Suspicious Explorer Process with Whitespace Padding - ClickFix/FileFix
Detects process creation with suspicious whitespace padding followed by a '#' character, which may indicate ClickFix or FileFix techniques used to conceal malicious commands from visual inspection. ClickFix and FileFix are social engineering attack techniques where adversaries distribute phishing documents or malicious links that deceive users into opening the Windows Run dialog box or File Explorer search bar. The victims are then instructed to paste commands from their clipboard, which contain extensive whitespace padding using various Unicode space characters to push the actual malicious command far to the right, effectively hiding it from immediate view.
Sigma rule (View on GitHub)
1title: Suspicious Explorer Process with Whitespace Padding - ClickFix/FileFix
2id: 3ae9974a-eb09-4044-8e70-8980a50c12c8
3related:
4 - id: 8f2a5c3d-9e4b-4a7c-8d1f-2e5a6b9c3d7e
5 type: similar
6 - id: 7a1b4c5e-8f3d-4b9a-7c2e-1f4a5b8c6d9e
7 type: similar
8status: experimental
9description: |
10 Detects process creation with suspicious whitespace padding followed by a '#' character, which may indicate ClickFix or FileFix techniques used to conceal malicious commands from visual inspection.
11 ClickFix and FileFix are social engineering attack techniques where adversaries distribute phishing documents or malicious links that deceive users into opening the Windows Run dialog box or File Explorer search bar.
12 The victims are then instructed to paste commands from their clipboard, which contain extensive whitespace padding using various Unicode space characters to push the actual malicious command far to the right, effectively hiding it from immediate view.
13references:
14 - https://expel.com/blog/cache-smuggling-when-a-picture-isnt-a-thousand-words/
15 - https://mrd0x.com/filefix-clickfix-alternative/
16author: Swachchhanda Shrawan Poudel (Nextron Systems)
17date: 2025-11-04
18modified: 2025-11-26
19tags:
20 - attack.execution
21 - attack.t1204.004
22 - attack.defense-evasion
23 - attack.t1027.010
24logsource:
25 category: process_creation
26 product: windows
27detection:
28 selection_explorer:
29 ParentImage|endswith: '\explorer.exe'
30 CommandLine|contains: '#'
31 selection_space_variation:
32 CommandLine|contains:
33 - ' ' # En Quad (U+2000)
34 - ' ' # Em Quad (U+2001)
35 - ' ' # En Space (U+2002)
36 - ' ' # Em Space (U+2003)
37 - ' ' # Three-Per-Em Space (U+2004)
38 - ' ' # Four-Per-Em Space (U+2005)
39 - ' ' # Six-Per-Em Space (U+2006)
40 - ' ' # Figure Space (U+2007)
41 - ' ' # Punctuation Space (U+2008)
42 - ' ' # Thin Space (U+2009)
43 - ' ' # Hair Space (U+200A)
44 - ' ' # No-Break Space (U+00A0)
45 - ' ' # Normal space (0x20)
46 condition: all of selection_*
47falsepositives:
48 - Unknown
49level: high
References
-
We recently observed an innovative campaign using the ClickFix attack tactic for cache smuggling. Here's what you need to know.
Read More -
Presenting an alternate method to the traditional ClickFix attack. Introduction Over the past few weeks, I’ve been working on the upcoming update for the Offensive Phishing Operations Course. The u...
Read More
Related rules
- Suspicious Space Characters in RunMRU Registry Path - ClickFix
- Suspicious Space Characters in TypedPaths Registry Path - FileFix
- Suspicious Usage of For Loop with Recursive Directory Search in CMD
- Obfuscated PowerShell MSI Install via WindowsInstaller COM
- FileFix - Command Evidence in TypedPaths