Suspicious Explorer Process with Whitespace Padding - ClickFix/FileFix
Detects process creation with suspicious whitespace padding followed by a '#' character, which may indicate ClickFix or FileFix techniques used to conceal malicious commands from visual inspection. ClickFix and FileFix are social engineering attack techniques where adversaries distribute phishing documents or malicious links that deceive users into opening the Windows Run dialog box or File Explorer search bar. The victims are then instructed to paste commands from their clipboard, which contain extensive whitespace padding using various Unicode space characters to push the actual malicious command far to the right, effectively hiding it from immediate view.
Sigma rule (View on GitHub)
1title: Suspicious Explorer Process with Whitespace Padding - ClickFix/FileFix
2id: 3ae9974a-eb09-4044-8e70-8980a50c12c8
3related:
4 - id: 8f2a5c3d-9e4b-4a7c-8d1f-2e5a6b9c3d7e
5 type: similar
6 - id: 7a1b4c5e-8f3d-4b9a-7c2e-1f4a5b8c6d9e
7 type: similar
8status: experimental
9description: |
10 Detects process creation with suspicious whitespace padding followed by a '#' character, which may indicate ClickFix or FileFix techniques used to conceal malicious commands from visual inspection.
11 ClickFix and FileFix are social engineering attack techniques where adversaries distribute phishing documents or malicious links that deceive users into opening the Windows Run dialog box or File Explorer search bar.
12 The victims are then instructed to paste commands from their clipboard, which contain extensive whitespace padding using various Unicode space characters to push the actual malicious command far to the right, effectively hiding it from immediate view.
13references:
14 - https://expel.com/blog/cache-smuggling-when-a-picture-isnt-a-thousand-words/
15 - https://mrd0x.com/filefix-clickfix-alternative/
16author: Swachchhanda Shrawan Poudel (Nextron Systems)
17date: 2025-11-04
18tags:
19 - attack.execution
20 - attack.t1204.004
21 - attack.defense-evasion
22 - attack.t1027.010
23logsource:
24 category: process_creation
25 product: windows
26detection:
27 selection_explorer:
28 Image|endswith: '\explorer.exe'
29 CommandLine|contains: '#'
30 selection_space_variation:
31 CommandLine|contains:
32 - ' ' # En Quad (U+2000)
33 - ' ' # Em Quad (U+2001)
34 - ' ' # En Space (U+2002)
35 - ' ' # Em Space (U+2003)
36 - ' ' # Three-Per-Em Space (U+2004)
37 - ' ' # Four-Per-Em Space (U+2005)
38 - ' ' # Six-Per-Em Space (U+2006)
39 - ' ' # Figure Space (U+2007)
40 - ' ' # Punctuation Space (U+2008)
41 - ' ' # Thin Space (U+2009)
42 - ' ' # Hair Space (U+200A)
43 - ' ' # No-Break Space (U+00A0)
44 - ' ' # Normal space (0x20)
45 condition: all of selection_*
46falsepositives:
47 - Unknown
48level: high
References
-
We recently observed an innovative campaign using the ClickFix attack tactic for cache smuggling. Here's what you need to know.
Read More -
Presenting an alternate method to the traditional ClickFix attack. Introduction Over the past few weeks, I’ve been working on the upcoming update for the Offensive Phishing Operations Course. The u...
Read More
Related rules
- Suspicious Space Characters in RunMRU Registry Path - ClickFix
- Suspicious Space Characters in TypedPaths Registry Path - FileFix
- Obfuscated PowerShell MSI Install via WindowsInstaller COM
- Turla Group Commands May 2020
- Kaspersky Endpoint Security Stopped Via CommandLine - Linux