feat(rules): Potential ClickFix infection via Run dialog

rabbitstack · rabbitstack · commit d87f913431e7 · 2025-04-04T21:27:07.000+02:00
Identifies the execution of the process via the Run command dialog box followed by a network connection. This could be indicative of the ClickFix deceptive tactic used by attackers to lure victims into executing malicious commands under the guise of meeting pages or CAPTCHAs.
diff --git a/rules/initial_access_potential_clickfix_infection_chain_via_run_window.yml b/rules/initial_access_potential_clickfix_infection_chain_via_run_window.yml
@@ -0,0 +1,49 @@
+name: Potential ClickFix infection chain via Run window
+id: ffe1fc54-2893-4760-ab50-51a83bd71d13
+version: 1.0.0
+description: |
+  Identifies the execution of the process via the Run command dialog box followed by spawning of the potential 
+  infostealer process. 
+  This could be indicative of the ClickFix deceptive tactic used by attackers to lure victims into executing 
+  malicious commands under the guise of meeting pages or CAPTCHAs.
+labels:
+  tactic.id: TA0001
+  tactic.name: Initial Access
+  tactic.ref: https://attack.mitre.org/tactics/TA0001/
+  technique.id: T1566
+  technique.name: Phishing
+  technique.ref: https://attack.mitre.org/techniques/T1566/
+references:
+  - https://blog.sekoia.io/clickfix-tactic-the-phantom-meet/
+  - https://blog.sekoia.io/clickfix-tactic-revenge-of-detection/
+  - https://detect.fyi/hunting-clickfix-initial-access-techniques-8c1b38d5ef9b
+
+condition: >
+  sequence
+  maxspan 2m
+    |spawn_process and ps.name ~= 'explorer.exe' and length(ps.child.args) >= 2
+      and
+     (thread.callstack.summary imatches 
+       (
+        'ntdll.dll|KernelBase.dll|kernel32.dll|windows.storage.dll|shell32.dll|user32.dll|shell32.dll|explorer.exe|SHCore.dll|*',
+        'ntdll.dll|KernelBase.dll|kernel32.dll|windows.storage.dll|shell32.dll|windows.storage.dll|shell32.dll|user32.dll|shell32.dll|explorer.exe|SHCore.dll|*'
+       )
+       or
+      (thread.callstack.summary imatches '*shell32.dll|explorer.exe|*' and thread.callstack.symbols imatches ('*shell32.dll!GetFileNameFromBrowse*'))
+     )
+    | by ps.child.uuid
+    |spawn_process and not ps.child.exe imatches 
+      (
+        '?:\\Program Files\\*.exe',
+        '?:\\Program Files (x86)\\*.exe',
+        '?:\\Windows\\System32\\*.exe'
+      )
+    | by ps.uuid
+action:
+  - name: kill
+
+output: >
+  Potential infostealer process %2.ps.child.exe executed via the Run command window by %1.ps.child.cmdline
+severity: high
+
+min-engine-version: 2.2.0
