The ThreatFox: IClickFix IOCs rule detects potential adversary activity involving known malicious indicators associated with the IClickFix threat group, which is linked to credential theft and lateral movement. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromise attempts by this sophisticated threat actor.
IOC Summary
Malware Family: IClickFix
Total IOCs: 166
IOC Types: domain
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - IClickFix
let malicious_domains = dynamic([
    "healthycookinginwesternny.com", "healthypastadishes.net", "heartofuganda.com", "henieskinlab.com", "henleyevents.us", "herbpress.com", "hksoftltd.co.rw", "gtadirectwindowsdoors.ca", "gulshan2.com", "gustavomarval.com",
    "hafsataleemulquran.com", "halitesupply.us", "hananhaifa.com", "haramgateway.com", "hatcheryhillmhc.com", "gordontag.ru", "gpecc.com.vn", "gpnindonesia.com", "grameenlaboratoriesbd.com", "grandfitness.com",
    "greenbins.co.za", "greenhealthayurvedic.in", "greensboroautotransport.com", "greenwoodcontracting.com", "gridxi.com", "groupe-alpages.com", "grupointerzenda.com", "global-newbusiness.com", "globalfacility.sk", "globalforumconsulting.com",
    "globalitn.com", "globaltech360.co.uk", "glowingsmiles.in", "gobernaciondebolivar.gob.ec", "goeazyfacilities.com", "golfkortetfortjejer.se", "googlegemini.com", "gamehit.id", "garagedoordesignandrepairnews.com", "gartelarxa.com",
    "gemscareer.com", "gentsgallerybd.com", "geocronos.cl", "friedlismarkthalle.ch", "frigoservicedumidi.com", "frontlinemakesafesandrepairs.com", "frugallifeathome.com", "fshistoricalsociety.org", "fswi.com", "funnypetsvideos.net"
]);
// has_any matches on whole terms, so a query for a subdomain of a listed domain also matches
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
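To check how the query above behaves on real DNS telemetry before enabling it, the following added example (not part of the rule or of ThreatFox) applies the same matching to constructed DnsEvents-style records in Python. It approximates the term-based `has_any` matching of the query (exact domain or subdomain of an indicator) rather than plain substring matching, using a subset of the indicator domains from the query; the sample records and host names are constructed.

```python
from typing import Iterable, Optional

# Subset of the IClickFix indicator domains used in the hunt query above.
MALICIOUS_DOMAINS = {
    "healthycookinginwesternny.com",
    "heartofuganda.com",
    "fswi.com",
    "googlegemini.com",
}


def normalise(name: str) -> str:
    """Lower-case and strip the trailing dot that DNS logs often keep on FQDNs."""
    return name.strip().lower().rstrip(".")


def matches_indicator(queried_name: str, indicators: Iterable[str]) -> Optional[str]:
    """Return the indicator that `queried_name` equals or is a subdomain of.

    Like KQL `has_any` (term match) and unlike `contains` (substring match),
    a query for `cdn.fswi.com` matches the indicator `fswi.com`, while
    `notfswi.com` does not.
    """
    name = normalise(queried_name)
    for ioc in indicators:
        ioc = normalise(ioc)
        if name == ioc or name.endswith("." + ioc):
            return ioc
    return None


# Constructed sample DnsEvents-style records (not real telemetry).
SAMPLE_DNS_EVENTS = [
    {"TimeGenerated": "2026-06-27T09:14:02Z", "Computer": "WS-0142", "Name": "cdn.fswi.com."},
    {"TimeGenerated": "2026-06-27T09:15:10Z", "Computer": "WS-0142", "Name": "notfswi.com"},
    {"TimeGenerated": "2026-06-27T09:16:33Z", "Computer": "SRV-DB01", "Name": "HealthyCookingInWesternNY.com"},
    {"TimeGenerated": "2026-06-27T09:17:45Z", "Computer": "WS-0201", "Name": "login.microsoftonline.com"},
]


def hunt(events, indicators=MALICIOUS_DOMAINS):
    """Return matching events newest first, each tagged with the indicator it hit."""
    hits = []
    for ev in events:
        ioc = matches_indicator(ev["Name"], indicators)
        if ioc:
            hits.append({**ev, "Indicator": ioc})
    return sorted(hits, key=lambda e: e["TimeGenerated"], reverse=True)


if __name__ == "__main__":
    for h in hunt(SAMPLE_DNS_EVENTS):
        print(h["TimeGenerated"], h["Computer"], h["Name"], "->", h["Indicator"])
```

Note that KQL `has_any` would also match a name such as `fswi.com.example.net`, where the indicator appears as an interior term sequence; the suffix check here is stricter, so compare results against the Sentinel query when tuning.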
- Scenario: Legitimate scheduled job using IClickFix for system maintenance. Filter/Exclusion: `process.parent_process_name != "IClickFix" or process.parent_process_name contains "Task Scheduler"`
- Scenario: Admin using IClickFix to manage user permissions. Filter/Exclusion: `process.user_name contains "admin" or process.user_name contains "domain_admin"`
- Scenario: IClickFix used in a DevOps pipeline for configuration management. Filter/Exclusion: `process.command_line contains "CI/CD" or process.command_line contains "Jenkins"`
- Scenario: IClickFix being used as part of a legitimate endpoint security toolset. Filter/Exclusion: `process.parent_process_name contains "endpoint_security" or process.parent_process_name contains "CrowdStrike"`
- Scenario: IClickFix invoked by a legitimate system update or patching tool. Filter/Exclusion: `process.parent_process_name contains "Windows Update" or process.parent_process_name contains "WSUS"`