Quick Answer
A ClickFix attack is a social engineering technique in which attackers trick users into manually executing malicious commands through the Windows Run dialog (Win+R). These commands typically leverage trusted Windows tools such as PowerShell, mshta.exe, or cmd.exe (known as LOLBins) to download malware, run scripts, or communicate with attacker-controlled infrastructure, all while appearing to be normal user activity.
What Is Happening?
Threat actors are increasingly abusing the Windows Run dialog (RunMRU registry key) as a method of user-assisted initial access. By leveraging social engineering techniques such as fake troubleshooting prompts or malicious websites, attackers trick users into manually executing commands.
This technique allows adversaries to bypass traditional security controls, as it looks like the activity originates from legitimate user actions rather than automated malicious processes.
How Does This Attack Work?
The RunMRU registry key records the commands a user manually enters through the Windows Run dialog (Win+R). An entry in this key therefore indicates user-initiated activity, often prompted by social engineering.
Attackers exploit this behavior by:
- Delivering instructions via phishing emails, browser pop-ups, or fake alerts that convince users to copy a command and execute it directly in the Run dialog using system tools (LOLBins) such as powershell.exe, mshta.exe, or cmd.exe
- Once executed, the commands can download malicious content, run scripts, or establish communication with attacker-controlled systems
- In many cases, the activity may be fileless or memory-based, making detection more difficult
What Did ProArch SOC Observe?
During recent investigations, the ProArch SOC identified several consistent patterns:
- RunMRU activity consistently indicates user-driven execution events
- Observed patterns align with ClickFix and social engineering campaigns
- Commands often involve:
  - Encoded or obfuscated scripts
  - Use of LOLBins (trusted system tools) to evade detection
What Actions Did the SOC Take?
- Isolated the impacted device to prevent any potential spread of malicious activity
- Conducted endpoint investigation to identify any signs of payload execution or persistence mechanisms
- Blocked associated suspicious domains and files identified during analysis
- Cleared temporary files, browsing history, cookies, and saved browser sessions to remove any residual artifacts
- Performed password reset for the affected user account as a precautionary measure
How Did ProArch SOC Limit the Impact?
- Early detection and timely SOC intervention helped prevent any lateral movement within the environment
- No evidence of data exfiltration was observed during the investigation
Why Does This Matter?
- The activity appears as normal user behavior, making it difficult to detect through traditional security controls
- Relies on user interaction, which increases the likelihood of successful attacks
- Can enable attackers to gain initial access to systems without exploiting technical vulnerabilities
- May execute using trusted system tools, reducing chances of immediate detection
- Allows attackers to perform further actions such as downloading malicious content or establishing communication with attacker-controlled systems
- This technique is especially risky because it targets user behavior rather than system weaknesses, making awareness and vigilance critical
What Should Organizations Do?
Security Controls:
- Monitor RunMRU registry activity across endpoints
- Implement detection for:
  - Suspicious command-line executions
  - Encoded PowerShell or scripting activity
- Enable enhanced monitoring of trusted system tools (PowerShell, mshta.exe, cmd.exe)
- Strengthen endpoint detection and response (EDR) policies for script-based attacks
User Awareness & Training:
- Educate users on social engineering and ClickFix techniques
- Instruct users never to execute commands from unknown or untrusted sources (websites, emails, pop-ups)
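As an added example, not ProArch's own tooling or content from this advisory, the following PowerShell script shows one way to act on the "Monitor RunMRU registry activity" recommendation: it reads the RunMRU key for every loaded user profile, strips the "\1" suffix Explorer appends to each stored command, orders entries by the MRUList value (most recent first), and flags commands that match ClickFix-style LOLBin patterns. The pattern list, the function names Test-RunMruCommand and Get-RunMruEntries, and the output fields are assumptions chosen for illustration; it assumes an elevated prompt so that hives other than the current user's are readable.

```powershell
# Added example, not ProArch's detection content.
# Enumerates RunMRU for each loaded user profile and flags entries that look
# like ClickFix-style LOLBin invocations. Run elevated to read other users' hives.

# Illustrative indicators only; tune to your environment.
# PowerShell's -match is case-insensitive by default.
$SuspiciousPatterns = @(
    'powershell(\.exe)?\b.*\s-(e|ec|enc|encodedcommand)\b',   # encoded command
    'powershell(\.exe)?\b.*\s-(w|windowstyle)\s+hidden',       # hidden window
    '\b(iex|invoke-expression|downloadstring|invoke-webrequest|iwr|irm|invoke-restmethod)\b',
    'mshta(\.exe)?\s+(https?|javascript|vbscript):',          # remote or inline HTA
    '\b(certutil|bitsadmin|curl)\b.*https?://',              # download cradle
    'https?://'                                              # weak indicator: any URL
)

function Test-RunMruCommand {
    param([Parameter(Mandatory)][string]$Command)
    # Returns the first matching pattern, or $null when the command looks benign.
    foreach ($p in $SuspiciousPatterns) {
        if ($Command -match $p) { return $p }
    }
    return $null
}

function Get-RunMruEntries {
    # Enumerate user SIDs under HKEY_USERS, skipping the *_Classes hives.
    $hives = Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^S-1-5-21-' -and $_.PSChildName -notmatch '_Classes$' }

    foreach ($hive in $hives) {
        $sid  = $hive.PSChildName
        $path = "Registry::HKEY_USERS\$sid\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
        if (-not (Test-Path $path)) { continue }

        $key = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        if (-not $key) { continue }

        # MRUList holds the slot letters in most-recent-first order, e.g. "cba".
        $order = [string]$key.MRUList
        $rank  = 0
        foreach ($ch in $order.ToCharArray()) {
            $slot = [string]$ch
            $prop = $key.PSObject.Properties[$slot]
            if (-not $prop -or -not $prop.Value) { continue }
            # Explorer appends "\1" to each stored command; strip it before analysis.
            $cmd = ([string]$prop.Value) -replace '\\1$', ''
            $hit = Test-RunMruCommand -Command $cmd
            [pscustomobject]@{
                UserSid        = $sid
                Recency        = $rank          # 0 = most recently run
                Slot           = $slot
                Command        = $cmd
                Suspicious     = [bool]$hit
                MatchedPattern = $hit
            }
            $rank++
        }
    }
}

# Report suspicious entries. Correlate each hit with process-creation telemetry
# (Sysmon Event ID 1 or Security 4688) where the parent process is explorer.exe,
# which is what a command launched from the Run dialog looks like.
Get-RunMruEntries | Where-Object Suspicious | Format-Table -AutoSize -Wrap
```

Two caveats for anyone adapting this: RunMRU only captures what was typed into the Run dialog, so a command pasted into an already-open terminal leaves no entry here and must be caught by command-line telemetry instead; and the last pattern (any URL) will also match users legitimately opening a site via Win+R, so treat it as a triage hint rather than an alert on its own.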
How Can ProArch Help?
ProArch helps organizations detect and respond to social engineering attacks that use trusted tools and user-driven execution.
Through SOC monitoring and managed detection and response services, ProArch can help:
- Monitor endpoint, identity, email, and cloud activity
- Detect suspicious command-line and script execution
- Investigate user-driven activity that may indicate social engineering
- Contain affected endpoints quickly
- Block malicious domains, files, and scripts
- Strengthen security controls and user awareness programs
- Reduce the risk of lateral movement, credential misuse, and data loss
Get in touch with ProArch to strengthen your SOC monitoring, improve detection of user-driven attacks, and respond faster to emerging threats.