alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT [TW] EXPLOIT Possible MMC Remote Command Execution"; flow:established,to_client; flowbits:isset,TW.MS.MSIE7; http.stat_code; content:"200"; http.response_body; content:"<script"; nocase; content:"external.ExecuteShellCommand"; nocase; fast_pattern; distance:0; reference:md5,b510f48b9ac735a197093ad5fb99b0ee; classtype:bad-unknown; sid:2053706; rev:1; metadata:attack_target Client_and_Server, tls_state TLSEncrypt, created_at 2024_06_17, deployment Perimeter, deprecation_reason Performance, performance_impact Moderate, confidence Low, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_06_18, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1189, mitre_technique_name Drive_by_Compromise; target:dest_ip;)