alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Suspected Generic Webshell Activity (Outbound)"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"|20|id=|22|L_p|22|"; content:"Program</span>"; distance:0; content:"|22|xpath|22 20|type=|22|text|22 20|value=|22|c|3a 5c|windows|5c|system32|5c|cmd.exe|22|"; fast_pattern; content:"|22|xcmd|22 20|type=|22|text|22 20|value=|22|/c net user|22 20|id=|22|xcmd|22|"; distance:0; reference:md5,e3af60f483774014c43a7617c44d05e7; reference:url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/witchetty-steganography-espionage; classtype:web-application-attack; sid:2039079; rev:1; metadata:attack_target Web_Server, created_at 2022_10_03, deployment Perimeter, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_10_03;)