alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible PowerShell Empire Activity Outbound"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/"; depth:1; pcre:"/^(?:login\/process|admin\/get|news)\.php$/R"; http.user_agent; content:"Mozilla|2f|5.0|20 28|Windows|20|NT|20|6.1"; http.cookie; content:"session="; pcre:"/^(?:[A-Z0-9+/]{4})*(?:[A-Z0-9+/]{2}==|[A-Z0-9+/]{3}=|[A-Z0-9+/]{4})$/Ri"; http.start; content:".php|20|HTTP|2f|1.1|0d 0a|Cookie|3a 20|session="; fast_pattern; http.header_names; content:!"Referer"; content:!"Cache"; content:!"Accept"; classtype:trojan-activity; sid:2027512; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_06_24, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Major, tag PowerShell_Empire, tag T1086, updated_at 2020_08_31;)