curben
/
blog
mirror of https://gitlab.com/curben/blog
1
0
Fork 0
Code Issues Releases Wiki Activity

fix(clickfix-detect): update fields

This commit is contained in:
Ming Di Leom 2025-05-20 08:45:34 +00:00
parent 80239ea808
commit 16e9e6ac56
No known key found for this signature in database
GPG Key ID: 32D3E28E96A695E8
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
source/threat-hunting/index.md
View File

@ -404,7 +404,7 @@ References: [1](https://detect.fyi/hunting-clickfix-initial-access-techniques-8c
SPL:
```spl
| tstats summariesonly=true allow_old_summaries=true fillnull_value="unknown" count FROM datamodel=Endpoint.Registry WHERE index="windows" Registry.registry_key_name="*\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU*" Registry.registry_value_data IN ("*powershell*", "*pwsh*", "*cmd*", "*mshta*") (Registry.registry_value_data IN ("*start-process*", "*hidden*", "*command*", "*bypass*", "*new-object*", "*http*", "*invoke*", "*iex*", "*-exec*", "*verification*", "*classname*", "*cimmethod*", "*methodname*", "*win32_process*", "*system.diagnostics.process*", "*system.management.automation*", "*Reflection.Assembly*", "*FromBase64String*", "*import-module*", "*add-type*", "*webclient*") OR Registry.registry_value_data IN ("*http*", "*javascript:*", "*verification*", "*eval*", "*.js*", "*.vbs*", "*.hta*", "*.bat*")) NOT Registry.registry_key_name="*\\MRUList" BY Registry.dest, Registry.registry_value_data, Registry.action, Registry.process_guid, Registry.process_id, Registry.registry_key_name, Registry.user
| tstats summariesonly=true allow_old_summaries=true fillnull_value="unknown" count FROM datamodel=Endpoint.Registry WHERE index="windows" Registry.registry_path="*\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU*" Registry.registry_value_data IN ("*powershell*", "*pwsh*", "*cmd*", "*mshta*") (Registry.registry_value_data IN ("*start-process*", "*hidden*", "*command*", "*bypass*", "*new-object*", "*http*", "*invoke*", "*iex*", "*-exec*", "*verification*", "*classname*", "*cimmethod*", "*methodname*", "*win32_process*", "*system.diagnostics.process*", "*system.management.automation*", "*Reflection.Assembly*", "*FromBase64String*", "*import-module*", "*add-type*", "*webclient*") OR Registry.registry_value_data IN ("*http*", "*javascript:*", "*verification*", "*eval*", "*.js*", "*.vbs*", "*.hta*", "*.bat*")) NOT Registry.registry_value_name="MRUList" BY Registry.dest, Registry.registry_path, Registry.registry_value_name, Registry.registry_value_data, Registry.action, Registry.process_guid, Registry.process_id, Registry.user
| rename Registry.* AS *
| where len(registry_value_data) >= 50
| eval Time = strftime(_time, "%Y-%m-%d %H:%M:%S %z")