alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Supershell C2 Login Page"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"|3c|title|3e|Supershell|20 2d 20 e7 99 bb e5 bd 95 3c 2f|title|3e|"; distance:0; fast_pattern; content:"|22|javascript|3a|show|5f|password|28 29 3b 22|"; distance:0; content:"onclick|3d 22|login|28 29 3b 22|"; distance:0; content:"login_enter_listen()"; distance:0; reference:url,github.com/tdragon6/Supershell; reference:url,urlscan.io/result/2361de43-82dc-4d3b-84a8-5449331ad348; classtype:command-and-control; sid:2058131; rev:1; metadata:attack_target Client_Endpoint, tls_state TLSDecrypt, created_at 2024_12_07, deployment Perimeter, deployment SSLDecrypt, confidence High, signature_severity Major, tag c2, updated_at 2024_12_07, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)