alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Nemesis Admin Panel Inbound"; flow:established,to_client; http.response_body; content:"href|3d 22|Nemmisis|5f|login|5f|files|2f|"; fast_pattern; content:"|3c|title|3e|Log|20|in|3c 2f|title|3e|"; content:"|20|placeholder|3d 22|Username|22|"; content:"placeholder|3d 22|Password|22|"; reference:url,twitter.com/TLP_R3D/status/1647632354926534657; classtype:trojan-activity; sid:2045038; rev:1; metadata:attack_target Client_Endpoint, created_at 2023_04_18, deployment Perimeter, deployment SSLDecrypt, confidence High, signature_severity Major, tag Nemesis, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_04_18;)