Puneet Jena

Hunting TTPs for the EVALUSION ClickFix Campaign Delivering Amatera Stealer & NetSupport RAT

While investigating potential exposure to the recently reported EVALUSION ClickFix campaign, which abuses user-interaction-driven execution via the Win + R Run dialog, I focused on identifying suspicious execution patterns aligned with delivery behavior observed in the campaign. This campaign ultimately deploys Amatera Stealer and NetSupport RAT through a .NET-based downloader delivered from public file-sharing platforms.

Kql #1 – Detect suspicious user-initiated execution via the Run dialog (Win + R), where the command the victim pastes is recorded under the RunMRU registry key and launches a payload through PowerShell or MSHTA, a core TTP observed in the ClickFix EVALUSION campaign. The query correlates the RunMRU write with a PowerShell/MSHTA process start on the same device and account within 5 seconds.

DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
| where RegistryKey endswith @"\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
    and RegistryValueName !~ "MRUList" // the MRUList value only stores entry ordering, not a command
    and (RegistryValueData has "powershell" or RegistryValueData has "mshta")
    and (RegistryValueData contains "http" or RegistryValueData contains "base64" or RegistryValueData matches regex @"(?i)\s-e[nc]{0,3}\s")
| project Process_Creation=Timestamp, DeviceName, InitiatingProcessAccountName, RegistryValueData
| join kind=inner (
    DeviceProcessEvents
    | where FileName in~ ("mshta.exe", "powershell.exe")
    | project ProcessCreated=Timestamp, DeviceName, InitiatingProcessAccountName, FileName, ProcessCommandLine
) on DeviceName, InitiatingProcessAccountName
| where ProcessCreated between ((Process_Creation - 5s) .. (Process_Creation + 5s)) // process start within 5 seconds of the RunMRU write

//| project Process_Creation, ProcessCreated, DeviceName, InitiatingProcessAccountName, FileName ,ProcessCommandLine
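The same two-sided correlation re-implemented in Python over constructed events, so the join logic (RunMRU write joined to an mshta/powershell start within 5 seconds on the same device and account, MRUList excluded) can be exercised offline before it goes into Advanced Hunting. This is an added example, not the author's query; ws01, alice and ENCODEDPAYLOAD are constructed placeholders and the field names mirror the Defender schema used above.

```python
import re
from datetime import datetime, timedelta

# Offline re-implementation of the Kql #1 correlation: a suspicious RunMRU write is joined
# to an mshta/powershell process start on the same device and account within +/-5 seconds.
# Field names follow the Defender schema; all events below are constructed sample data.
RUNMRU_SUFFIX = r"\software\microsoft\windows\currentversion\explorer\runmru"
ENCODED_FLAG = re.compile(r"\s-e[nc]{0,3}\s", re.I)  # same regex as the KQL query

def suspicious_runmru_write(ev):
    """Registry side of the query; MRUList is skipped because it only stores entry ordering."""
    data = ev["RegistryValueData"].lower()
    return (ev["ActionType"] == "RegistryValueSet"
            and ev["RegistryKey"].lower().endswith(RUNMRU_SUFFIX)
            and ev["RegistryValueName"].lower() != "mrulist"
            and any(tool in data for tool in ("powershell", "mshta"))
            and ("http" in data or "base64" in data or bool(ENCODED_FLAG.search(data))))

def correlate(registry_events, process_events, window=timedelta(seconds=5)):
    """Join on device + account; keep mshta/powershell starts within +/- window of the write."""
    hits = []
    for reg in filter(suspicious_runmru_write, registry_events):
        for proc in process_events:
            if (proc["FileName"].lower() in ("mshta.exe", "powershell.exe")
                    and proc["DeviceName"] == reg["DeviceName"]
                    and proc["InitiatingProcessAccountName"] == reg["InitiatingProcessAccountName"]
                    and abs(proc["Timestamp"] - reg["Timestamp"]) <= window):
                hits.append((reg["RegistryValueData"], proc["ProcessCommandLine"]))
    return hits

# Constructed sample telemetry (RunMRU stores each typed command with a trailing "\1").
T0 = datetime(2025, 1, 1, 12, 0, 0)
KEY = r"HKEY_CURRENT_USER\S-1-5-21-0-0-0-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
def reg_event(name, data, ts=T0):
    return {"Timestamp": ts, "ActionType": "RegistryValueSet", "DeviceName": "ws01",
            "InitiatingProcessAccountName": "alice", "RegistryKey": KEY,
            "RegistryValueName": name, "RegistryValueData": data}
def proc_event(exe, cmd, ts):
    return {"Timestamp": ts, "DeviceName": "ws01", "InitiatingProcessAccountName": "alice",
            "FileName": exe, "ProcessCommandLine": cmd}
REGISTRY_EVENTS = [
    reg_event("a", "powershell -enc ENCODEDPAYLOAD\\1"),  # ENCODEDPAYLOAD is a placeholder token
    reg_event("MRUList", "ab"),                           # ordering value, must not be flagged
    reg_event("b", "notepad.exe\\1"),                     # benign Run dialog entry
]
PROCESS_EVENTS = [
    proc_event("powershell.exe", "powershell -enc ENCODEDPAYLOAD", T0 + timedelta(seconds=2)),
    proc_event("powershell.exe", "powershell Get-Date", T0 + timedelta(minutes=3)),  # outside window
]
```

Only the process start two seconds after the flagged RunMRU write is returned; the MRUList value, the benign entry and the launch three minutes later are all dropped.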

Kql #2 – Suspicious mshta.exe Execution

DeviceProcessEvents
| where FileName =~ "mshta.exe"
| where ProcessCommandLine has_any ("http:", "https:", "://")
| project Timestamp, DeviceName, AccountName, InitiatingProcessAccountName,
FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine

Kql #3 – Detect potentially malicious PowerShell execution

DeviceProcessEvents
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any (
        "-enc", "-encode",
        "Invoke-WebRequest",
        "curl", "DownloadFile",
        "System.Net.HttpWebRequest",
        "New-Object Net.WebClient",
        "http:", "https:", "iwr", "iex"
    )
    or ProcessCommandLine matches regex @"(?i)\s-e[nc]{0,3}\s" // encoded-command switch (-e, -en, -enc, ...)
    or ProcessCommandLine matches regex @"(?i)From.*Base64"    // Base64 payload decoding, e.g. FromBase64String
| project Timestamp, DeviceName, AccountName, InitiatingProcessAccountName,
    FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine

Kql #4 – This detection identifies cases where a file is downloaded from MediaFire—a file-hosting platform frequently abused by threat actors—and correlates it with suspicious PowerShell execution occurring within 10 seconds of the download event.

DeviceFileEvents
| where FileOriginUrl contains "mediafire" or FileOriginReferrerUrl contains "mediafire"
| project T1=Timestamp, DeviceName, FileName, FileOriginUrl, FileOriginReferrerUrl
| join kind=inner (
    DeviceProcessEvents
    | where FileName in~ ("powershell.exe", "pwsh.exe")
    | where ProcessCommandLine has_any (
            "-enc", "-encode",
            "Invoke-WebRequest",
            "curl", "DownloadFile",
            "New-Object Net.WebClient",
            "http:", "https:", "iex", "iwr"
        )
        or ProcessCommandLine matches regex @"(?i)\s-e[nc]{0,3}\s" // encoded-command switch
        or ProcessCommandLine matches regex @"(?i)From.*Base64"    // Base64 payload decoding
    | project T2=Timestamp, DeviceName, ProcessCommandLine,
        InitiatingProcessCommandLine, InitiatingProcessFileName
) on DeviceName
| extend timediff = abs(datetime_diff('second', T1, T2)) // seconds between download and PowerShell start
| where timediff < 10
| project T1, T2, timediff, DeviceName, FileOriginUrl, FileOriginReferrerUrl,
    ProcessCommandLine, InitiatingProcessCommandLine, InitiatingProcessFileName

Validate MediaFire file downloads (the download side of Kql #4 on its own):

DeviceFileEvents
| where FileOriginUrl contains "mediafire"

Kql #5 – MSBuild-spawned PowerShell download activity. This detection identifies scenarios where msbuild.exe, commonly abused as a Living-off-the-Land binary, is leveraged through process injection to spawn powershell.exe for the purpose of downloading the NetSupport RAT payload.

DeviceProcessEvents
| where InitiatingProcessFileName =~ "msbuild.exe"
| where FileName in~ ("powershell.exe","pwsh.exe")
| project Timestamp, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine, InitiatingProcessCommandLine, AccountName
