securityaura.bsky.social
@securityaura.bsky.social
GCIH, GCFE | DFIR, Threat Hunting, Detection Engineering | @CuratedIntel DFIR Member

SecurityAura.com
http://infosec.exchange/@SecurityAura
#100DaysOfKQL

Day 40 - ClickFix - PowerShell Command Launched via Windows Run Box

A campaign/social engineering specific query for ClickFix using our knowledge of Windows Registry forensics!

Ah, Defender also picks it up anyway!😂

github.com/SecurityAura...
February 10, 2025 at 1:20 AM
Confirmed with NetExec 1.3.0 and Impacket 0.12.0.dev1 that the new path is indeed:

C:\Windows\Temp\[a-zA-Z0-9]{8}.tmp

Good news? Detected by Microsoft Defender by default:

And another detection: Behavior:Win32/RegDump.SA.
January 21, 2025 at 3:07 AM