alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed JavaScript Event Listener with Clipboard Data"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<script>"; content:"addEventListener|28 27|copy|27|"; distance:0; content:"clipboardData|2e|setData|28 27|text|2f|plain|27|"; fast_pattern; distance:0; content:"sh"; distance:0; content:"|5c|n"; distance:0; content:"</script>"; distance:0; reference:url,www.bleepingcomputer.com/news/security/dont-copy-paste-commands-from-webpages-you-can-get-hacked; classtype:web-application-activity; sid:2034860; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_01_04, deployment Perimeter, confidence High, signature_severity Informational, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_01_07;)