alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE RuPSRAT Command Inbound (Download/Execute GoBayden)"; flow:established,to_client; dsize:<250; content:"powershell|20 2d|Command"; startswith; nocase; content:"|2e|dll|2c|gobayden|27 7d 22|"; endswith; fast_pattern; reference:md5,c6ef634779facf10516f0dd6d0d1757c; reference:url,x.com/JAMESWT_MHT/status/1862048169053364405; classtype:command-and-control; sid:2058116; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Windows_11, attack_target Client_Endpoint, tls_state plaintext, created_at 2024_12_06, deployment Perimeter, malware_family RuPSRAT, confidence High, signature_severity Critical, updated_at 2024_12_06;)