From dd336c6592405ff57b5414a15966e1feff685435 Mon Sep 17 00:00:00 2001
From: swachchhanda000
Date: Tue, 25 Mar 2025 12:18:38 +0545
Subject: [PATCH 1/3] add clickfix registry related rule
---
...istry_set_potential_clickfix_execution.yml | 47 +++++++++++++++++++
1 file changed, 47 insertions(+)
create mode 100644 rules/windows/registry/registry_set/registry_set_potential_clickfix_execution.yml
diff --git a/rules/windows/registry/registry_set/registry_set_potential_clickfix_execution.yml b/rules/windows/registry/registry_set/registry_set_potential_clickfix_execution.yml
new file mode 100644
index 00000000000..50c194e0301
--- /dev/null
+++ b/rules/windows/registry/registry_set/registry_set_potential_clickfix_execution.yml
@@ -0,0 +1,47 @@
+title: Potential ClickFix Execution Pattern - Registry
+id: f5fe36cf-f1ec-4c23-903d-09a3110f6bbb
+status: experimental
+description: |
+ Detects potential ClickFix malware execution patterns by monitoring registry modifications in RunMRU keys containing HTTP/HTTPS links.
+ ClickFix is known to be distributed through phishing campaigns and uses techniques like clipboard hijacking and fake CAPTCHA pages.
+references:
+ - https://github.com/JohnHammond/recaptcha-phish
+ - https://www.zscaler.com/blogs/security-research/deepseek-lure-using-captchas-spread-malware
+ - https://www.threatdown.com/blog/clipboard-hijacker-tries-to-install-a-trojan/
+ - https://app.any.run/tasks/5c16b4db-4b36-4039-a0ed-9b09abff8be2
+ - https://www.esentire.com/security-advisories/netsupport-rat-clickfix-distribution
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2025-03-25
+tags:
+ - attack.execution
+ - attack.t1204.001
+logsource:
+ category: registry_set
+ product: windows
+detection:
+ selection_registry:
+ TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\'
+ selection_details:
+ - Details|contains:
+ # More generic detection
+ - 'http://'
+ - 'https://'
+ - Details|contains:
+ # Add more suspicious keyword
+ - 'account'
+ - 'anti-bot'
+ - 'botcheck'
+ - 'captcha'
+ - 'challenge'
+ - 'confirmation'
+ - 'fraud'
+ - 'human'
+ - 'identity'
+ - 'robot'
+ - 'validation'
+ - 'verification'
+ - 'verify'
+ condition: all of selection_*
+falsepositives:
+ - Legitimate applications using RunMRU with HTTP links
+level: high
From 6032388a8c6949f6ba5d1cb5f7b5dea838c63bcc Mon Sep 17 00:00:00 2001
From: swachchhanda000
Date: Tue, 25 Mar 2025 12:23:29 +0545
Subject: [PATCH 2/3] description extended
---
.../registry_set/registry_set_potential_clickfix_execution.yml | 2 ++
1 file changed, 2 insertions(+)
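Review bot: `selection_details` is written as a list of two mappings, which Sigma evaluates as OR, so under `condition: all of selection_*` a RunMRU entry that merely contains one of the broad keywords (`human`, `account`, `identity`, `challenge`, …) with no URL at all triggers this `level: high` rule; the comments `# More generic detection` and `# Add more suspicious keyword` read as if the two lists were meant to be layered rather than alternatives. If "URL plus a lure keyword" is the intended pattern, split the list into two named selections so that `all of selection_*` requires both; if OR really is intended, the keyword-only branch needs its own `falsepositives` entry and very likely a lower level. In either case a one-line comment above `selection_details` stating which logic is meant would spare the next reader the same question.

```yaml
    selection_url:
        Details|contains:
            - 'http://'
            - 'https://'
    selection_keyword:
        Details|contains:
            # … unchanged: keyword list ('account' … 'verify') …
    condition: all of selection_*
```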
diff --git a/rules/windows/registry/registry_set/registry_set_potential_clickfix_execution.yml b/rules/windows/registry/registry_set/registry_set_potential_clickfix_execution.yml
index 50c194e0301..269e8dcb7cc 100644
--- a/rules/windows/registry/registry_set/registry_set_potential_clickfix_execution.yml
+++ b/rules/windows/registry/registry_set/registry_set_potential_clickfix_execution.yml
@@ -4,6 +4,8 @@ status: experimental
 description: |
 Detects potential ClickFix malware execution patterns by monitoring registry modifications in RunMRU keys containing HTTP/HTTPS links.
 ClickFix is known to be distributed through phishing campaigns and uses techniques like clipboard hijacking and fake CAPTCHA pages.
+ Through the fakecaptcha pages, the adversary tricks users into opening the Run dialog box and pasting clipboard-hijacked content,
+ such as one-liners that execute remotely hosted malicious files or scripts.
 references:
 - https://github.com/JohnHammond/recaptcha-phish
 - https://www.zscaler.com/blogs/security-research/deepseek-lure-using-captchas-spread-malware
From fe7cdf8c49bd14f9b80df9b2c065ad562679c74a Mon Sep 17 00:00:00 2001
From: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Date: Thu, 27 Mar 2025 16:58:57 +0545
Subject: [PATCH 3/3] Update rules/windows/registry/registry_set/registry_set_potential_clickfix_execution.yml
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
---
.../registry_set/registry_set_potential_clickfix_execution.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/rules/windows/registry/registry_set/registry_set_potential_clickfix_execution.yml b/rules/windows/registry/registry_set/registry_set_potential_clickfix_execution.yml
index 269e8dcb7cc..8be76a547cd 100644
--- a/rules/windows/registry/registry_set/registry_set_potential_clickfix_execution.yml
+++ b/rules/windows/registry/registry_set/registry_set_potential_clickfix_execution.yml
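Review bot: `fakecaptcha` on the first added description line should read `fake CAPTCHA`, matching the wording already used on the context line directly above it. The added sentence otherwise does a useful job of tying the Run-dialog step to the RunMRU key the rule watches, so the wording fix is the only change needed here.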
@@ -12,6 +12,7 @@ references:
 - https://www.threatdown.com/blog/clipboard-hijacker-tries-to-install-a-trojan/
 - https://app.any.run/tasks/5c16b4db-4b36-4039-a0ed-9b09abff8be2
 - https://www.esentire.com/security-advisories/netsupport-rat-clickfix-distribution
+ - https://medium.com/@boutnaru/the-windows-foreniscs-journey-run-mru-run-dialog-box-most-recently-used-57375a02d724
 author: Swachchhanda Shrawan Poudel (Nextron Systems)
 date: 2025-03-25
 tags: