alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE ClickFix Related Payload Inbound"; flow:established,to_client; http.response_body; bsize:<2048; content:!"|3c 21|DOCTYPE|20|html|3e|"; content:!"<title>"; content:"var|20|s|20 3d 20|document|2e|createElement|28 27|script|27 29 3b 20|s|2e|src|20 3d 20|"; fast_pattern; content:"document|2e|getElementsByTagName|28 27|head|27 29 5b|0|5d 2e|appendChild|28|s|29 3b|"; reference:url,urlscan.io/result/019609bd-9c94-773f-b3b6-eca6c74ca38e/dom/; classtype:trojan-activity; sid:2061865; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, tls_state TLSDecrypt, created_at 2025_04_24, deployment Perimeter, deployment SSLDecrypt, malware_family ClickFix, confidence Medium, signature_severity Major, updated_at 2025_04_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1105, mitre_technique_name Ingress_Tool_Transfer; target:dest_ip;)