alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Fake Captcha Page Containing Powershell Inbound"; flow:established,to_client; http.response_body; content:"|3c|div|20|class|3d 22|captcha|2d|popup|22|"; content:"Windows|20|Key"; content:"var|20|copyText|20 3d 20 22|powershell"; fast_pattern; reference:url,x.com/g0njxa/status/1834326261545529391; classtype:command-and-control; sid:2055846; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, tls_state TLSDecrypt, created_at 2024_09_13, deployment Perimeter, deployment SSLDecrypt, confidence High, signature_severity Major, updated_at 2024_09_13;)