alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET HUNTING Possible REvil 0day Exploitation Activity Inbound"; flow:established,to_server; content:"|0a|procCreate|28 22|Archive"; content:"procStep|28|"; distance:0; within:50; content:"+++SQLCMD|3a 22|+"; distance:0; within:100; content:"|22|DELETE|20|FROM"; reference:url,blog.truesec.com/2021/07/04/kaseya-supply-chain-attack-targeting-msps-to-deliver-revil-ransomware/; classtype:bad-unknown; sid:2033236; rev:1; metadata:created_at 2021_07_05, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_07_05;)