Skip to content

feat(rules): New Potential ClickFix infection chain via Run window rule #470

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
rabbitstack merged 1 commit into from
Apr 4, 2025
Merged

feat(rules): New Potential ClickFix infection chain via Run window rule #470

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
49 changes: 49 additions & 0 deletions rules/initial_access_potential_clickfix_infection_chain_via_run_window.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,49 @@
name: Potential ClickFix infection chain via Run window
id: ffe1fc54-2893-4760-ab50-51a83bd71d13
version: 1.0.0
description: |
Identifies the execution of the process via the Run command dialog box followed by spawning of the potential
infostealer process.
This could be indicative of the ClickFix deceptive tactic used by attackers to lure victims into executing
malicious commands under the guise of meeting pages or CAPTCHAs.
labels:
tactic.id: TA0001
tactic.name: Initial Access
tactic.ref: https://attack.mitre.org/tactics/TA0001/
technique.id: T1566
technique.name: Phishing
technique.ref: https://attack.mitre.org/techniques/T1566/
references:
- https://blog.sekoia.io/clickfix-tactic-the-phantom-meet/
- https://blog.sekoia.io/clickfix-tactic-revenge-of-detection/
- https://detect.fyi/hunting-clickfix-initial-access-techniques-8c1b38d5ef9b

condition: >
sequence
maxspan 2m
|spawn_process and ps.name ~= 'explorer.exe' and length(ps.child.args) >= 2
and
(thread.callstack.summary imatches
(
'ntdll.dll|KernelBase.dll|kernel32.dll|windows.storage.dll|shell32.dll|user32.dll|shell32.dll|explorer.exe|SHCore.dll|*',
'ntdll.dll|KernelBase.dll|kernel32.dll|windows.storage.dll|shell32.dll|windows.storage.dll|shell32.dll|user32.dll|shell32.dll|explorer.exe|SHCore.dll|*'
)
or
(thread.callstack.summary imatches '*shell32.dll|explorer.exe|*' and thread.callstack.symbols imatches ('*shell32.dll!GetFileNameFromBrowse*'))
)
| by ps.child.uuid
|spawn_process and not ps.child.exe imatches
(
'?:\\Program Files\\*.exe',
'?:\\Program Files (x86)\\*.exe',
'?:\\Windows\\System32\\*.exe'
)
| by ps.uuid
action:
- name: kill

output: >
Potential infostealer process %2.ps.child.exe executed via the Run command window by %1.ps.child.cmdline
severity: high

min-engine-version: 2.2.0