alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"TOOLS [PTsecurity] Empire"; flow:established, to_client; content:"200"; http_stat_code; content:"If($PSVersionTable.PSVersion.Major -ge 3){"; http_server_body; nocase; depth:1000; content:"$GPS=[ref].Assembly.GetType("; http_server_body; nocase; within:100; content:"System.Management.Automation.Utils"; http_server_body; within:100; reference:url, https://www.hybrid-analysis.com/sample/cbf244479304572782de8ab375671da632012777c7bcf0b0e252958bff03dca4/?environmentId=100; reference:url, rules.ptsecurity.com; classtype:trojan-activity; sid:10002269; rev:7;)