alert tcp any $HTTP_PORTS -> any any (msg:"🐾 - 🔥👁 FireEye - Backdoor.HTTP.BEACON.[CSBundle Original Stager 2]"; content:"HTTP/1."; depth:7; content:"Content-Type: text/json|0d 0a|"; content:"Server: Microsoft-IIS/10.0|0d 0a|"; content:"X-Powered-By: ASP.NET|0d 0a|"; content:"Cache-Control: no-cache, no-store, max-age=0, must-revalidate|0d 0a|"; content:"Pragma: no-cache|0d 0a|"; content:"X-Frame-Options: SAMEORIGIN|0d 0a|"; content:"Connection: close|0d 0a|"; content:"Content-Type: image/gif"; content:"|01 00 01 00 00 02 01 44 00 3b|"; content:"|ff ff ff 21 f9 04 01 00 00 00 2c 00 00 00 00|"; content:"|47 49 46 38 39 61 01 00 01 00 80 00 00 00 00|"; reference:url,https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html; reference:url,https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html; reference:url,https://github.com/fireeye/red_team_tool_countermeasures; metadata:created_at 2020_12_11, updated_at 2020_12_11; sid:3309560; rev:1; classtype:trojan-activity;)