alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"🐾 - 🚨 Suspicious TLS Certificate - Possible 👿 QakBot / Qbot / Pikabot 🪟 flow with C2 Server"; flow:to_client, stateless; tls.cert_subject; content:"C="; pcre:"/C=[A-Z]{2}/"; content:"OU="; pcre:"/OU=[a-zA-Z\t.]{3,35}/"; content:"CN="; pcre:"/CN=[a-z]{1,35}.[a-z]{2,5}/"; tls.cert_issuer; content:"C="; pcre:"/C=[A-Z]{2}/"; content:"ST="; fast_pattern; pcre:"/ST=[A-Z]{2}/"; content:"L="; pcre:"/L=[a-zA-Z\t.]{3,35}/"; content:"O="; pcre:"/O=[a-zA-Z\t.]{3,35}/"; content:"CN="; pcre:"/CN=[a-z]{1,35}.[a-z]{2,5}/"; reference:url,https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot; reference:url,https://malpedia.caad.fkie.fraunhofer.de/details/win.pikabot; metadata:attack_target Client_and_Server, signature_severity Major, affected_product Windows_XP_Vista_7_8_10_11_Server_32_64_Bit, mitre_tactic_id TA0011, mitre_tactic_name Command_and_Control, mitre_technique_id T1071.001, mitre_technique_name Application_Layer_Protocol_Web_Protocols, former_category MALWARE, malware_family QakBot, created_at 2024_01_11, updated_at 2024_03_07; sid:3301116; rev:8; classtype:command-and-control;)