fix: add ClickFix alias evasion detection and rework Storyline ID helper aggregation

LasCC · LasCC · commit f6b07cdaa259 · 2026-03-27T16:00:05.000-04:00
diff --git a/s1_powerquery_hunting.json b/s1_powerquery_hunting.json
@@ -7,7 +7,7 @@
     {
         "category": "Execution & TTPs",
         "name": "Clickfix TTP detected",
-        "query": "((src.process.name contains:anycase (\"powershell.exe\", \"cmd.exe\") and tgt.process.cmdline contains:anycase (\"mshta\",\"-w 1\",\"-w h\",\"/c curl \",\"iex \",\"iwr \",\"msiexec \") and tgt.process.cmdline contains:anycase \"http\") OR (src.process.parent.name = \"explorer.exe\" and src.process.cmdline contains:anycase (\"mshta\",\"-w 1\",\"-w h\",\"/c curl \",\"iex \",\"iwr \",\"msiexec \",\"irm \") and src.process.cmdline contains:anycase \"http\") OR src.process.cmdline contains:anycase (\"iex(irm\", \"iex(iwr\",\"|iex\", \"| iex\", \").Content\", \"[ScriptBlock]::Create\")) NOT (tgt.process.cmdline contains (\"chocolatey.org\",\"astral.sh/uv/install.ps1 \") OR src.process.cmdline contains (\"chocolatey.org\",\"astral.sh/uv/install.ps1 \"))\n| group _FirstSeenMs=min(event.time), _LastSeenMs=max(event.time), Count=count(), UniqueSrcCmdlines=array_agg_distinct(src.process.cmdline), UniqueTgtCmdlines=array_agg_distinct(tgt.process.cmdline) by endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.verified, event.dns.request\n| let _firstSeenNs = _FirstSeenMs * 1000000\n| let _lastSeenNs = _LastSeenMs * 1000000\n| let AllSrcCmdlines = UniqueSrcCmdlines.to_string(', '), AllTgtCmdlines = UniqueTgtCmdlines.to_string(', ')\n| columns  \"first.timestamp\" = _firstSeenNs, \"last.timestamp\" = _lastSeenNs, endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.verified, AllSrcCmdlines, AllTgtCmdlines, event.dns.request, Count\n| sort -Count\n| limit 100000"
+        "query": "((src.process.name contains:anycase (\"powershell.exe\", \"cmd.exe\") and tgt.process.cmdline contains:anycase (\"mshta\",\"-w 1\",\"-w h\",\"/c curl \",\"iex \",\"iwr \",\"msiexec \") and tgt.process.cmdline contains:anycase \"http\") OR (src.process.parent.name = \"explorer.exe\" and src.process.cmdline contains:anycase (\"mshta\",\"-w 1\",\"-w h\",\"/c curl \",\"iex \",\"iwr \",\"msiexec \",\"irm \") and src.process.cmdline contains:anycase \"http\") OR src.process.cmdline contains:anycase (\"iex(irm\", \"iex(iwr\",\"|iex\", \"| iex\", \").Content\", \"[ScriptBlock]::Create\", \"gal i?x\", \"gal i*x\", \"gcm i?x\", \"gcm i*x\") OR (src.process.cmdline contains:anycase \"UTF8.GetString\" AND src.process.cmdline contains:anycase (\"New-Object byte[\", \"[byte]('0x\"))) NOT (tgt.process.cmdline contains (\"chocolatey.org\",\"astral.sh/uv/install.ps1 \") OR src.process.cmdline contains (\"chocolatey.org\",\"astral.sh/uv/install.ps1 \"))\n| group _FirstSeenMs=min(event.time), _LastSeenMs=max(event.time), Count=count(), UniqueSrcCmdlines=array_agg_distinct(src.process.cmdline), UniqueTgtCmdlines=array_agg_distinct(tgt.process.cmdline) by endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.verified, event.dns.request\n| let _firstSeenNs = _FirstSeenMs * 1000000\n| let _lastSeenNs = _LastSeenMs * 1000000\n| let AllSrcCmdlines = UniqueSrcCmdlines.to_string(', '), AllTgtCmdlines = UniqueTgtCmdlines.to_string(', ')\n| columns  \"first.timestamp\" = _firstSeenNs, \"last.timestamp\" = _lastSeenNs, endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.verified, AllSrcCmdlines, AllTgtCmdlines, event.dns.request, Count\n| sort -Count\n| limit 100000"
     },
     {
         "category": "Credential Access",
@@ -372,7 +372,7 @@
     {
         "category": "Helper & Utilities",
         "name": "HELPER - Storyline ID Hunting",
-        "query": "#storylineid contains \"STORYLINE_ID_HERE\" \n| group _FirstSeenMs=min(event.time), _LastSeenMs=max(event.time), Count=count() by event.type, src.process.storyline.id, src.process.pid, src.process.parent.name, src.process.name, src.process.verified, src.process.cmdline, tgt.file.path, tgt.process.name, tgt.process.cmdline, cmdScript.content, event.dns.request, dst.ip.address, dst.port.number\n| let _firstSeenNs = _FirstSeenMs * 1000000\n| let _lastSeenNs = _LastSeenMs * 1000000\n| columns  \"first.timestamp\" = _firstSeenNs, \"last.timestamp\" = _lastSeenNs, event.type, src.process.storyline.id, src.process.pid, src.process.parent.name, src.process.name, src.process.verified, src.process.cmdline, tgt.file.path, tgt.process.name, tgt.process.cmdline, cmdScript.content, event.dns.request, dst.ip.address, dst.port.number, Count\n| sort -Count\n| limit 100000"
+        "query": "#storylineid contains \"STORYLINE_ID_HERE\" \n| group _FirstSeenMs=min(event.time), _LastSeenMs=max(event.time), Count=count(), UniqueSrcCmdlines=array_agg_distinct(src.process.cmdline), UniqueTgtCmdlines=array_agg_distinct(tgt.process.cmdline), UniqueTgtFiles=array_agg_distinct(tgt.file.path), UniqueScripts=array_agg_distinct(cmdScript.content) by event.type, src.process.storyline.id, src.process.pid, src.process.parent.name, src.process.name, src.process.verified, tgt.process.name, event.dns.request, dst.ip.address, dst.port.number\n| let _firstSeenNs = _FirstSeenMs * 1000000\n| let _lastSeenNs = _LastSeenMs * 1000000\n| let AllSrcCmdlines = UniqueSrcCmdlines.to_string(', '), AllTgtCmdlines = UniqueTgtCmdlines.to_string(', '), AllTgtFiles = UniqueTgtFiles.to_string(', '), AllScripts = UniqueScripts.to_string(', ')\n| columns  \"first.timestamp\" = _firstSeenNs, \"last.timestamp\" = _lastSeenNs, event.type, src.process.storyline.id, src.process.pid, src.process.parent.name, src.process.name, src.process.verified, AllSrcCmdlines, tgt.process.name, AllTgtCmdlines, AllTgtFiles, AllScripts, event.dns.request, dst.ip.address, dst.port.number, Count\n| sort -Count\n| limit 100000"
     },
     {
         "category": "Helper & Utilities",

Original file line number	Diff line number	Diff line change
`@@ -7,7 +7,7 @@`
`7`	`7`	`{`
`8`	`8`	`"category": "Execution & TTPs",`
`9`	`9`	`"name": "Clickfix TTP detected",`
`10`		- "query": "((src.process.name contains:anycase (\"powershell.exe\", \"cmd.exe\") and tgt.process.cmdline contains:anycase (\"mshta\",\"-w 1\",\"-w h\",\"/c curl \",\"iex \",\"iwr \",\"msiexec \") and tgt.process.cmdline contains:anycase \"http\") OR (src.process.parent.name = \"explorer.exe\" and src.process.cmdline contains:anycase (\"mshta\",\"-w 1\",\"-w h\",\"/c curl \",\"iex \",\"iwr \",\"msiexec \",\"irm \") and src.process.cmdline contains:anycase \"http\") OR src.process.cmdline contains:anycase (\"iex(irm\", \"iex(iwr\",\"\|iex\", \"\| iex\", \").Content\", \"[ScriptBlock]::Create\")) NOT (tgt.process.cmdline contains (\"chocolatey.org\",\"astral.sh/uv/install.ps1 \") OR src.process.cmdline contains (\"chocolatey.org\",\"astral.sh/uv/install.ps1 \"))\n\| group _FirstSeenMs=min(event.time), _LastSeenMs=max(event.time), Count=count(), UniqueSrcCmdlines=array_agg_distinct(src.process.cmdline), UniqueTgtCmdlines=array_agg_distinct(tgt.process.cmdline) by endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.verified, event.dns.request\n\| let _firstSeenNs = _FirstSeenMs * 1000000\n\| let _lastSeenNs = _LastSeenMs * 1000000\n\| let AllSrcCmdlines = UniqueSrcCmdlines.to_string(', '), AllTgtCmdlines = UniqueTgtCmdlines.to_string(', ')\n\| columns \"first.timestamp\" = _firstSeenNs, \"last.timestamp\" = _lastSeenNs, endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.verified, AllSrcCmdlines, AllTgtCmdlines, event.dns.request, Count\n\| sort -Count\n\| limit 100000"
	`10`	+ "query": "((src.process.name contains:anycase (\"powershell.exe\", \"cmd.exe\") and tgt.process.cmdline contains:anycase (\"mshta\",\"-w 1\",\"-w h\",\"/c curl \",\"iex \",\"iwr \",\"msiexec \") and tgt.process.cmdline contains:anycase \"http\") OR (src.process.parent.name = \"explorer.exe\" and src.process.cmdline contains:anycase (\"mshta\",\"-w 1\",\"-w h\",\"/c curl \",\"iex \",\"iwr \",\"msiexec \",\"irm \") and src.process.cmdline contains:anycase \"http\") OR src.process.cmdline contains:anycase (\"iex(irm\", \"iex(iwr\",\"\|iex\", \"\| iex\", \").Content\", \"[ScriptBlock]::Create\", \"gal i?x\", \"gal ix\", \"gcm i?x\", \"gcm ix\") OR (src.process.cmdline contains:anycase \"UTF8.GetString\" AND src.process.cmdline contains:anycase (\"New-Object byte[\", \"[byte]('0x\"))) NOT (tgt.process.cmdline contains (\"chocolatey.org\",\"astral.sh/uv/install.ps1 \") OR src.process.cmdline contains (\"chocolatey.org\",\"astral.sh/uv/install.ps1 \"))\n\| group _FirstSeenMs=min(event.time), _LastSeenMs=max(event.time), Count=count(), UniqueSrcCmdlines=array_agg_distinct(src.process.cmdline), UniqueTgtCmdlines=array_agg_distinct(tgt.process.cmdline) by endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.verified, event.dns.request\n\| let _firstSeenNs = _FirstSeenMs * 1000000\n\| let _lastSeenNs = _LastSeenMs * 1000000\n\| let AllSrcCmdlines = UniqueSrcCmdlines.to_string(', '), AllTgtCmdlines = UniqueTgtCmdlines.to_string(', ')\n\| columns \"first.timestamp\" = _firstSeenNs, \"last.timestamp\" = _lastSeenNs, endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.verified, AllSrcCmdlines, AllTgtCmdlines, event.dns.request, Count\n\| sort -Count\n\| limit 100000"
`11`	`11`	`},`
`12`	`12`	`{`
`13`	`13`	`"category": "Credential Access",`
`@@ -372,7 +372,7 @@`
`372`	`372`	`{`
`373`	`373`	`"category": "Helper & Utilities",`
`374`	`374`	`"name": "HELPER - Storyline ID Hunting",`
`375`		- "query": "#storylineid contains \"STORYLINE_ID_HERE\" \n\| group _FirstSeenMs=min(event.time), _LastSeenMs=max(event.time), Count=count() by event.type, src.process.storyline.id, src.process.pid, src.process.parent.name, src.process.name, src.process.verified, src.process.cmdline, tgt.file.path, tgt.process.name, tgt.process.cmdline, cmdScript.content, event.dns.request, dst.ip.address, dst.port.number\n\| let _firstSeenNs = _FirstSeenMs * 1000000\n\| let _lastSeenNs = _LastSeenMs * 1000000\n\| columns \"first.timestamp\" = _firstSeenNs, \"last.timestamp\" = _lastSeenNs, event.type, src.process.storyline.id, src.process.pid, src.process.parent.name, src.process.name, src.process.verified, src.process.cmdline, tgt.file.path, tgt.process.name, tgt.process.cmdline, cmdScript.content, event.dns.request, dst.ip.address, dst.port.number, Count\n\| sort -Count\n\| limit 100000"
	`375`	+ "query": "#storylineid contains \"STORYLINE_ID_HERE\" \n\| group _FirstSeenMs=min(event.time), _LastSeenMs=max(event.time), Count=count(), UniqueSrcCmdlines=array_agg_distinct(src.process.cmdline), UniqueTgtCmdlines=array_agg_distinct(tgt.process.cmdline), UniqueTgtFiles=array_agg_distinct(tgt.file.path), UniqueScripts=array_agg_distinct(cmdScript.content) by event.type, src.process.storyline.id, src.process.pid, src.process.parent.name, src.process.name, src.process.verified, tgt.process.name, event.dns.request, dst.ip.address, dst.port.number\n\| let _firstSeenNs = _FirstSeenMs * 1000000\n\| let _lastSeenNs = _LastSeenMs * 1000000\n\| let AllSrcCmdlines = UniqueSrcCmdlines.to_string(', '), AllTgtCmdlines = UniqueTgtCmdlines.to_string(', '), AllTgtFiles = UniqueTgtFiles.to_string(', '), AllScripts = UniqueScripts.to_string(', ')\n\| columns \"first.timestamp\" = _firstSeenNs, \"last.timestamp\" = _lastSeenNs, event.type, src.process.storyline.id, src.process.pid, src.process.parent.name, src.process.name, src.process.verified, AllSrcCmdlines, tgt.process.name, AllTgtCmdlines, AllTgtFiles, AllScripts, event.dns.request, dst.ip.address, dst.port.number, Count\n\| sort -Count\n\| limit 100000"
`376`	`376`	`},`
`377`	`377`	`{`
`378`	`378`	`"category": "Helper & Utilities",`