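--- a/DefenderXDR/7-Zip Arbritrary File Write to Sensitive Location.kql
+++ b/DefenderXDR/7-Zip Arbritrary File Write to Sensitive Location.kql
@@ -0,0 +1,14 @@
+// contact@ccaves.net for questions or contact
+// 7-Zip Arbritrary File Write to Sensitive Location
+
+DeviceFileEvents
+| where InitiatingProcessFileName has_any (@"7z.exe", @"7zG.exe", @"7zFM.exe")
+| where FileName endswith ".exe"
+or FileName endswith ".dll"
+or FileName endswith ".bat"
+or FileName endswith ".cmd"
+or FileName endswith ".ps1"
+or FileName endswith ".vbs"
+or FileName endswith ".iso"
+| where FolderPath has_any (@"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\", @"\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\", @"\Windows\System32\", @"\Windows\SysWOW64\", @"\Windows\Tasks\", @"\Windows\Temp\")
+| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, FolderPath, FileName, InitiatingProcessCommandLine, DeviceId, ReportId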
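Review bot: The query has no `ActionType` filter, so a 7-Zip process deleting an existing script or binary from System32 or a Startup folder fires exactly like the write the title describes; a guard after the `DeviceFileEvents` line such as `| where ActionType in ("FileCreated", "FileModified", "FileRenamed")` keeps the rule on writes. The `has_any` on `InitiatingProcessFileName` is term-based matching against a column that holds a bare file name; `| where InitiatingProcessFileName in~ ("7z.exe", "7zG.exe", "7zFM.exe")` is exact and cheaper. "Arbritrary" in the header comment and in the file name is a typo for "Arbitrary", worth fixing before other rules start referencing the name.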
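--- a/DefenderXDR/7-Zip Spawning Suspicious Child Process.kql
+++ b/DefenderXDR/7-Zip Spawning Suspicious Child Process.kql
@@ -0,0 +1,8 @@
+// contact@ccaves.net for questions or contact
+//7-Zip Spawning Suspicious Child Process
+
+DeviceProcessEvents
+| where InitiatingProcessCommandLine has_any (@"\7z.exe", @"\7zG.exe", @"\7zFM.exe")
+or InitiatingProcessParentFileName has_any (@"\7z.exe", @"\7zG.exe", @"\7zFM.exe")
+| where FileName has_any ("cmd.exe", "powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe", "rundll32.exe", "regsvr32.exe", "bash.exe")
+| project Timestamp, DeviceName, InitiatingProcessAccountName, FileName, ProcessCommandLine, InitiatingProcessCommandLine, InitiatingProcessParentFileName, DeviceId, ReportId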
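Review bot: The parent match keys on `InitiatingProcessCommandLine`, so whether a child of 7-Zip is caught depends on how the archiver happened to be invoked and on its command line containing a backslash before the image name, while the sibling file-write query in this commit matches `InitiatingProcessFileName` directly; `| where InitiatingProcessFileName in~ ("7z.exe", "7zG.exe", "7zFM.exe")` followed by `or InitiatingProcessParentFileName in~ ("7z.exe", "7zG.exe", "7zFM.exe")` is exact and consistent across the two rules. `InitiatingProcessParentFileName` holds a bare file name, so the leading backslash in the `@"\7z.exe"` terms on the second `or` line presumably only works because term matching discards it — verify rather than rely on it. Keeping the parent-and-grandparent `or` is reasonable, since it also covers a shell launched by the archiver that in turn starts the interpreter.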
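--- a/DefenderXDR/ClickFix Defense Evasion
+++ b/DefenderXDR/ClickFix Defense Evasion
@@ -0,0 +1,6 @@
+//ClickFix Defense Evasion Checking for the use of 'SetClipboard -value " "'
+
+DeviceProcessEvents
+| Where ProcessCommandLine has_all ("set-clipboard", "-value")
+| where ProcessCommandLine has_any ('" "', "' '")
+| project AccountName, ProccessCommandLine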
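Review bot: `| Where` on the first filter line is capitalised, and KQL operators are case-sensitive, so this query does not parse; the `project` line then names `ProccessCommandLine`, which is not a DeviceProcessEvents column (`ProcessCommandLine` is), so it would fail again once the first error is fixed. Corrected lines: `| where ProcessCommandLine has_all ("set-clipboard", "-value")` and `| project Timestamp, DeviceName, AccountName, ProcessCommandLine, DeviceId, ReportId` — the latter also adds the `Timestamp`, `DeviceId` and `ReportId` columns a Defender custom detection rule requires and that the sibling queries in this commit already project. Whether `has_any ('" "', "' '")` can match a quoted space is doubtful, since `has` works on indexed terms and those strings contain none; `contains` is the safer operator and the pattern should be tested against a known sample. The file also lacks the `.kql` extension its siblings carry.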
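--- a/DefenderXDR/ClickFix Defense Evasion (DeviceEvents))
+++ b/DefenderXDR/ClickFix Defense Evasion (DeviceEvents))
@@ -0,0 +1,8 @@
+// An alternate and slightly more succesful way of catching even obfuscated clipboard clearing. This technique is used for defense evasion with clickfix attacks.
+// This detection can be ran in Defender NRT for quick response.
+
+DeviceEvents
+| extend Command = tolower(parse_json(AdditionalFields)["Command"])
+| where Command has_all ("set-clipboard", "-value")
+| where Command has_any ("' '", '" "')
+| project Timestamp, InitiatingProcessAccountName, parse_json(AdditionalFields)["Command"], DeviceId, ReportId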
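Review bot: The `project` line re-evaluates `parse_json(AdditionalFields)["Command"]` as an unnamed expression, which gives the output an auto-generated column name and a second JSON parse, when the `extend` line already exposes `Command` (lower-cased); `| extend Command = tolower(tostring(parse_json(AdditionalFields)["Command"]))` plus `| project Timestamp, DeviceName, InitiatingProcessAccountName, Command, DeviceId, ReportId` gives the analyst a stable column and wraps the `dynamic` value in `tostring()` instead of relying on implicit conversion inside `tolower()`. The query also parses `AdditionalFields` for every DeviceEvents row; an `ActionType` filter placed before the `extend` (presumably `ActionType == "PowerShellCommand"`, the event type that carries a `Command` field — confirm against your tenant's data) would cut the scan considerably. As in the DeviceProcessEvents sibling, `has_any` on a quoted space is doubtful because those strings contain no indexable term, so `contains` should be tested instead. The new file name ends in a doubled `))` and, like its sibling, lacks the `.kql` extension.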