From 2596e382316948e6a1b50c0b59aa2d58d51a9e3b Mon Sep 17 00:00:00 2001
From: rabbitstack
Date: Tue, 25 Mar 2025 20:06:34 +0100
Subject: [PATCH] feat(rules): Potential ClickFix infection via Run dialog
Identifies the execution of the process via the Run command dialog box followed by a network connection. This could be indicative of the ClickFix deceptive tactic used by attackers to lure victims into executing malicious commands under the guise of meeting pages or CAPTCHAs.
---
 ...lickfix_infection_chain_via_run_window.yml | 49 +++++++++++++++++++
 1 file changed, 49 insertions(+)
 create mode 100644 rules/initial_access_potential_clickfix_infection_chain_via_run_window.yml
diff --git a/rules/initial_access_potential_clickfix_infection_chain_via_run_window.yml b/rules/initial_access_potential_clickfix_infection_chain_via_run_window.yml
new file mode 100644
index 000000000..2880d1ffd
--- /dev/null
+++ b/rules/initial_access_potential_clickfix_infection_chain_via_run_window.yml
@@ -0,0 +1,49 @@
+name: Potential ClickFix infection chain via Run window
+id: ffe1fc54-2893-4760-ab50-51a83bd71d13
+version: 1.0.0
+description: |
+ Identifies the execution of the process via the Run command dialog box followed by spawning of the potential
+ infostealer process.
+ This could be indicative of the ClickFix deceptive tactic used by attackers to lure victims into executing
+ malicious commands under the guise of meeting pages or CAPTCHAs.
+labels:
+ tactic.id: TA0001
+ tactic.name: Initial Access
+ tactic.ref: https://attack.mitre.org/tactics/TA0001/
+ technique.id: T1566
+ technique.name: Phishing
+ technique.ref: https://attack.mitre.org/techniques/T1566/
+references:
+ - https://blog.sekoia.io/clickfix-tactic-the-phantom-meet/
+ - https://blog.sekoia.io/clickfix-tactic-revenge-of-detection/
+ - https://detect.fyi/hunting-clickfix-initial-access-techniques-8c1b38d5ef9b
+
+condition: >
+ sequence
+ maxspan 2m
+ |spawn_process and ps.name ~= 'explorer.exe' and length(ps.child.args) >= 2
+ and
+ (thread.callstack.summary imatches
+ (
+ 'ntdll.dll|KernelBase.dll|kernel32.dll|windows.storage.dll|shell32.dll|user32.dll|shell32.dll|explorer.exe|SHCore.dll|*',
+ 'ntdll.dll|KernelBase.dll|kernel32.dll|windows.storage.dll|shell32.dll|windows.storage.dll|shell32.dll|user32.dll|shell32.dll|explorer.exe|SHCore.dll|*'
+ )
+ or
+ (thread.callstack.summary imatches '*shell32.dll|explorer.exe|*' and thread.callstack.symbols imatches ('*shell32.dll!GetFileNameFromBrowse*'))
+ )
+ | by ps.child.uuid
+ |spawn_process and not ps.child.exe imatches
+ (
+ '?:\\Program Files\\*.exe',
+ '?:\\Program Files (x86)\\*.exe',
+ '?:\\Windows\\System32\\*.exe'
+ )
+ | by ps.uuid
+action:
+ - name: kill
+
+output: >
+ Potential infostealer process %2.ps.child.exe executed via the Run command window by %1.ps.child.cmdline
+severity: high
+
+min-engine-version: 2.2.0
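Review bot: The exclusion list in the second sequence step (`not ps.child.exe imatches (...)`) covers Program Files, Program Files (x86) and System32 but not SysWOW64, so a 32-bit system binary launched by the Run-dialog process would match as a "potential infostealer" and, with `action: kill` attached, be terminated; if that is not the intent, add `'?:\\Windows\\SysWOW64\\*.exe'` next to the System32 entry. The commit message describes the chain as "followed by a network connection", whereas the rule's second step and its `description` block match a spawned child process and no network event appears in the condition, so one of the two should be reconciled before merge. The first step pins two exact callstack module orderings, which presumably vary across Windows builds; a YAML comment above `thread.callstack.summary` recording which Windows versions they were captured on would help maintainers tell a drifted callstack from a genuine miss, given that the `GetFileNameFromBrowse` branch is the only version-independent fallback.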