alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET DELETED Possible WebShell Access Inbound [upload] M2 (CISA AA21-259A)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"&act=upload"; fast_pattern; content:"?path="; content:"&context="; reference:url,us-cert.cisa.gov/ncas/alerts/aa21-259a; classtype:attempted-user; sid:2034010; rev:2; metadata:attack_target Server, created_at 2021_09_22, deployment Perimeter, signature_severity Major, tag WebShell, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_12_03, mitre_tactic_id TA0003, mitre_tactic_name Persistence, mitre_technique_id T1505, mitre_technique_name Server_Software_Component;)