alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Suspected HrServ Webshell Related Activity M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/FC4B97EB-2965-4A3B-8BAD-B8172DE25520/"; startswith; fast_pattern; content:"&cp="; distance:0; pcre:"/^[0247]/R"; content:"&client="; within:8; content:"&xssi="; distance:0; content:"&hl="; distance:0; content:"&authuser="; distance:0; content:"&pq="; distance:0; reference:url,securelist.com/hrserv-apt-web-shell/111119/; reference:md5,d0fe27865ab271963e27973e81b77bae; classtype:trojan-activity; sid:2050028; rev:1; metadata:affected_product Microsoft_IIS, attack_target Web_Server, created_at 2024_01_12, deployment Perimeter, confidence Medium, signature_severity Major, tag WebShell, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_01_12, mitre_tactic_id TA0003, mitre_tactic_name Persistence, mitre_technique_id T1505, mitre_technique_name Server_Software_Component; target:dest_ip;)