ClickFix is a social engineering technique that emerged in mid-2024 and has become one of the most effective initial access vectors in use as of 2026. The attack model is simple and reliable: a malicious webpage or document presents a fake error or CAPTCHA, instructs the victim to “fix” the problem by pressing Win+R and pasting a command, and delivers a malware-staging payload that the user unwittingly executes themselves. The attacker never needs to exploit a vulnerability. The user is the delivery mechanism.
In May 2026, more than 700 education and technology websites were compromised through CVE-2026-26980 (a Ghost CMS vulnerability) and injected with ClickFix JavaScript that pushed malware to site visitors. Darktrace, Group-IB, and CyberMaxx have all documented ClickFix adoption by ransomware affiliates, information stealers, and nation-state-adjacent groups in 2025-2026 campaigns. The technique is now cross-platform, with macOS and Linux variants documented alongside the dominant Windows attack chain.
This guide covers ClickFix artifacts, detection logic, and Sigma rules for the Windows attack chain.
The ClickFix Execution Chain
The canonical Windows ClickFix chain produces the following process sequence:
- Delivery: Malicious web page (malvertising, compromised site, phishing) or document presents a fake dialog
- Clipboard injection: JavaScript calls
navigator.clipboard.writeText()with the malicious command - User execution: Victim presses Win+R or opens PowerShell and pastes the command
- Initial staging: The pasted command executes a LOLBin (mshta, certutil, curl, bitsadmin) to fetch and run the next stage
- Payload execution: Second-stage payload (Lumma Stealer, AsyncRAT, XWorm, etc.) is downloaded and executed
The distinguishing characteristic is the process ancestry: the malicious command spawns from explorer.exe (Run dialog) or a user-initiated PowerShell session, meaning there is no suspicious parent process. Traditional parent-child relationship rules miss this entirely.
Key Detection Surfaces
Run Dialog → LOLBin Execution
When a victim uses the Win+R dialog to execute a pasted command, the resulting process has explorer.exe as its parent. Look for LOLBins spawning from explorer.exe with command lines that include network activity:
Sigma Rule — LOLBin Network Staging via Run Dialog:
title: Suspicious LOLBin Network Download via Run Dialog (ClickFix Pattern)
id: a1c9f3e2-44b2-4d1f-8c3e-7f92d3a4b210
status: experimental
description: Detects LOLBins executing network-fetch commands from explorer.exe parent, consistent with ClickFix clipboard execution via Win+R dialog
author: SOC Analyst Hub
date: 2026-06-30
tags:
- attack.execution
- attack.t1059.001
- attack.t1204.002
- attack.t1566
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith: '\explorer.exe'
selection_lolbin:
Image|endswith:
- '\mshta.exe'
- '\certutil.exe'
- '\bitsadmin.exe'
- '\wscript.exe'
- '\cscript.exe'
- '\regsvr32.exe'
selection_network_indicators:
CommandLine|contains:
- 'http'
- 'ftp'
- 'WebClient'
- '-urlcache'
- '-Transfer'
- 'Start-BitsTransfer'
condition: selection_parent and selection_lolbin and selection_network_indicators
falsepositives:
- Legitimate administrative scripts run via Run dialog (rare)
- Software update utilities (validate against software inventory)
level: high
PowerShell Encoded Command from Interactive Session
ClickFix commands frequently use Base64-encoded PowerShell to evade simple string matching. The key distinguishing feature is an encoded PowerShell command launching from an interactive session (no parent beyond explorer.exe or the shell itself) with an unusually short execution time before network activity:
title: Encoded PowerShell Execution with Immediate Network Activity (ClickFix)
id: b2d8e4f1-55c3-4e2a-9d4f-8a03c5b6e321
status: experimental
description: Detects encoded PowerShell commands that immediately establish network connections, consistent with ClickFix staging payloads pasted into PowerShell terminal
author: SOC Analyst Hub
date: 2026-06-30
tags:
- attack.execution
- attack.t1059.001
- attack.t1140
logsource:
category: process_creation
product: windows
detection:
selection_ps_encoded:
Image|endswith: '\powershell.exe'
CommandLine|contains|all:
- '-EncodedCommand'
- '-NonInteractive'
selection_parent_interactive:
ParentImage|endswith:
- '\explorer.exe'
- '\powershell.exe'
- '\cmd.exe'
filter_legitimate:
CommandLine|contains:
- 'WindowsPowerShell\Scripts'
- 'C:\Program Files'
condition: selection_ps_encoded and selection_parent_interactive and not filter_legitimate
falsepositives:
- Legitimate encoded PowerShell run from desktop shortcuts or admin tasks
- Configuration management tools (SCCM, Ansible WinRM)
level: medium
SyncAppvPublishingServer LOLBin Abuse
One ClickFix variant uses SyncAppvPublishingServer.vbs, a legitimate Windows App-V utility, to execute PowerShell without spawning powershell.exe directly — bypassing process-name-based detection:
title: SyncAppvPublishingServer VBS Abuse for PowerShell Execution (ClickFix)
id: c3e9f5a2-66d4-4f3b-ae5f-9b14d6c7f432
status: experimental
description: Detects SyncAppvPublishingServer.vbs used to execute PowerShell commands, a ClickFix evasion technique to avoid direct powershell.exe detection
author: SOC Analyst Hub
date: 2026-06-30
tags:
- attack.execution
- attack.defense_evasion
- attack.t1059.005
- attack.t1218.011
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\wscript.exe'
- '\cscript.exe'
CommandLine|contains: 'SyncAppvPublishingServer'
condition: selection
falsepositives:
- Legitimate App-V publishing workflows in App-V environments (rare in most enterprises)
level: high
KQL for Microsoft Sentinel
// ClickFix: LOLBin network execution from explorer.exe parent
DeviceProcessEvents
| where Timestamp > ago(24h)
| where ParentProcessName =~ "explorer.exe"
| where FileName in~ ("mshta.exe", "certutil.exe", "bitsadmin.exe", "wscript.exe", "cscript.exe", "regsvr32.exe")
| where ProcessCommandLine has_any ("http", "ftp", "-urlcache", "WebClient", "Transfer")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, ParentProcessName, ParentProcessId
| order by Timestamp desc
// ClickFix: Encoded PowerShell from interactive parent
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "powershell.exe"
| where ProcessCommandLine has "-EncodedCommand"
| where ParentProcessName in~ ("explorer.exe", "cmd.exe", "powershell.exe")
| where not(ProcessCommandLine has_any ("C:\\Program Files", "WindowsPowerShell\\Scripts", "SCCM"))
| extend DecodedHint = base64_decode_tostring(extract(@"-EncodedCommand\s+([A-Za-z0-9+/=]+)", 1, ProcessCommandLine))
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, DecodedHint, ParentProcessName
| order by Timestamp desc
// ClickFix: SyncAppvPublishingServer abuse
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("wscript.exe", "cscript.exe")
| where ProcessCommandLine has "SyncAppvPublishingServer"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, ParentProcessName
Threat Hunting Queries
Hunt for Clipboard-Related PowerShell Activity
Look for PowerShell commands that access clipboard content programmatically, which may indicate a ClickFix page attempting to auto-execute rather than waiting for manual paste:
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName =~ "powershell.exe"
| where ProcessCommandLine has_any ("Get-Clipboard", "System.Windows.Forms.Clipboard", "Windows.ApplicationModel.DataTransfer")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine
Hunt for certutil Download Cradles
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName =~ "certutil.exe"
| where ProcessCommandLine has_any ("-urlcache", "-decode", "-encode")
| where ProcessCommandLine has_any ("http://", "https://", "ftp://")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, ParentProcessName
| order by Timestamp desc
Behavioral Indicators and Context
ClickFix detections benefit from enrichment with web proxy and browser history data. Key correlating signals:
- Browser session on an unexpected site within 60 seconds of the Run dialog execution
- First-time parent-child relationship between explorer.exe and a LOLBin on that endpoint
- Network connection to a newly registered domain (<30 days) within 30 seconds of execution
- The user account has no prior history of running encoded PowerShell
Mitigations
Detection-adjacent controls that reduce ClickFix attack surface without relying entirely on detection:
- Enable PowerShell Constrained Language Mode via AppLocker or WDAC — prevents many ClickFix staging payloads from executing even if the user pastes the command
- Block Win+R dialog access via Group Policy for standard users where operationally feasible
- Deploy Script Block Logging (Event ID 4104) to capture decoded PowerShell content
- Enable AMSI integration in your EDR — ClickFix payloads increasingly attempt AMSI bypass, which itself is a high-fidelity detection signal
- Web content filtering to block known ClickFix delivery infrastructure (malvertising networks, fake CAPTCHA domains)
ClickFix succeeds because it bypasses technical controls by routing execution through the user. The detection strategy must account for the absence of a suspicious parent process and focus instead on the behaviour pattern: LOLBin execution with immediate network activity, interactive session context, and absence of a legitimate administrative context.