Rule History

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ClickFix Obfuscated Payload Inbound"; flow:established,to_client; http.response_body; content:"SUhOMFpYQnpPaUJ"; content:"YjNCNVFuVjBkRzl1T2lBaVEyOXdlU0JtYVhn"; distance:0; fast_pattern; reference:url,proofpoint.com/us/blog/threat-insight/clipboard-compromise-powershell-self-pwn; classtype:trojan-activity; sid:2053775; rev:1; metadata:attack_target Client_Endpoint, tls_state TLSDecrypt, created_at 2024_06_20, deployment Perimeter, deployment SSLDecrypt, malware_family ClickFix, confidence High, signature_severity Major, tag compromised_website, updated_at 2024_06_20, mitre_tactic_id TA0005, mitre_tactic_name Defense_Evasion, mitre_technique_id T1027, mitre_technique_name Obfuscated_Files_or_Information;)