alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Agrius Group ASPXSpy Webshell Connection Inbound M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".aspx"; endswith; http.cookie; content:"auth=a9cf6f3aaae163d7bf0cab956257eeb5ec8ab411007b552264fdebfb65c59bb6"; fast_pattern; content:"passwd=afb3410722da93d4fd63372e147456fd0630e09a241cb78be48a05295c853ab2"; reference:url,unit42.paloaltonetworks.com/agonizing-serpens-targets-israeli-tech-higher-ed-sectors/; classtype:trojan-activity; sid:2049902; rev:1; metadata:affected_product Microsoft_IIS, attack_target Web_Server, created_at 2024_01_03, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, updated_at 2024_01_03; target:dest_ip;)