ET EXPLOIT Microsoft OMI RCE Exploit Attempt (CVE-2021-38647) M1

SID: 2033952
Rev: 2
Source: et/open
Created: September 15, 2021
Updated: September 15, 2021
Classification: attempted-admin
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Microsoft OMI RCE Exploit Attempt (CVE-2021-38647) M1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/wsman"; http.header_names; content:!"|0d 0a|Authorization|0d 0a|"; http.content_type; content:"application/soap+xml"; http.request_body; content:"|3c|p|3a|ExecuteScript"; fast_pattern; nocase; content:"|3c|p|3a|Script|3e|"; nocase; reference:url,attackerkb.com/topics/08O94gYdF1/cve-2021-38647; reference:url,msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38647; reference:url,www.wiz.io/blog/secret-agent-exposes-azure-customers-to-unauthorized-code-execution; reference:cve,2021-38647; classtype:attempted-admin; sid:2033952; rev:2; metadata:affected_product HTTP_Server, attack_target Server, created_at 2021_09_15, cve CVE_2021_38647, deployment Perimeter, deployment Internet, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_09_15;)

Metadata

affected product: HTTP_Server
attack target: Server
created at: 2021_09_15
deployment: SSLDecrypt
performance impact: Low
confidence: High
signature severity: Major
tag: Description_Generated_By_Proofpoint_Nexus
updated at: 2021_09_15
