alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Request for Webshell in .well-known directory"; flow:established,to_server; http.uri; content:"/.well-known/"; fast_pattern; startswith; pcre:"/^.*?\x2e(?:php|cfm|cgi|asp|aspx|jsp|rb|sh|p[yl])/R"; http.user_agent; content:!"let|27|s encrypt validation server"; nocase; reference:url,url,isc.sans.edu/diary/32320; classtype:misc-attack; sid:2064917; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, tls_state plaintext, created_at 2025_09_25, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2026_02_18, mitre_tactic_id TA0010, mitre_tactic_name Exfiltration, mitre_technique_id T1567, mitre_technique_name Exfiltration_Over_Web_Service; target:dest_ip;)