alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Suspected Reverse Shell Connection"; flow:established,to_server; content:"Microsoft|20|Windows|20|"; content:"|5b|Version|20|"; distance:0; content:"|5d|"; content:"|20|Microsoft|20|Corp"; fast_pattern; content:"|43 3a 5c|"; content:"|3e|"; content:!"Host"; reference:url,github.com/eset/malware-ioc/tree/master/donot; reference:url,www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/; reference:md5,039d8e77b65faae44d5e7e39d4cc9c59; classtype:trojan-activity; sid:2034945; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_01_19, deployment Perimeter, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_12_26;)