Detectionhighexperimental

Suspicious Explorer Process with Whitespace Padding - ClickFix/FileFix

Detects process creation with suspicious whitespace padding followed by a '#' character, which may indicate ClickFix or FileFix techniques used to conceal malicious commands from visual inspection. ClickFix and FileFix are social engineering attack techniques where adversaries distribute phishing documents or malicious links that deceive users into opening the Windows Run dialog box or File Explorer search bar. The victims are then instructed to paste commands from their clipboard, which contain extensive whitespace padding using various Unicode space characters to push the actual malicious command far to the right, effectively hiding it from immediate view.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Swachchhanda Shrawan Poudel (Nextron Systems)Created Tue Nov 04Updated Wed Nov 263ae9974a-eb09-4044-8e70-8980a50c12c8windows

Log Source

WindowsProcess Creation

ProductWindows← raw: windows

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection_explorer:
        ParentImage|endswith: '\explorer.exe'
        CommandLine|contains: '#'
    selection_space_variation:
        CommandLine|contains:
            - '            ' # En Quad (U+2000)
            - '            ' # Em Quad (U+2001)
            - '            ' # En Space (U+2002)
            - '            ' # Em Space (U+2003)
            - '            ' # Three-Per-Em Space (U+2004)
            - '            ' # Four-Per-Em Space (U+2005)
            - '            ' # Six-Per-Em Space (U+2006)
            - '            ' # Figure Space (U+2007)
            - '            ' # Punctuation Space (U+2008)
            - '            ' # Thin Space (U+2009)
            - '            ' # Hair Space (U+200A)
            - '            ' # No-Break Space (U+00A0)
            - '            ' # Normal space (0x20)
    condition: all of selection_*

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

MITRE ATT&CK

Tactics

TA0002 · Execution TA0005 · Defense Evasion

Sub-techniques

T1027.010 · Command Obfuscation

Other

attack.t1204.004

Related Rules

SimilarDetectionhigh

Suspicious Space Characters in TypedPaths Registry Path - FileFix

Detects the occurrence of numerous space characters in TypedPaths registry paths, which may indicate execution via phishing lures using file-fix techniques to hide malicious commands.

Detects similar activity. Both rules may fire on overlapping events.

SimilarDetectionhigh

Suspicious Space Characters in RunMRU Registry Path - ClickFix

Detects the occurrence of numerous space characters in RunMRU registry paths, which may indicate execution via phishing lures using clickfix techniques to hide malicious commands in the Windows Run dialog box from naked eyes.

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata

Rule ID

3ae9974a-eb09-4044-8e70-8980a50c12c8

Status

experimental

Level

high

Type

Detection

Created

Tue Nov 04

Modified

Wed Nov 26

Author

Swachchhanda Shrawan Poudel (Nextron Systems)

Path

rules/windows/process_creation/proc_creation_win_susp_clickfix_filefix_whitespace_padding.yml

Raw Tags

attack.executionattack.t1204.004attack.defense-evasionattack.t1027.010

View on GitHub