Click Fix Social Engineering Attack Detection
Query
// ClickFix social engineering attack detection
// https://www.proofpoint.com/us/blog/threat-insight/security-brief-clickfix-social-engineering-technique-floods-threat-landscape
// Threat actors are increasingly using 'ClickFix' social engineering attacks to deploy malware. Proofpoint's latest analysis reveals multiple campaigns since March 2024, targeting popular software like Microsoft Word and Google Chrome. Malware such as AsyncRAT, Danabot, DarkGate, Lumma Stealer, and NetSupport have been identified.
DeviceEvents
| where (ActionType == "GetClipboardData" and InitiatingProcessFileName has "powershell.exe") or
(InitiatingProcessCommandLine has "powershell" and InitiatingProcessCommandLine has "-enc")Explanation
This KQL (Kusto Query Language) query is designed to detect potential "ClickFix" social engineering attacks, which are used by threat actors to deploy malware. The query focuses on identifying suspicious activities related to the use of PowerShell, a common tool used in such attacks. Specifically, it looks for:
- Events where clipboard data is accessed (
GetClipboardData) by a process initiated by "powershell.exe". - Instances where a command line includes "powershell" and uses the "-enc" (encoded command) parameter, which is often used to obfuscate malicious scripts.
The query is part of a broader effort to identify and mitigate threats involving malware like AsyncRAT, Danabot, DarkGate, Lumma Stealer, and NetSupport, which have been associated with these types of attacks.
Details

Steven Lim
Released: November 20, 2024
Tables
DeviceEvents
Keywords
DeviceEvents
Operators
DeviceEvents|where==andhasor