vista_7_8_10_11_Server_32_64_Bit, mitre_tactic_id TA0011, mitre_tactic_name Command_and_Control, mitre_technique_id T1071.001, mitre_technique_name Application_Layer_Protocol_Web_Protocols, former_category MALWARE, malware_family Pikabot, created_at 2024_01_08, updated_at 2024_02_21; sid:3301113; rev:4; classtype:command-and-control;)