ET MALWARE Observed ClickFix Powershell Delivery Page Inbound

SID: 2058473
Rev: 1
Source: et/open
Created: December 23, 2024
Updated: December 23, 2024
Classification: trojan-activity
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed ClickFix Powershell Delivery Page Inbound"; flow:established,to_client; content:"not|20|a|20|robot"; content:"Windows|20|Key"; nocase; content:"|3c|b|3e|Ctrl|3c 2f|b|3e 20 2b 20 3c|b|3e|V|3c 2f|b|3e|"; distance:0; nocase; fast_pattern; content:"Press|20 3c|b|3e|Enter|3c 2f|b|3e|"; nocase; reference:url,app.any.run/tasks/754d532a-a5b9-4a56-8fe6-43a7cf212fda; classtype:trojan-activity; sid:2058473; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, tls_state TLSDecrypt, created_at 2024_12_23, deployment Perimeter, deployment SSLDecrypt, malware_family ClickFix, confidence High, signature_severity Major, updated_at 2024_12_23; target:src_ip;)

Metadata

affected product: Windows_XP_Vista_7_8_10_Server_32_64_Bit
attack target: Client_Endpoint
tls state: TLSDecrypt
created at: 2024_12_23
deployment: SSLDecrypt
malware family: ClickFix
confidence: High
signature severity: Major
updated at: 2024_12_23
