alert tcp any any -> any any (msg:"🐾 - 🚨 Meterpreter C2 session over TCP established from Windows 🪟 - TA0011"; flow:to_server, stateless; threshold:type limit, track by_src,count 1, seconds 50; content:"|2a b4 ef 55|"; startswith; content:"|2a b4 ef 54 2a b4 ef|"; fast_pattern; distance:16; dsize:<300; reference:url,https://attack.mitre.org/tactics/TA0011/; reference:url,https://www.metasploit.com/; target:src_ip; metadata:attack_target Client_and_Server, signature_severity Major, affected_product Windows_XP_Vista_7_8_10_11_Server_32_64_Bit, mitre_tactic_id TA0011, mitre_tactic_name Command_and_Control, mitre_technique_id T1071.001, mitre_technique_name Application_Layer_Protocol_Web_Protocols, former_category MALWARE, malware_family Metasploit, created_at 2024_07_25, updated_at 2024_07_29; sid:3321307; rev:15; classtype:command-and-control;)