Detection rules › Sigma
Suspicious Explorer Process with Whitespace Padding - ClickFix/FileFix
Detects process creation with suspicious whitespace padding followed by a '#' character, which may indicate ClickFix or FileFix techniques used to conceal malicious commands from visual inspection. ClickFix and FileFix are social engineering attack techniques where adversaries distribute phishing documents or malicious links that deceive users into opening the Windows Run dialog box or File Explorer search bar. The victims are then instructed to paste commands from their clipboard, which contain extensive whitespace padding using various Unicode space characters to push the actual malicious command far to the right, effectively hiding it from immediate view.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Execution | T1204.004 User Execution: Malicious Copy and Paste |
| Stealth | T1027.010 Obfuscated Files or Information: Command Obfuscation |
Event coverage
| Provider | Event | Title |
|---|---|---|
| Sysmon | Event ID 1 | Process creation |
| Security-Auditing | Event ID 4688 | A new process has been created. |
Rule body yaml
title: Suspicious Explorer Process with Whitespace Padding - ClickFix/FileFix
id: 3ae9974a-eb09-4044-8e70-8980a50c12c8
related:
- id: 8f2a5c3d-9e4b-4a7c-8d1f-2e5a6b9c3d7e
type: similar
- id: 7a1b4c5e-8f3d-4b9a-7c2e-1f4a5b8c6d9e
type: similar
status: experimental
description: |
Detects process creation with suspicious whitespace padding followed by a '#' character, which may indicate ClickFix or FileFix techniques used to conceal malicious commands from visual inspection.
ClickFix and FileFix are social engineering attack techniques where adversaries distribute phishing documents or malicious links that deceive users into opening the Windows Run dialog box or File Explorer search bar.
The victims are then instructed to paste commands from their clipboard, which contain extensive whitespace padding using various Unicode space characters to push the actual malicious command far to the right, effectively hiding it from immediate view.
references:
- https://expel.com/blog/cache-smuggling-when-a-picture-isnt-a-thousand-words/
- https://mrd0x.com/filefix-clickfix-alternative/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-04
modified: 2025-11-26
tags:
- attack.execution
- attack.stealth
- attack.t1204.004
- attack.t1027.010
logsource:
category: process_creation
product: windows
detection:
selection_explorer:
ParentImage|endswith: '\explorer.exe'
CommandLine|contains: '#'
selection_space_variation:
CommandLine|contains:
- ' ' # En Quad (U+2000)
- ' ' # Em Quad (U+2001)
- ' ' # En Space (U+2002)
- ' ' # Em Space (U+2003)
- ' ' # Three-Per-Em Space (U+2004)
- ' ' # Four-Per-Em Space (U+2005)
- ' ' # Six-Per-Em Space (U+2006)
- ' ' # Figure Space (U+2007)
- ' ' # Punctuation Space (U+2008)
- ' ' # Thin Space (U+2009)
- ' ' # Hair Space (U+200A)
- ' ' # No-Break Space (U+00A0)
- ' ' # Normal space (0x20)
condition: all of selection_*
falsepositives:
- Unknown
level: high
Stages and Predicates
Stage 0: condition
all of selection_*Stage 1: selection_explorer
selection_explorer:
ParentImage|endswith: '\explorer.exe'
CommandLine|contains: '#'
Stage 2: selection_space_variation
selection_space_variation:
CommandLine|contains:
- ' '
- ' '
- ' '
- ' '
- ' '
- ' '
- ' '
- ' '
- ' '
- ' '
- ' '
- ' '
- ' '
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
CommandLine | match |
|
ParentImage | ends_with |
|