alert tcp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"ET MALWARE ZhCAT.HackTool Operation Cleaver HTTP CnC Beacon"; flow:established,to_server; content:"POST file.php HTTP/1."; depth:21; content:"|20 28 20|compatible"; fast_pattern; reference:url,www.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:command-and-control; sid:2019943; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_12_16, deployment Perimeter, signature_severity Major, tag c2, updated_at 2019_10_08, mitre_tactic_id TA0010, mitre_tactic_name Exfiltration, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)