alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE LNK/Sherlock Stealer Payload Inbound"; flow:established,to_client; http.response_body; content:"|22|cmd|22 27 27|debts|2c 20|if|20|we|20|do|20|nothing|20|more|2e|"; fast_pattern; content:"GetObject|28 22|winmgmts|3a 5c 5c 2e 5c|root|5c|cimv2|22 29 27 27|"; content:"|3d 22|WINHTTP|2e|WinHTTPRequest"; reference:md5,104765f3f4ea0c1f03fbded432d9a6b8; reference:url,twitter.com/naumovax/status/1709967135139672194; classtype:trojan-activity; sid:2048463; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2023_10_05, deployment Perimeter, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_10_05;)