ET WEB_SERVER ASPXSPY - Manic Menagerie Variant Activity M1
| Source | et/open |
| Created | July 7, 2023 |
| Updated | July 7, 2023 |
| Classification | trojan-activity |
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER ASPXSPY - Manic Menagerie Variant Activity M1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".aspx"; endswith; http.cookie; content:"Backdoor="; pcre:"/^[a-f0-9]{32}/R"; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name|3d 22 5f 5f|EVENTTARGET|22 0d 0a 0d 0a|Bin_"; fast_pattern; content:"Content-Disposition|3a 20|form-data|3b 20|name|3d 22 5f 5f|FILE|22 0d 0a 0d 0a|"; reference:md5,2ef7bb0d9763cf38977182d65173d1b0; reference:url,unit42.paloaltonetworks.com/manic-menagerie-targets-web-hosting-and-it/; classtype:trojan-activity; sid:2046753; rev:1; metadata:affected_product Microsoft_IIS, attack_target Web_Server, created_at 2023_07_07, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, updated_at 2023_07_07;)
References
| md5 | 2ef7bb0d9763cf38977182d65173d1b0 |
| url | unit42.paloaltonetworks.com/manic-menagerie-targets-web-hosting-and-it/ |
Metadata
| affected product | Microsoft_IIS |
| attack target | Web_Server |
| created at | 2023_07_07 |
| deployment | SSLDecrypt |
| performance impact | Low |
| confidence | High |
| signature severity | Major |
| updated at | 2023_07_07 |