alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Zoho ManageEngine RCE Attempt Inbound (CVE-2022-35405)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/xmlrpc"; http.request_body; content:"<?xml"; content:"<methodCall>"; content:"<serializable|20|"; fast_pattern; content:"|22|>"; base64_decode:offset 0, relative; base64_data; pcre:"/^[\x20-\x7e\r\n]{0,13}[^\x20-\x7e\r\n]/si"; reference:cve,2022-35405; classtype:attempted-admin; sid:2039005; rev:1; metadata:attack_target Server, created_at 2022_09_27, cve CVE_2022_35405, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2022_09_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)