Detects potential ClickFix malware execution patterns by monitoring registry modifications in RunMRU keys containing HTTP/HTTPS links. ClickFix is known to be distributed through phishing campaigns an
title: Potential ClickFix Execution Pattern - Registry
id: f5fe36cf-f1ec-4c23-903d-09a3110f6bbb
related:
- id: d487ed4a-fd24-436d-a0b2-f4e95f7b2635
type: similar
status: experimental
description: |
Detects potential ClickFix malware execution patterns by monitoring registry modifications in RunMRU keys containing HTTP/HTTPS links.
ClickFix is known to be distributed through phishing campaigns and uses techniques like clipboard hijacking and fake CAPTCHA pages.
Through the fakecaptcha pages, the adversary tricks users into opening the Run dialog box and pasting clipboard-hijacked content,
such as one-liners that execute remotely hosted malicious files or scripts.
references:
- https://github.com/JohnHammond/recaptcha-phish
- https://www.zscaler.com/blogs/security-research/deepseek-lure-using-captchas-spread-malware
- https://www.threatdown.com/blog/clipboard-hijacker-tries-to-install-a-trojan/
- https://app.any.run/tasks/5c16b4db-4b36-4039-a0ed-9b09abff8be2
- https://www.esentire.com/security-advisories/netsupport-rat-clickfix-distribution
- https://medium.com/@boutnaru/the-windows-foreniscs-journey-run-mru-run-dialog-box-most-recently-used-57375a02d724
- https://unit42.paloaltonetworks.com/preventing-clickfix-attack-vector/
- https://medium.com/@poudelswachchhanda123/preventing-lnk-and-fakecaptcha-threats-a-system-hardening-approach-2f7b7ed2e493
- https://www.scpx.com.au/2025/11/16/decades-old-finger-protocol-abused-in-clickfix-malware-attacks/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-03-25
modified: 2025-11-19
tags:
- attack.execution
- attack.t1204.001
logsource:
category: registry_set
product: windows
detection:
selection_registry:
TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\'
selection_details:
Details|contains:
- 'http://'
- 'https://'
selection_susp_pattern:
- Details|contains:
# Add more suspicious keywords
- 'account'
- 'anti-bot'
- 'botcheck'
- 'captcha'
- 'challenge'
- 'confirmation'
- 'fraud'
- 'human'
- 'identification'
- 'identificator'
- 'identity'
- 'robot'
- 'validation'
- 'verification'
- 'verify'
- Details|contains:
- '%comspec%'
- 'bitsadmin'
- 'certutil'
- 'cmd'
- 'cscript'
- 'curl'
- 'finger'
- 'mshta'
- 'powershell'
- 'pwsh'
- 'regsvr32'
- 'rundll32'
- 'schtasks'
- 'wget'
- 'wscript'
condition: all of selection_*
falsepositives:
- Legitimate applications using RunMRU with HTTP links
level: high
imRegistry
| where RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU*" and (RegistryValueData contains "http://" or RegistryValueData contains "https://") and ((RegistryValueData contains "account" or RegistryValueData contains "anti-bot" or RegistryValueData contains "botcheck" or RegistryValueData contains "captcha" or RegistryValueData contains "challenge" or RegistryValueData contains "confirmation" or RegistryValueData contains "fraud" or RegistryValueData contains "human" or RegistryValueData contains "identification" or RegistryValueData contains "identificator" or RegistryValueData contains "identity" or RegistryValueData contains "robot" or RegistryValueData contains "validation" or RegistryValueData contains "verification" or RegistryValueData contains "verify") or (RegistryValueData contains "%comspec%" or RegistryValueData contains "bitsadmin" or RegistryValueData contains "certutil" or RegistryValueData contains "cmd" or RegistryValueData contains "cscript" or RegistryValueData contains "curl" or RegistryValueData contains "finger" or RegistryValueData contains "mshta" or RegistryValueData contains "powershell" or RegistryValueData contains "pwsh" or RegistryValueData contains "regsvr32" or RegistryValueData contains "rundll32" or RegistryValueData contains "schtasks" or RegistryValueData contains "wget" or RegistryValueData contains "wscript"))DeviceRegistryEvents
| where RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU*" and (RegistryValueData contains "http://" or RegistryValueData contains "https://") and ((RegistryValueData contains "account" or RegistryValueData contains "anti-bot" or RegistryValueData contains "botcheck" or RegistryValueData contains "captcha" or RegistryValueData contains "challenge" or RegistryValueData contains "confirmation" or RegistryValueData contains "fraud" or RegistryValueData contains "human" or RegistryValueData contains "identification" or RegistryValueData contains "identificator" or RegistryValueData contains "identity" or RegistryValueData contains "robot" or RegistryValueData contains "validation" or RegistryValueData contains "verification" or RegistryValueData contains "verify") or (RegistryValueData contains "%comspec%" or RegistryValueData contains "bitsadmin" or RegistryValueData contains "certutil" or RegistryValueData contains "cmd" or RegistryValueData contains "cscript" or RegistryValueData contains "curl" or RegistryValueData contains "finger" or RegistryValueData contains "mshta" or RegistryValueData contains "powershell" or RegistryValueData contains "pwsh" or RegistryValueData contains "regsvr32" or RegistryValueData contains "rundll32" or RegistryValueData contains "schtasks" or RegistryValueData contains "wget" or RegistryValueData contains "wscript"))| Sentinel Table | Notes |
|---|---|
imRegistry | Ensure this data connector is enabled |