alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET ATTACK_RESPONSE Possible PowerShell AMSI Bypass Inbound"; flow:from_server,established; http.stat_code; content:"200"; http.response_body; content:".Assembly.GetType"; fast_pattern; nocase; content:"|7c 25 7b 5b|char|5d 5b|"; distance:0; within:80; content:"-replace"; nocase; content:"GetField|28|"; nocase; content:"SetValue|28|"; nocase; classtype:misc-attack; sid:2039683; rev:1; metadata:attack_target Client_and_Server, created_at 2022_11_04, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Minor, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_11_04;)