MALWARE [PTsecurity] PowerShell Empire stager receive over HTTP

SID: 10002269
Rev: 1
Source: ptresearch/attackdetection
Created: November 22, 2017
Updated: November 22, 2017
Classification: trojan-activity
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE [PTsecurity] PowerShell Empire stager receive over HTTP"; flow:established, to_client; content:"200"; http_stat_code; content:"If($PSVersionTable.PSVersion.Major -ge 3){"; http_server_body; nocase; depth:1000; content:"$GPS=[ref].Assembly.GetType("; http_server_body; nocase; within:100; content:"System.Management.Automation.Utils"; http_server_body; within:100; threshold:type limit, track by_src, count 1, seconds 30; classtype:trojan-activity; metadata:created_at 2017_11_22; reference:url, github.com/ptresearch/AttackDetection; sid:10002269; rev:1;)

Metadata

created at: 2017_11_22
