
Summary
This detection rule identifies activity consistent with the Empire post-exploitation framework by matching the user agent string and URI paths that Empire agents use by default when talking to their HTTP listener. It inspects proxy logs and flags POST requests whose user agent is exactly the Internet Explorer 11 string Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko and whose URI path is one of the paths associated with Empire agents (e.g., /admin/get.php, /news.php, /login/process.php). The rule restricts matches to POST requests, the method an Empire agent uses to send task output back to its listener; a hit maps to the Command and Control and Defense Evasion tactics. Because the rule depends on a narrow set of static indicators, it produces false positives when legitimate clients send requests with the same user agent to the same paths, and it will miss an operator who has changed the listener's default profile, so hits should be corroborated with the request pattern (periodic POSTs from one source to the same external host) rather than treated as conclusive on their own.
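The matching logic described above, run over a few constructed proxy log lines, as an added example that is not part of the original rule. The pipe-separated log layout (timestamp, client, method, URL, status, user agent), the function names and the sample traffic are all assumptions for this illustration; the user agent and URI path values are the ones the summary lists. The example matches on the URL path component rather than the whole URL, so a query string does not defeat the comparison, and it adds a per-client roll-up that a reviewer would want when triaging the false positives the summary warns about.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Default Empire HTTP listener indicators quoted in the rule summary.
EMPIRE_USER_AGENT = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
EMPIRE_URI_PATHS = {"/admin/get.php", "/news.php", "/login/process.php"}

# Constructed sample proxy log (not real traffic). Assumed layout, one event
# per line: timestamp|client|method|url|status|user_agent
SAMPLE_LOG = """\
2020-07-13T10:01:02Z|10.0.0.5|POST|http://203.0.113.10/admin/get.php|200|Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
2020-07-13T10:01:07Z|10.0.0.5|GET|http://203.0.113.10/news.php|200|Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
2020-07-13T10:02:11Z|10.0.0.7|POST|http://intranet.example/login/process.php|302|Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/84.0
2020-07-13T10:03:45Z|10.0.0.9|POST|http://203.0.113.10/login/process.php?id=1|200|Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
2020-07-13T10:04:00Z|10.0.0.5|POST|http://cdn.example/assets/app.js|200|Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
"""


def parse_proxy_log(text):
    """Yield one event dict per non-empty line of the assumed log layout."""
    for line in text.splitlines():
        if not line.strip():
            continue
        # maxsplit=5 keeps any '|' that might appear inside the user agent.
        ts, client, method, url, status, user_agent = line.split("|", 5)
        yield {
            "ts": ts,
            "client": client,
            "method": method.upper(),
            "url": url,
            "status": int(status),
            "user_agent": user_agent,
        }


def is_empire_beacon(event):
    """True when method, exact user agent and URL path all match the rule."""
    path = urlsplit(event["url"]).path
    return (
        event["method"] == "POST"
        and event["user_agent"] == EMPIRE_USER_AGENT
        and path in EMPIRE_URI_PATHS
    )


def detect(text):
    """Return the events in the log text that satisfy the rule."""
    return [event for event in parse_proxy_log(text) if is_empire_beacon(event)]


def summarize_by_client(hits):
    """Roll hits up per source client: hit count and the distinct paths seen.

    A single hit from a client that also browses normally is a weaker signal
    than repeated hits to the same listener paths, so this view supports
    the false-positive triage the rule summary calls for.
    """
    summary = defaultdict(lambda: {"count": 0, "paths": set()})
    for event in hits:
        entry = summary[event["client"]]
        entry["count"] += 1
        entry["paths"].add(urlsplit(event["url"]).path)
    return {
        client: {"count": entry["count"], "paths": sorted(entry["paths"])}
        for client, entry in summary.items()
    }


if __name__ == "__main__":
    hits = detect(SAMPLE_LOG)
    for event in hits:
        print(event["ts"], event["client"], event["method"], event["url"])
    print(summarize_by_client(hits))
```

Of the five sample lines, only the first and fourth match: the GET on line two fails the method check, the Chrome request on line three fails the user agent check, and the last line fails the path check even though its method and user agent match. The fourth line matches despite its query string because the comparison is on the parsed path.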
Categories
- Web
- Network
Data Sources
- Web Credential
- Network Traffic
- Application Log
Created: 2020-07-13