🐾 - 🚨 Flow to Cryptomining service check - Resource Hijacking - T1496
Source: pawpatrules
Created: September 16, 2024
Updated: September 16, 2024
Classification: command-and-control
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"🐾 - 🚨 Flow to Cryptomining service check - Resource Hijacking - T1496"; flow:to_client, stateless; tls.cert_issuer; content:"O=Mining Pool"; content:"CN=mining.pool"; tls.cert_subject; content:"O=Mining Pool"; content:"CN=mining.pool"; fast_pattern; reference:url,https://attack.mitre.org/techniques/T1496/; reference:url,https://www.onyphe.io/search?q=category%3Adatascan+subject.commonname%3Amining.pool+subject.organization%3A"Mining+Pool"+issuer.commonname%3Amining.pool; metadata:attack_target Server, signature_severity Major, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking, former_category MALWARE, malware_family Cryptominer, created_at 2024_09_16, updated_at 2024_09_16; sid:3321371; rev:1; classtype:command-and-control;)