alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Suspected RULER.Hacktool HTML Payload"; flow:established,to_client; file.data; content:"OutlookApplication"; nocase; content:"CreateObject"; nocase; content:"0006F063-0000-0000-C000-000000000046"; nocase; reference:url,www.mandiant.com/resources/overruled-containing-a-potentially-destructive-adversary; reference:url,github.com/sensepost/ruler; classtype:trojan-activity; sid:2035187; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_14, deployment Perimeter, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_02_14;)