
Commit 22a68a5

committed
feat: add ClickFix TTP (Verbose) as separate rule, restore original Clickfix TTP detected
1 parent b840584 commit 22a68a5

1 file changed

Lines changed: 5 additions & 0 deletions


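--- a/s1_powerquery_hunting.json
+++ b/s1_powerquery_hunting.json
@@ -7,6 +7,11 @@
 {
 "category": "Execution & TTPs",
 "name": "Clickfix TTP detected",
+"query": "((src.process.name contains:anycase (\"powershell.exe\", \"cmd.exe\") and tgt.process.cmdline contains:anycase (\"mshta\",\"-w 1\",\"-w h\",\"/c curl \",\"iex \",\"iwr \",\"msiexec \") and tgt.process.cmdline contains:anycase \"http\") OR (src.process.parent.name = \"explorer.exe\" and src.process.cmdline contains:anycase (\"mshta\",\"-w 1\",\"-w h\",\"/c curl \",\"iex \",\"iwr \",\"msiexec \",\"irm \") and src.process.cmdline contains:anycase \"http\") OR src.process.cmdline contains:anycase (\"iex(irm\", \"iex(iwr\",\"|iex\", \"| iex\", \").Content\", \"[ScriptBlock]::Create\", \"gal i?x\", \"gal i*x\", \"gcm i?x\", \"gcm i*x\") OR (src.process.cmdline contains:anycase \"UTF8.GetString\" AND src.process.cmdline contains:anycase (\"New-Object byte[\", \"[byte]('0x\"))) NOT (tgt.process.cmdline contains (\"chocolatey.org\",\"astral.sh/uv/install.ps1 \") OR src.process.cmdline contains (\"chocolatey.org\",\"astral.sh/uv/install.ps1 \"))\n| group _FirstSeenMs=min(event.time), _LastSeenMs=max(event.time), Count=count(), UniqueSrcCmdlines=array_agg_distinct(src.process.cmdline), UniqueTgtCmdlines=array_agg_distinct(tgt.process.cmdline) by endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.verified, event.dns.request\n| let _firstSeenNs = _FirstSeenMs * 1000000\n| let _lastSeenNs = _LastSeenMs * 1000000\n| let AllSrcCmdlines = UniqueSrcCmdlines.to_string(', '), AllTgtCmdlines = UniqueTgtCmdlines.to_string(', ')\n| columns \"first.timestamp\" = _firstSeenNs, \"last.timestamp\" = _lastSeenNs, endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.verified, AllSrcCmdlines, AllTgtCmdlines, event.dns.request, Count\n| sort -Count\n| limit 100000"
+},
+{
+"category": "Execution & TTPs",
+"name": "ClickFix TTP (Verbose)",
 "query": "((src.process.name contains:anycase (\"powershell.exe\", \"pwsh.exe\", \"cmd.exe\") and tgt.process.cmdline contains:anycase (\"mshta\",\"-w 1\",\"-w h\",\"-w hidden\",\"-windowstyle h\",\"-nop \",\"-noprofile\",\"-ep bypass\",\"-executionpolicy bypass\",\"-exec bypass\",\"-enc \",\"-encodedcommand\",\"/c curl \",\"curl.exe \",\"curl -o\",\"iex \",\"iwr \",\"irm \",\"msiexec \",\"bitsadmin /transfer\",\"bitsadmin /create\",\"Start-BitsTransfer\",\"certutil -urlcache\",\"certutil -decode\",\"certutil.exe -urlcache\",\"certutil.exe -decode\",\"regsvr32 /s\",\"scrobj.dll\",\"SyncAppvPublishingServer\",\"Microsoft.XMLHTTP\",\"MSXML2.XMLHTTP\",\"WinHttp.WinHttpRequest\",\"Net.WebClient\",\"DownloadString\",\"DownloadFile\",\"Invoke-RestMethod\",\"Invoke-WebRequest\",\"FromBase64String\",\"net use \",\"conhost --headless\",\"conhost.exe --headless\",\"wmic product call\",\"hta:\") and tgt.process.cmdline contains:anycase \"http\") OR (src.process.parent.name = \"explorer.exe\" and src.process.cmdline contains:anycase (\"mshta\",\"-w 1\",\"-w h\",\"-w hidden\",\"-windowstyle h\",\"-nop \",\"-noprofile\",\"-ep bypass\",\"-executionpolicy bypass\",\"-exec bypass\",\"-enc \",\"-encodedcommand\",\"/c curl \",\"curl.exe \",\"curl -o\",\"iex \",\"iwr \",\"irm \",\"msiexec \",\"bitsadmin /transfer\",\"bitsadmin /create\",\"Start-BitsTransfer\",\"certutil -urlcache\",\"certutil -decode\",\"certutil.exe -urlcache\",\"certutil.exe -decode\",\"regsvr32 /s\",\"scrobj.dll\",\"SyncAppvPublishingServer\",\"Microsoft.XMLHTTP\",\"MSXML2.XMLHTTP\",\"WinHttp.WinHttpRequest\",\"Net.WebClient\",\"DownloadString\",\"DownloadFile\",\"Invoke-RestMethod\",\"Invoke-WebRequest\",\"FromBase64String\",\"net use \",\"conhost --headless\",\"conhost.exe --headless\",\"wmic product call\",\"hta:\") and src.process.cmdline contains:anycase \"http\") OR (src.process.parent.name contains:anycase (\"chrome.exe\",\"msedge.exe\",\"firefox.exe\",\"brave.exe\",\"opera.exe\",\"arc.exe\",\"vivaldi.exe\") and src.process.name contains:anycase (\"powershell.exe\",\"pwsh.exe\",\"cmd.exe\",\"mshta.exe\",\"bitsadmin.exe\",\"certutil.exe\",\"regsvr32.exe\",\"rundll32.exe\",\"wscript.exe\",\"cscript.exe\",\"conhost.exe\",\"finger.exe\") and src.process.cmdline contains:anycase (\"#\",\"iex \",\"irm \",\"iwr \",\"mshta\",\"msiexec\",\"rundll32\",\"bitsadmin\",\"certutil\",\"hta:\",\"-w h\",\"-w hidden\",\"-w 1\",\"-windowstyle h\",\"-nop \",\"-ep bypass\",\"-executionpolicy bypass\",\"-exec bypass\",\"-enc \",\"-encodedcommand\",\"DownloadString\",\"FromBase64String\",\"Invoke-RestMethod\",\"Invoke-WebRequest\",\"Start-BitsTransfer\",\"Microsoft.XMLHTTP\",\"WinHttp.WinHttpRequest\",\"Net.WebClient\",\"conhost --headless\",\"net use \",\"SyncAppvPublishingServer\")) OR src.process.cmdline contains:anycase (\"iex(irm\", \"iex(iwr\",\"|iex\", \"| iex\", \").Content\", \"[ScriptBlock]::Create\", \"gal i?x\", \"gal i*x\", \"gcm i?x\", \"gcm i*x\",\"(Get-Clipboard)|iex\",\"(Get-Clipboard) | iex\",\"Get-Clipboard | iex\",\"SyncAppvPublishingServer\") OR (src.process.cmdline contains:anycase \"UTF8.GetString\" AND src.process.cmdline contains:anycase (\"New-Object byte[\", \"[byte]('0x\")) OR (src.process.name contains:anycase \"rundll32.exe\" AND src.process.cmdline contains:anycase ('@80\\\\','@443\\\\','@8080\\\\','@8443\\\\')) OR (src.process.name contains:anycase \"finger.exe\" AND src.process.parent.name contains:anycase (\"explorer.exe\",\"cmd.exe\",\"powershell.exe\",\"pwsh.exe\") AND src.process.cmdline contains:anycase \"@\") OR (src.process.name contains:anycase \"nslookup.exe\" AND src.process.parent.name contains:anycase (\"explorer.exe\",\"cmd.exe\",\"powershell.exe\",\"pwsh.exe\") AND src.process.cmdline contains:anycase (\"-q=txt\",\"-type=txt\",\"-qtype=txt\",\"-querytype=txt\")) OR (src.process.name contains:anycase \"wmic.exe\" AND src.process.cmdline contains:anycase \"product call install\" AND src.process.cmdline contains:anycase \"http\")) NOT (tgt.process.cmdline contains (\"chocolatey.org\",\"astral.sh/uv/install.ps1 \",\"get.scoop.sh\",\"win.rustup.rs\",\"install.python-poetry.org\") OR src.process.cmdline contains (\"chocolatey.org\",\"astral.sh/uv/install.ps1 \",\"get.scoop.sh\",\"win.rustup.rs\",\"install.python-poetry.org\"))\n| group _FirstSeenMs=min(event.time), _LastSeenMs=max(event.time), Count=count(), UniqueSrcCmdlines=array_agg_distinct(src.process.cmdline), UniqueTgtCmdlines=array_agg_distinct(tgt.process.cmdline) by endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.verified, event.dns.request\n| let _firstSeenNs = _FirstSeenMs * 1000000\n| let _lastSeenNs = _LastSeenMs * 1000000\n| let AllSrcCmdlines = UniqueSrcCmdlines.to_string(', '), AllTgtCmdlines = UniqueTgtCmdlines.to_string(', ')\n| columns \"first.timestamp\" = _firstSeenNs, \"last.timestamp\" = _lastSeenNs, endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.verified, AllSrcCmdlines, AllTgtCmdlines, event.dns.request, Count\n| sort -Count\n| limit 100000"
 },
 {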
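Review bot: The two parallel branches of the restored query on added line 10 use different indicator lists — the `src.process.cmdline` branch (parent `explorer.exe`) includes `\"irm \"`, while the `tgt.process.cmdline` branch (parent powershell.exe/cmd.exe) stops at `\"msiexec \"`, so an Invoke-RestMethod download launched as a child command is only caught there if it also matches one of the later `iex(irm`/`| iex` forms. The verbose rule below already lists `\"irm \"` in both branches, so unless the narrower coverage is intended for the low-noise rule, adding `\"irm \"` to the first list keeps the two branches of this rule consistent with each other. The `NOT` exclusion on the same line uses plain `contains` while every positive term uses `contains:anycase`; that asymmetry is presumably deliberate (an allow-list should not be loosened), but a short comment-equivalent such as a `"description"` field, if the hunting-rule schema supports one, explaining that the `(Verbose)` sibling is the wide-net variant and this one is the tuned variant would help whoever tunes them next. Minor style point: the two rule names are spelled `Clickfix` and `ClickFix`; picking one casing makes the pair easier to find in the console.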
