alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Interactive Reverse Shell Without TTY (Outbound)"; flow:established,to_server; pcre:"/^(?:ba)?sh/"; content:"|3a 20|no|20|job|20|control|20|in|20|this|20|shell"; fast_pattern; within:30; reference:url,pentestmonkey.net/blog/post-exploitation-without-a-tty; reference:url,www.mandiant.com/resources/blog/unc961-multiverse-financially-motivated; classtype:successful-admin; sid:2044751; rev:1; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2023_03_23, deployment Perimeter, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_03_23, reviewed_at 2024_01_26;)