🐾 - 🚨 Suspicious TLS Certificate - Possible 👿 Vidar Stealer 🪟 flow with C2 Server

SID: 3301129
Rev: 3
26 views
Source: pawpatrules
Created: February 14, 2024
Updated: February 21, 2024
Classification: credential-theft
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"🐾 - 🚨 Suspicious TLS Certificate - Possible 👿 Vidar Stealer 🪟 flow with C2 Server"; flow:to_client, stateless; tls.cert_issuer; content:"CN="; fast_pattern; pcre:"/CN=[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/"; content:!"C="; content:!"ST="; content:!"O="; content:!"OU="; content:!"L="; tls.cert_subject; content:"CN="; pcre:"/CN=[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/"; content:!"C="; content:!"ST="; content:!"O="; content:!"OU="; content:!"L="; reference:url,https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar; metadata:attack_target Client_and_Server, signature_severity Major, affected_product Windows_XP_Vista_7_8_10_11_Server_32_64_Bit, mitre_tactic_id TA0006, mitre_tactic_name Credential_Access, former_category MALWARE, malware_family Vidar_Stealer, created_at 2024_02_14, updated_at 2024_02_21; sid:3301129; rev:3; classtype:credential-theft;)
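The rule fires only when both the issuer and the subject distinguished name of the server certificate consist of a bare IPv4 literal in the CN and carry none of the usual C=, ST=, O=, OU= or L= attributes, which is the shape of the self-signed certificates seen on Vidar C2 hosts. The following added example (not part of the pawpatrules project) emulates that buffer logic in Python over constructed DN strings, so a defender can test which certificate DNs the signature would and would not match before deploying it. The dots in the IPv4 pattern are escaped, as an IPv4 literal requires; the helper names and the sample DNs are assumptions.

```python
import re

# Hypothetical emulation of the tls.cert_issuer / tls.cert_subject checks in
# SID 3301129: positive CN= content, IPv4-literal CN via PCRE, and the five
# negated content matches. Suricata applies the same checks to each buffer.
IP_CN = re.compile(r"CN=[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}")
NEGATED = ("C=", "ST=", "O=", "OU=", "L=")


def dn_matches(dn: str) -> bool:
    """True when one DN buffer satisfies every check the rule applies to it."""
    if "CN=" not in dn:              # content:"CN="
        return False
    if not IP_CN.search(dn):         # pcre:"/CN=<ipv4>/"
        return False
    # content:!"C="; content:!"ST="; ... are plain substring negations, so a
    # DN such as "DC=corp, CN=10.0.0.1" is also rejected: "DC=" contains "C=".
    return not any(token in dn for token in NEGATED)


def rule_matches(issuer_dn: str, subject_dn: str) -> bool:
    """The alert requires both the issuer and the subject buffer to match."""
    return dn_matches(issuer_dn) and dn_matches(subject_dn)


# Constructed sample certificates: (issuer DN, subject DN) as Suricata would
# expose them. RFC 5737 documentation addresses are used for the IP literals.
SAMPLE_CERTS = [
    ("CN=203.0.113.10", "CN=203.0.113.10"),                 # self-signed, IP-only CN
    ("C=US, O=Let's Encrypt, CN=R3", "CN=example.com"),     # normal public CA cert
    ("CN=203.0.113.10", "C=US, CN=203.0.113.10"),           # subject carries C=
    ("CN=203.0.113.10", "CN=service.internal"),             # subject CN is a hostname
    ("DC=corp, CN=10.0.0.1", "DC=corp, CN=10.0.0.1"),       # "DC=" trips the C= negation
]


def evaluate(samples=SAMPLE_CERTS):
    """Return [(issuer, subject, would_alert)] for each sample pair."""
    return [(i, s, rule_matches(i, s)) for i, s in samples]


if __name__ == "__main__":
    for issuer, subject, hit in evaluate():
        print(f"{'ALERT ' if hit else 'pass  '} issuer={issuer!r} subject={subject!r}")
```

Only the first constructed pair alerts; the last pair shows that the negated content matches are substring checks, so an internal CA that emits `DC=` components is silently excluded even though its CN is an IP literal.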

Metadata

attack target: Client_and_Server
signature severity: Major
affected product: Windows_XP_Vista_7_8_10_11_Server_32_64_Bit
mitre tactic id: TA0006
mitre tactic name: Credential_Access
former category: MALWARE
malware family: Vidar_Stealer
created at: 2024_02_14
updated at: 2024_02_21
