alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Win32/SessionManager Backdoor ReadFile Command (Inbound)"; flow:established,to_server; http.cookie; content:"SM_SESSIONID=ReadFile-"; fast_pattern; reference:url,securelist.com/the-sessionmanager-iis-backdoor/106868/; classtype:trojan-activity; sid:2037218; rev:1; metadata:attack_target Server, created_at 2022_06_30, deployment Perimeter, deployment Internal, malware_family SessionManager, confidence High, signature_severity Major, tag Exploit, updated_at 2022_06_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)