Detectionhighexperimental

Suspicious ClickFix/FileFix Execution Pattern

Detects suspicious execution patterns where users are tricked into running malicious commands via clipboard manipulation, either through the Windows Run dialog (ClickFix) or File Explorer address bar (FileFix). Attackers leverage social engineering campaigns—such as fake CAPTCHA challenges or urgent alerts—encouraging victims to paste clipboard contents, often executing mshta.exe, powershell.exe, or similar commands to infect systems.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

montysecurity, Swachchhanda Shrawan Poudel (Nextron Systems)Created Wed Nov 19d487ed4a-fd24-436d-a0b2-f4e95f7b2635windows

Log Source

WindowsProcess Creation

ProductWindows← raw: windows

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection_parent:
        ParentImage|endswith: '\explorer.exe'
        CommandLine|contains: '#'
    selection_cli_captcha:
        CommandLine|contains:
            - 'account'
            - 'anti-bot'
            - 'botcheck'
            - 'captcha'
            - 'challenge'
            - 'confirmation'
            - 'fraud'
            - 'human'
            - 'identification'
            - 'identificator'
            - 'identity'
            - 'robot'
            - 'validation'
            - 'verification'
            - 'verify'
    condition: all of selection_*

False Positives

Unlikely

False positives are unlikely for most environments. High confidence detection.

References

MITRE ATT&CK

Tactics

TA0002 · Execution

Sub-techniques

T1204.001 · Malicious Link

Other

attack.t1204.004

Related Rules

SimilarDetectionhigh

Potential ClickFix Execution Pattern - Registry

Detects potential ClickFix malware execution patterns by monitoring registry modifications in RunMRU keys containing HTTP/HTTPS links. ClickFix is known to be distributed through phishing campaigns and uses techniques like clipboard hijacking and fake CAPTCHA pages. Through the fakecaptcha pages, the adversary tricks users into opening the Run dialog box and pasting clipboard-hijacked content, such as one-liners that execute remotely hosted malicious files or scripts.

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata

Rule ID

d487ed4a-fd24-436d-a0b2-f4e95f7b2635

Status

experimental

Level

high

Type

Detection

Created

Wed Nov 19

Author

montysecurity, Swachchhanda Shrawan Poudel (Nextron Systems)

Path

rules/windows/process_creation/proc_creation_win_susp_clickfix_filefix_execution.yml

Raw Tags

attack.executionattack.t1204.001attack.t1204.004

View on GitHub