alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"|2e|cmd|7b|background|2d|color|3a 23|000|3b|color|3a 23|FFF"; content:"|3c|input|20|name|3d 27|postpass|27 20|type|3d 27|password|27 20|size|3d 27|22|27 3e 20 3c|input|20|type|3d 27|submit|27 20|value|3d|"; nocase; distance:0; fast_pattern; classtype:web-application-attack; sid:2034439; rev:1; metadata:attack_target Server, created_at 2021_11_12, deployment Perimeter, confidence Medium, signature_severity Major, tag WebShell, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_11_12, mitre_tactic_id TA0003, mitre_tactic_name Persistence, mitre_technique_id T1505, mitre_technique_name Server_Software_Component;)