Suspicious ClickFix/FileFix Execution Pattern (d487ed4a-fd24-436d-a0b2-f4e95f7b2635)

Detects suspicious execution patterns where users are tricked into running malicious commands via clipboard manipulation, either through the Windows Run dialog (ClickFix) or File Explorer address bar (FileFix). Attackers leverage social engineering campaigns—such as fake CAPTCHA challenges or urgent alerts—encouraging victims to paste clipboard contents, often executing mshta.exe, powershell.exe, or similar commands to infect systems.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
| --- | --- | --- | --- | --- |
| Suspicious ClickFix/FileFix Execution Pattern (d487ed4a-fd24-436d-a0b2-f4e95f7b2635) | Sigma-Rules | Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9) | Attack Pattern | 1 |
| Suspicious ClickFix/FileFix Execution Pattern (d487ed4a-fd24-436d-a0b2-f4e95f7b2635) | Sigma-Rules | Malicious Copy and Paste - T1204.004 (e261a979-f354-41a8-963e-6cadac27c4bf) | Attack Pattern | 1 |
| User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) | Attack Pattern | Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9) | Attack Pattern | 2 |
| User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) | Attack Pattern | Malicious Copy and Paste - T1204.004 (e261a979-f354-41a8-963e-6cadac27c4bf) | Attack Pattern | 2 |