Techniques
Sample rules
Potential ClickFix Execution Pattern - Registry
- source: sigma
- technicques:
- t1204
- t1204.001
Description
Detects potential ClickFix malware execution patterns by monitoring registry modifications in RunMRU keys containing HTTP/HTTPS links. ClickFix is known to be distributed through phishing campaigns and uses techniques like clipboard hijacking and fake CAPTCHA pages. Through the fakecaptcha pages, the adversary tricks users into opening the Run dialog box and pasting clipboard-hijacked content, such as one-liners that execute remotely hosted malicious files or scripts.
Detection logic
condition: all of selection_*
selection_details:
Details|contains:
- http://
- https://
selection_registry:
TargetObject|contains: \SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\
selection_susp_pattern:
- Details|contains:
- account
- anti-bot
- botcheck
- captcha
- challenge
- confirmation
- fraud
- human
- identificator
- identity
- robot
- validation
- verification
- verify
- Details|contains:
- '%comspec%'
- bitsadmin
- certutil
- cmd
- cscript
- curl
- mshta
- powershell
- pwsh
- regsvr32
- rundll32
- schtasks
- wget
- wscript