alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET INFO Suspicious Batch Script - Allow Inbound RDP Rule Set in Windows Firewall"; flow:established,to_client; http.stat_code; content:"200"; http.response_body; content:"|0a|netsh"; nocase; content:"advfirewall|20|firewall|20|add|20|rule"; nocase; content:"|20|dir=in"; nocase; content:"|20|action=allow"; nocase; content:"|20|protocol=TCP"; nocase; content:"|20|localport=3389"; nocase; fast_pattern; pcre:"/^netsh(?:.*?(?:dir|action|protocol)=.*?){3}.*?localport=3389/mi"; classtype:misc-activity; sid:2058342; rev:1; metadata:attack_target Client_and_Server, created_at 2024_12_17, deployment Perimeter, deployment Internal, confidence High, signature_severity Informational, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_12_17;)