Notes from SANS Stay Ahead of Ransomware Livestream April 2026 episode :)
- Suggestion: Trim & strip escape characters
- Suggest trimming and stripping escape characters and other DOSfuscation-type characters (quotes, carets, plus signs) so your string-based queries get the most out of the data and don't fall for escape-character pitfalls
- Use trim or ltrim|rtrim depending on your E/XDR
| make_a_new_field_for_me registry_data = replace(registry_data, "\"", "")
| make_a_new_field_for_me registry_data = replace(registry_data, "^", "")
| make_a_new_field_for_me registry_data = replace(registry_data, "'", "")
| make_a_new_field_for_me registry_data = replace(registry_data, "+", "")
- Combine your ClickFix & FileFix hunting by looking not only at the RunMRU key, but also at TypedPaths - FileFix attacks may have users put the command into the Explorer.exe address bar, which may be logged in TypedPaths in the Windows Registry
| filter (lowercase(action_registry_key_name) contains "software\microsoft\windows\currentversion\explorer\runmru"
and lowercase(action_registry_value_name) not in (null,"mrulist"))
or lowercase(action_registry_key_name) contains "software\microsoft\windows\currentversion\explorer\typedpaths"
- Doesn't hit all FileFix options, but adding TypedPaths is an easy win for your current ClickFix hunts
- Focus on the most common processes associated with RunMRU activity:
- Ryan's list:
(%comspec%|bash|bitsadmin|certutil|cmd|conhost|curl|echo|mshta|msiexec|powershell|pwsh|regsvr32|rundll32|wscript)
- For a solid Sigma rule, see https://for528.com/clickfix-sigma
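As an added worked example (not from the livestream or its speakers), the Python below puts the three notes above together: strip the escape/DOSfuscation characters before matching, apply the RunMRU/TypedPaths registry filter with MRUList excluded, then check the normalized data against Ryan's process list. The event field names (key, value_name, data) and the sample records are constructed assumptions, not real telemetry; the regex and key paths are the ones from the notes.

```python
import re

# Escape / DOSfuscation-style characters the notes suggest stripping before
# string matching: double quote, caret, single quote, plus sign.
STRIP_CHARS = set('"^\'+')

# Ryan's list of the processes most commonly seen in RunMRU entries (regex
# copied from the notes). Used with search() and no anchors, as in the notes,
# so "%comspec%" still matches even though "%" is not a word character.
RYAN_PROCESS_RE = re.compile(
    r"(%comspec%|bash|bitsadmin|certutil|cmd|conhost|curl|echo|mshta|msiexec|"
    r"powershell|pwsh|regsvr32|rundll32|wscript)"
)

RUNMRU_KEY = r"software\microsoft\windows\currentversion\explorer\runmru"
TYPEDPATHS_KEY = r"software\microsoft\windows\currentversion\explorer\typedpaths"


def normalize(value: str) -> str:
    """Trim whitespace, drop STRIP_CHARS and lowercase, so that padded
    spellings such as p^o^w^e^r^s^h^e^l^l still hit plain-text queries."""
    cleaned = "".join(ch for ch in value if ch not in STRIP_CHARS)
    return cleaned.strip().lower()


def is_hunt_candidate(key_name: str, value_name) -> bool:
    """Mirror the registry filter from the notes: RunMRU values other than
    MRUList (which only stores ordering), or anything under TypedPaths."""
    key = key_name.lower()
    if RUNMRU_KEY in key:
        # 'not in (null, "mrulist")': value name must exist and not be MRUList
        return value_name is not None and value_name.lower() != "mrulist"
    return TYPEDPATHS_KEY in key


def hunt(events):
    """Return (key tail, value name, matched process, normalized data) for
    each registry-write event that looks like ClickFix (RunMRU) or FileFix
    (TypedPaths) activity."""
    hits = []
    for ev in events:
        if not is_hunt_candidate(ev["key"], ev.get("value_name")):
            continue
        data = normalize(ev["data"])
        match = RYAN_PROCESS_RE.search(data)
        if match:
            key_tail = ev["key"].rsplit("\\", 1)[-1]
            hits.append((key_tail, ev["value_name"], match.group(1), data))
    return hits


# Constructed sample events (assumed field names, not real telemetry).
_HIVE = r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Explorer"
SAMPLE_EVENTS = [
    # ClickFix: Win+R command with caret padding, quotes and RunMRU's "\1" suffix
    {"key": _HIVE + r"\RunMRU", "value_name": "a",
     "data": r'  p^o^w^e^r^s^h^e^l^l -w hidden -c "Write-Host hello"\1  '},
    # RunMRU ordering value, excluded by the filter
    {"key": _HIVE + r"\RunMRU", "value_name": "MRUList", "data": "a"},
    # FileFix: command typed into the Explorer address bar, landed in TypedPaths
    {"key": _HIVE + r"\TypedPaths", "value_name": "url1",
     "data": r"'cmd.exe' /c echo sample # C:\Users\Public\Documents"},
    # Benign TypedPaths entry
    {"key": _HIVE + r"\TypedPaths", "value_name": "url2",
     "data": r"C:\Users\alice\Documents"},
    # Autorun key with a suspicious value: outside this hunt, so ignored here
    {"key": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "Updater", "data": "powershell -nop -c ..."},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

Running it reports two hits, the caret-padded PowerShell command from RunMRU and the cmd.exe line from TypedPaths; the MRUList value, the benign path and the Run key entry are filtered out before the regex is ever consulted, which is the same ordering the query in the notes enforces.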
ClickFix mitigation to disable Win+R:
reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v DisabledHotkeys /t REG_SZ /d R /f