alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Shady RAT Retrieve and Execute Command"; flow:established,from_server; flowbits:isset,et.shadyratinit; content:"http|3a|{"; content:"}.exe"; within:50; reference:url,www.symantec.com/connect/blogs/truth-behind-shady-rat; classtype:trojan-activity; sid:2013655; rev:2; metadata:created_at 2011_09_15, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2019_07_26;)