🐾 - 🚨 Powershell command in DNS CNAME answer 🥷 - T1059.001

SID: 3321480
Rev: 4
Views: 30
Source: pawpatrules
Created: February 18, 2026
Updated: February 18, 2026
Classification: trojan-activity
alert dns any any -> any any (msg:"🐾 - 🚨 Powershell command in DNS CNAME answer 🥷 - T1059.001"; flow:to_client, stateless; content:"|c0 0c 00 05 00 01 00 00 00 3c 00|"; content:"|70 6f 77 65 72 73 68 65 6c 6c|"; distance:2; content:"|65 78 65|"; distance:1; reference:url,https://attack.mitre.org/techniques/T1059/001/; reference:url,https://x.com/msftsecintel/status/2022456612120629742; metadata:created_at 2026_02_18, updated_at 2026_02_18, signature_severity Major, attack_target Client_Endpoint, affected_product Windows_XP_Vista_7_8_10_11_Server_32_64_Bit, mitre_tactic_id TA0002, mitre_tactic_name Execution, mitre_technique_id T1048, mitre_technique_name Command_and_Scripting_Interpreter_PowerShell; sid:3321480; rev:4; classtype:trojan-activity;)

Metadata

created at: 2026_02_18
updated at: 2026_02_18
signature severity: Major
attack target: Client_Endpoint
affected product: Windows_XP_Vista_7_8_10_11_Server_32_64_Bit
mitre tactic id: TA0002
mitre tactic name: Execution
mitre technique id: T1048
mitre technique name: Command_and_Scripting_Interpreter_PowerShell
