alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING HTTP Request to transfer .sh via Powershell"; flow:established,to_server; http.method; content:"GET"; http.host; content:"transfer.sh"; startswith; http.user_agent; content:"WindowsPowerShell/"; fast_pattern; reference:md5,2c22fe7e29b78bd30abda6f9022c421d; classtype:bad-unknown; sid:2045269; rev:1; metadata:attack_target Client_Endpoint, created_at 2023_05_01, deployment Perimeter, deployment SSLDecrypt, confidence High, signature_severity Informational, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_05_01;)