alert http any any -> any any (msg:"SHELL [PTsecurity] CobaltStrike"; flow:established, to_server; http.method; content:"POST"; http.uri; content:"/uploads/"; content:".jpg?timestamp="; distance:0; http.header; content:"Accept-Encoding: gzip"; content:"User-Agent: ixwebsocket"; content:"windows ssl"; content:"Content-Type: application/x-www-form-urlencoded"; reference:url, https://www.virustotal.com/gui/file/bd3e5af30087dc60849da000412fb719825c7e06e4f75639b95f188407d26f96/detection; reference:url, rules.ptsecurity.com; classtype:trojan-activity; sid:10011361; rev:3;)