Skip to content

Hide Navigation Hide TOC

Suspicious Explorer Process with Whitespace Padding - ClickFix/FileFix (3ae9974a-eb09-4044-8e70-8980a50c12c8)

Detects process creation with suspicious whitespace padding followed by a '#' character, which may indicate ClickFix or FileFix techniques used to conceal malicious commands from visual inspection. ClickFix and FileFix are social engineering attack techniques where adversaries distribute phishing documents or malicious links that deceive users into opening the Windows Run dialog box or File Explorer search bar. The victims are then instructed to paste commands from their clipboard, which contain extensive whitespace padding using various Unicode space characters to push the actual malicious command far to the right, effectively hiding it from immediate view.

Cluster A Galaxy A Cluster B Galaxy B Level
Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377) Attack Pattern Suspicious Explorer Process with Whitespace Padding - ClickFix/FileFix (3ae9974a-eb09-4044-8e70-8980a50c12c8) Sigma-Rules 1
Suspicious Explorer Process with Whitespace Padding - ClickFix/FileFix (3ae9974a-eb09-4044-8e70-8980a50c12c8) Sigma-Rules Malicious Copy and Paste - T1204.004 (e261a979-f354-41a8-963e-6cadac27c4bf) Attack Pattern 1
Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 2
Malicious Copy and Paste - T1204.004 (e261a979-f354-41a8-963e-6cadac27c4bf) Attack Pattern User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern 2