curben
/
blog
mirror of https://gitlab.com/curben/blog
1
0
Fork 0
Code Issues Releases Wiki Activity

page(threat-hunting): ClickFix detection

This commit is contained in:
Ming Di Leom 2025-03-29 07:35:17 +00:00
parent db84c03325
commit 3fa8c33ea5
No known key found for this signature in database
GPG Key ID: 32D3E28E96A695E8
1 changed files with 14 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
source/threat-hunting/index.md
View File

@ -387,6 +387,20 @@ SPL:
| table Time, index, host, EventCode, EventDescription, parent_process, parent_process_path, process, user, Name, Email
```
## ClickFix detection
Description: Detecting ClickFix execution via the Windows Run dialog.
References: [1](https://detect.fyi/hunting-clickfix-initial-access-techniques-8c1b38d5ef9b), [2](https://www.proofpoint.com/us/blog/threat-insight/clipboard-compromise-powershell-self-pwn), [3](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/clickfix-deception-a-social-engineering-tactic-to-deploy-malware/), [4](https://research.splunk.com/endpoint/a15aa1ab-2b79-467f-8201-65e0f32d5b1a/)
SPL:
```spl
| tstats summariesonly=true allow_old_summaries=true fillnull_value="unknown" count FROM datamodel=Endpoint.Registry WHERE Registry.registry_key_name="*\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU*" Registry.registry_value_data IN ("*powershell*", "*pwsh*", "*cmd*", "*mshta*") (Registry.registry_value_data IN ("*start-process*", "*hidden*", "*command*", "*bypass*", "*new-object*", "*http*", "*invoke*", "*iex*", "*-exec*", "*verification*", "*classname*", "*cimmethod*", "*methodname*", "*win32_process*", "*system.diagnostics.process*", "*system.management.automation*", "*Reflection.Assembly*", "*FromBase64String*", "*import-module*", "*add-type*", "*webclient*") OR Registry.registry_value_data IN ("*http*", "*javascript:*", "*verification*", "*eval*", "*.js*", "*.vbs*", "*.hta*", "*.bat*")) NOT Registry.registry_key_name="*\\MRUList" BY Registry.dest, Registry.registry_value_data, Registry.action, Registry.process_guid, Registry.process_id, Registry.registry_key_name, Registry.user
| rename Registry.* AS *
| where len(registry_value_data) >= 50
| eval Time = strftime(_time, "%Y-%m-%d %H:%M:%S %z")
| lookup ad_users sAMAccountName AS user OUTPUT displayName AS Name, mail AS Email
```
## dllFake IoC
References: [1](https://redcanary.com/blog/threat-intelligence/intelligence-insights-july-2024/)