MALWARE [PTsecurity] PowerShell Empire Request HTTP Pattern

SID: 10002268
Rev: 2
Source: ptresearch/attackdetection
Created: November 21, 2017
Updated: November 21, 2017
Classification: trojan-activity
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE [PTsecurity] PowerShell Empire Request HTTP Pattern"; flow:established, to_server; content:"POST"; http_method; content:"HTTP/1.1|0d0a|Cookie: session="; depth:1000; fast_pattern; content:"=|0d0a|User-Agent: "; distance:27; within:400; content:"Host: "; within:400; content:"Content-Length: 462|0d0a|"; within:400; content:!"Referer|3a|"; http_header; content:!"Content-Type: "; http_header; classtype:trojan-activity; metadata:created_at 2017_11_21; reference:url, github.com/ptresearch/AttackDetection; sid:10002268; rev:2;)

Metadata

created at: 2017_11_21
