Potential ClickFix Execution Pattern - Registry

rules/windows/registry/registry_set/registry_set_potential_clickfix_execution.yml

@@ -0,0 +1,49 @@
+title: Potential ClickFix Execution Pattern - Registry
+id: f5fe36cf-f1ec-4c23-903d-09a3110f6bbb
+status: experimental
+description: |
+    Detects potential ClickFix malware execution patterns by monitoring registry modifications in RunMRU keys containing HTTP/HTTPS links.
+    ClickFix is known to be distributed through phishing campaigns and uses techniques like clipboard hijacking and fake CAPTCHA pages.
+    Through the fakecaptcha pages, the adversary tricks users into opening the Run dialog box and pasting clipboard-hijacked content,
+    such as one-liners that execute remotely hosted malicious files or scripts.
+references:
+    - https://github.com/JohnHammond/recaptcha-phish
+    - https://www.zscaler.com/blogs/security-research/deepseek-lure-using-captchas-spread-malware
+    - https://www.threatdown.com/blog/clipboard-hijacker-tries-to-install-a-trojan/
+    - https://app.any.run/tasks/5c16b4db-4b36-4039-a0ed-9b09abff8be2
+    - https://www.esentire.com/security-advisories/netsupport-rat-clickfix-distribution
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2025-03-25
+tags:
+    - attack.execution
+    - attack.t1204.001
+logsource:
+    category: registry_set
+    product: windows
+detection:
+    selection_registry:
+        TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\'
+    selection_details:
+        - Details|contains:
+            # More generic detection
+              - 'http://'
+              - 'https://'
+        - Details|contains:
+              # Add more suspicious keyword
+              - 'account'
+              - 'anti-bot'
+              - 'botcheck'
+              - 'captcha'
+              - 'challenge'
+              - 'confirmation'
+              - 'fraud'
+              - 'human'
+              - 'identity'
+              - 'robot'
+              - 'validation'
+              - 'verification'
+              - 'verify'
+    condition: all of selection_*
+falsepositives:
+    - Legitimate applications using RunMRU with HTTP links
+level: high