
OMIGOD HTTP No Authentication RCE

Sigma Rules

Summary
This rule detects attempts to exploit OMIGOD (CVE-2021-38647), a critical vulnerability in the OMI (Open Management Infrastructure) service that allows remote code execution (RCE) through unauthenticated HTTP requests. When exploitation succeeds, the attacker's commands run as root, which poses a significant security risk. The rule monitors HTTP POST requests to the '/wsman' endpoint and matches when the response status code is 200 (a successful response), no authentication header is present, and the request body is not trivially small (i.e., its length is greater than zero); together these conditions indicate that code was likely executed. Investigators should examine the contents of the request body and correlate it with host logs to identify suspicious activity or commands that may have been executed. To implement this detection, the built-in Zeek script for logging HTTP header names must be enabled. The rule aims to capture successful exploitation attempts and offers guidance for manual investigation when a match occurs.
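The matching logic the summary describes, as an added Python example that is not the rule's own code or part of Zeek: it runs over constructed Zeek http.log records in JSON form and assumes the client_header_names field that Zeek's header-names.zeek script adds (header names are logged uppercased).

```python
import json

# Constructed sample Zeek http.log records (JSON output), not taken from the page.
# Only the fields the detection needs are included. C1 is the only record that
# satisfies all four conditions; C2 carries an Authorization header, C3 was
# rejected with 401, C4 is a GET with an empty body.
SAMPLE_HTTP_LOG = """
{"ts":1632100000.1,"uid":"C1","id.orig_h":"10.0.0.5","id.resp_h":"10.0.0.9","id.resp_p":5986,"method":"POST","uri":"/wsman","status_code":200,"request_body_len":812,"client_header_names":["HOST","CONTENT-TYPE","CONTENT-LENGTH"]}
{"ts":1632100001.2,"uid":"C2","id.orig_h":"10.0.0.6","id.resp_h":"10.0.0.9","id.resp_p":5986,"method":"POST","uri":"/wsman","status_code":200,"request_body_len":790,"client_header_names":["HOST","AUTHORIZATION","CONTENT-TYPE"]}
{"ts":1632100002.3,"uid":"C3","id.orig_h":"10.0.0.7","id.resp_h":"10.0.0.9","id.resp_p":5986,"method":"POST","uri":"/wsman","status_code":401,"request_body_len":500,"client_header_names":["HOST","CONTENT-TYPE"]}
{"ts":1632100003.4,"uid":"C4","id.orig_h":"10.0.0.8","id.resp_h":"10.0.0.9","id.resp_p":5986,"method":"GET","uri":"/wsman","status_code":200,"request_body_len":0,"client_header_names":["HOST"]}
"""


def is_omigod_candidate(rec: dict) -> bool:
    """Return True when an http.log record matches the rule's four conditions:
    POST to /wsman, status 200, no authentication header, non-empty body."""
    if rec.get("method") != "POST":
        return False
    # Compare the path only, ignoring any query string Zeek keeps in 'uri'.
    if rec.get("uri", "").split("?", 1)[0] != "/wsman":
        return False
    if rec.get("status_code") != 200:
        return False
    if rec.get("request_body_len", 0) <= 0:
        return False
    # header-names.zeek logs names uppercased; normalise anyway to be safe.
    headers = {h.upper() for h in rec.get("client_header_names", [])}
    return "AUTHORIZATION" not in headers


def scan_http_log(text: str) -> list:
    """Scan JSON-lines http.log content and return the uids of matching records."""
    hits = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if is_omigod_candidate(rec):
            hits.append(rec["uid"])
    return hits


if __name__ == "__main__":
    for uid in scan_http_log(SAMPLE_HTTP_LOG):
        print(f"OMIGOD candidate: connection {uid}, inspect request body and host logs")
```

Each reported uid can be joined back to conn.log and files.log to recover the request body for the manual review the summary recommends.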
Categories
  • Endpoint
  • Cloud
  • Infrastructure
Data Sources
  • Web Credential
  • Network Traffic
  • Application Log
Created: 2021-09-20