feat(rules): Potential ClickFix infection via Run dialog

rabbitstack · rabbitstack · commit 6cebc6a0c233 · 2025-03-24T21:23:56.000+01:00
Identifies the execution of the process via Run command dialog box followed by a network connection.
This could be indicative of ClickFix deceptive tactic used by attackers to lure victims into executing malicious commands under the guise of meeting pages or CAPTCHAs.
diff --git a/rules/initial_access_potential_clickfix_infection_via_run_dialog.yml b/rules/initial_access_potential_clickfix_infection_via_run_dialog.yml
@@ -0,0 +1,39 @@
+name: Potential ClickFix infection via Run dialog
+id: ffe1fc54-2893-4760-ab50-51a83bd71d13
+version: 1.0.0
+description: |
+  Identifies the execution of the process via Run command dialog box followed by a network connection.
+  This could be indicative of ClickFix deceptive tactic used by attackers to lure victims into executing 
+  malicious commands under the guise of meeting pages or CAPTCHAs.
+labels:
+  tactic.id: TA0001
+  tactic.name: Initial Access
+  tactic.ref: https://attack.mitre.org/tactics/TA0001/
+  technique.id: T1566
+  technique.name: Phishing
+  technique.ref: https://attack.mitre.org/techniques/T1566/
+references:
+  - https://blog.sekoia.io/clickfix-tactic-the-phantom-meet/
+  - https://blog.sekoia.io/clickfix-tactic-revenge-of-detection/
+  - https://detect.fyi/hunting-clickfix-initial-access-techniques-8c1b38d5ef9b
+
+condition: >
+  sequence
+  maxspan 2m
+    |spawn_process and ps.name ~= 'explorer.exe' and length(ps.child.args) >= 2
+      and
+     thread.callstack.summary imatches 
+      (
+        'ntdll.dll|KernelBase.dll|kernel32.dll|windows.storage.dll|shell32.dll|user32.dll|shell32.dll|explorer.exe|SHCore.dll|*',
+        'ntdll.dll|KernelBase.dll|kernel32.dll|windows.storage.dll|shell32.dll|windows.storage.dll|shell32.dll|user32.dll|shell32.dll|explorer.exe|SHCore.dll|*'
+      )
+    | by ps.child.uuid
+    |connect_socket and not cidr_contains(net.dip, '127.0.0.0/8', '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16')| by ps.uuid
+action:
+  - name: kill
+
+output: >
+  Process %1.ps.child.exe executed via Run dialog and subsequently connected to the IP address %2.net.dip
+severity: high
+
+min-engine-version: 2.2.0
