Detection rules › Sigma
Suspicious Explorer Process with Whitespace Padding - ClickFix/FileFix
Detects process creation with suspicious whitespace padding followed by a '#' character, which may indicate ClickFix or FileFix techniques used to conceal malicious commands from visual inspection. ClickFix and FileFix are social engineering attack techniques where adversaries distribute phishing documents or malicious links that deceive users into opening the Windows Run dialog box or File Explorer search bar. The victims are then instructed to paste commands from their clipboard, which contain extensive whitespace padding using various Unicode space characters to push the actual malicious command far to the right, effectively hiding it from immediate view.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Execution | T1204.004 User Execution: Malicious Copy and Paste |
| Defense Evasion | T1027.010 Obfuscated Files or Information: Command Obfuscation |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 1 | Process creation |
| Security-Auditing | 4688 | A new process has been created. |
Stages and Predicates
Stage 1: all of selection_explorer
CommandLine|contains: '#'
ParentImage|endswith: '\explorer.exe'
Stage 2: all of selection_space_variation
or:
CommandLine|contains: ' '
CommandLine|contains: ' '
CommandLine|contains: ' '
CommandLine|contains: ' '
CommandLine|contains: ' '
CommandLine|contains: ' '
CommandLine|contains: ' '
CommandLine|contains: ' '
CommandLine|contains: ' '
CommandLine|contains: ' '
CommandLine|contains: ' '
CommandLine|contains: ' '
CommandLine|contains: ' '
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
CommandLine | match |
|
ParentImage | ends_with |
|