zeek/scripts/policy/frameworks/signatures/detect-windows-shells.sig

signature windows_reverse_shell {
  ip-proto == tcp
  tcp-state established,originator
  event "ATTACK-RESPONSES Microsoft cmd.exe banner (reverse-shell originator)"
  payload /.*Microsoft Windows.*\x28C\x29 Copyright 1985-.*Microsoft Corp/
}

signature windows_shell {
  ip-proto == tcp
  tcp-state established,responder
  event "ATTACK-RESPONSES Microsoft cmd.exe banner (normal-shell responder)"
  payload /.*Microsoft Windows.*\x28C\x29 Copyright 1985-.*Microsoft Corp/
}