alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Clickfix Style Post-Infection CnC Request (GET)"; flow:established,to_server; urilen:<9; http.method; content:"GET"; http.uri; pcre:"/^\x2f[0-9]{2,3}\x2ephp$/"; http.user_agent; content:"WindowsPowerShell/"; fast_pattern; http.header_names; content:!"|0d 0a|referer|0d 0a|"; nocase; content:!"|0d 0a|accept|0d 0a|"; nocase; http.connection; bsize:10; content:"Keep-Alive"; reference:md5,b82c0588e9ccc200f75789c10e54485c; reference:url,app.any.run/tasks/cc4fcfe7-7855-4ce9-82cb-f077bdd34af6; classtype:command-and-control; sid:2057788; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Windows_11, attack_target Client_Endpoint, tls_state plaintext, created_at 2024_11_22, deployment Perimeter, malware_family ClickFix, confidence Medium, signature_severity Critical, updated_at 2024_11_22;)