Query Details

Obfuscated Click Fix Powershell Command

Query

# *Obfuscated ClickFix Powershell Command*

## Query Information

#### MITRE ATT&CK Technique(s)

| Technique ID | Title    | Link    |
| ---  | --- | --- |
| T1059.001 | Command and Scripting Interpreter: PowerShell | https://attack.mitre.org/techniques/T1059/001/ |

#### Description
This rule detects instances where 'powershell.exe', 'pwsh.exe', or 'conhost.exe' are launched by 'explorer.exe' with a command line containing an unusual number of spaces or tabs. This pattern can indicate obfuscation attempts often used by adversaries to hide malicious commands or scripts.

#### Risk
ClickFix Attack Detection

#### Author
- **Name: Benjamin Zulliger**
- **Github: https://github.com/benscha/KQLAdvancedHunting**
- **LinkedIn: https://www.linkedin.com/in/benjamin-zulliger/**

#### References
- https://expel.com/blog/cache-smuggling-when-a-picture-isnt-a-thousand-words/


## Defender XDR
```KQL
DeviceProcessEvents
| where InitiatingProcessFileName =~ "explorer.exe"
| where FileName in~ ("powershell.exe", "pwsh.exe", "conhost.exe")
| where ProcessCommandLine matches regex @'(\s{5,}|\t{2,})'
| project Timestamp, DeviceId, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, AccountName, ReportId
```
Explanation

This query is designed to detect potentially suspicious activity on a device by identifying instances where certain command-line tools are executed in an unusual manner. Here's a simplified breakdown:

  1. Purpose: The query looks for cases where the Windows file explorer (explorer.exe) starts specific command-line tools (powershell.exe, pwsh.exe, or conhost.exe) with a command line that contains an unusually high number of spaces or tabs. This pattern can suggest that someone is trying to hide or obfuscate malicious commands.

  2. Technique: It relates to a known cybersecurity technique (MITRE ATT&CK Technique T1059.001) where adversaries use command and scripting interpreters like PowerShell to execute malicious scripts.

  3. How It Works:

    • It filters events where the initiating process is explorer.exe (the `=~` operator makes the comparison case-insensitive).
    • It checks if the executed file is one of the specified command-line tools (`in~` is likewise case-insensitive).
    • It uses a regular expression to find command lines with five or more consecutive whitespace characters (spaces or tabs) or two or more consecutive tabs, which can indicate obfuscation.

  4. Output: The query returns details such as the timestamp, device ID, device name, the initiating and executed process command lines, the account name associated with the process, and the report ID. This information can help security analysts investigate and respond to potential threats.

  5. Risk: This detection is part of identifying a "ClickFix Attack," a social-engineering technique in which the victim is tricked into pasting and running a command themselves, typically through the Windows Run dialog, which is why the parent process is explorer.exe.

Overall, this query helps in identifying suspicious command executions that might be attempts to hide malicious activities on a device.
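To make the three filter steps and the regex threshold concrete, here is an added Python re-implementation of the rule run over a handful of constructed DeviceProcessEvents rows. It is not part of the original query page or the author's repository; the row dictionaries, device and account names, and report IDs are all made up, and the `matches_rule` / `hunt` function names are chosen for this example. It mirrors the KQL semantics: case-insensitive parent and child name matching (`=~`, `in~`) and the same `(\s{5,}|\t{2,})` pattern.

```python
import re
from typing import Iterable

# Same pattern as the KQL rule: five or more consecutive whitespace characters,
# or two or more consecutive tabs. Note that \s already matches tabs, so the
# second alternative only adds the two-to-four-tab case. (KQL's RE2 \s is
# ASCII whitespace only; Python's also matches Unicode whitespace, which does
# not affect these samples.)
OBFUSCATION_RE = re.compile(r"(\s{5,}|\t{2,})")

PARENT = "explorer.exe"                                   # InitiatingProcessFileName =~
CHILDREN = {"powershell.exe", "pwsh.exe", "conhost.exe"}  # FileName in~

# Columns kept by the query's `project` clause.
PROJECTED = ("Timestamp", "DeviceId", "DeviceName", "InitiatingProcessFileName",
             "InitiatingProcessCommandLine", "FileName", "ProcessCommandLine",
             "AccountName", "ReportId")


def matches_rule(event: dict) -> bool:
    """Apply the three `where` clauses of the query to one DeviceProcessEvents row."""
    if event.get("InitiatingProcessFileName", "").lower() != PARENT:  # =~ ignores case
        return False
    if event.get("FileName", "").lower() not in CHILDREN:            # in~ ignores case
        return False
    return OBFUSCATION_RE.search(event.get("ProcessCommandLine", "")) is not None


def hunt(events: Iterable[dict]) -> list[dict]:
    """Return the projected columns for every event the rule fires on."""
    return [{col: e.get(col) for col in PROJECTED} for e in events if matches_rule(e)]


def _row(i: int, parent: str, child: str, cmdline: str) -> dict:
    # Constructed DeviceProcessEvents row carrying the columns the query projects.
    return {
        "Timestamp": f"2025-10-16T10:0{i}:00Z", "DeviceId": "dev-0001",
        "DeviceName": "ws01", "InitiatingProcessFileName": parent,
        "InitiatingProcessCommandLine": parent, "FileName": child,
        "ProcessCommandLine": cmdline, "AccountName": "alice", "ReportId": 1000 + i,
    }


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # 0: ordinary launch from the Run dialog, single spaces only -> no match
    _row(0, "explorer.exe", "powershell.exe", "powershell.exe -NoProfile"),
    # 1: command followed by a long run of spaces and filler text, so only the
    #    filler is visible in a narrow Run box -> matches \s{5,}
    _row(1, "explorer.exe", "powershell.exe",
         "powershell.exe -NoProfile -Command Get-Date" + " " * 40 + "# constructed filler text"),
    # 2: two tabs and mixed-case names -> matches \t{2,}; =~ and in~ ignore case
    _row(2, "Explorer.EXE", "PWSH.EXE", "pwsh.exe\t\t-Command Get-Date"),
    # 3: same padding, but cmd.exe is not in the rule's child list -> no match
    _row(3, "explorer.exe", "cmd.exe", "cmd.exe /c echo hi" + " " * 40),
    # 4: padded PowerShell, but the parent is not explorer.exe -> no match
    _row(4, "services.exe", "powershell.exe", "powershell.exe -c Get-Date" + " " * 40),
    # 5: exactly four spaces, below the threshold -> no match
    _row(5, "explorer.exe", "powershell.exe", "powershell.exe    -c Get-Date"),
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["Timestamp"], hit["FileName"], repr(hit["ProcessCommandLine"]))
```

Running it prints only rows 1 and 2. Rows 3 and 4 show the two filters that keep the rule narrow: a padded command line alone is not enough; the child must be one of the three listed interpreters and the parent must be explorer.exe. Row 5 shows that short runs of spaces, which occur in ordinary command lines, stay below the threshold.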

Details

Benjamin Zulliger

Released: October 16, 2025

Tables

DeviceProcessEvents

Keywords

DeviceProcessEvents, Timestamp, DeviceId, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, AccountName, ReportId

Operators

=~, in~, matches regex, project, where