ClickFix Attack: Windows Terminal Used for Detection Evasion

ClickFix Attack Overview

The ClickFix attack represents an evolving TTP that leverages social engineering and a novel execution vector to bypass traditional security controls. This sophisticated technique preys on user trust, presenting fake CAPTCHA challenges that instruct victims to paste malicious commands directly into Windows Terminal, rather than the more commonly monitored Run dialog. This approach aims to achieve malicious command execution evasion, making detection more challenging for security professionals, according to SecurityWeek.

Unlike direct execution via the Run dialog (Win+R), which often involves spawning cmd.exe or powershell.exe as direct child processes, pasting into Windows Terminal allows the malicious code to be executed within the context of the terminal application itself, potentially altering process lineage and evading some heuristic-based detections that monitor specific parent-child relationships or Run dialog invocations.

Technical Analysis of ClickFix

The core of the ClickFix attack lies in its effective combination of social engineering and execution environment manipulation. The attack flow typically involves:

1. Lure via Fake CAPTCHA: Users are redirected or presented with a seemingly legitimate CAPTCHA page. This page, however, is a decoy designed to trick the user into thinking a common web security verification is required to proceed.
2. Instruction to Use Windows Terminal: Instead of the typical instruction to click a button or type characters, the fake CAPTCHA instructs the user to open Windows Terminal and paste a provided string of commands. This step is crucial as it bypasses common security awareness training that often focuses on avoiding suspicious file downloads or email attachments.
3. Malicious Command Execution: Once pasted and executed, these commands can initiate various payloads, ranging from establishing a C2 channel to download additional malware, performing data exfiltration, or setting the stage for further Lateral Movement and Privilege Escalation within the compromised network. The choice of Windows Terminal provides a relatively new conduit for adversaries to execute code, exploiting a legitimate system utility.

This method aligns with several MITRE ATT&CK techniques, most notably:

• T1566.002 (Phishing: Spearphishing Link): The initial delivery mechanism through a deceptive link or webpage.
• T1204.002 (User Execution: Malicious File): Although not a file, the user is still tricked into executing malicious content.
• T1059 (Command and Scripting Interpreter): The execution of commands via PowerShell or Command Prompt within Windows Terminal.

The potential for this technique to bypass conventional security measures underscores the need for organizations to understand how to approach ClickFix Windows Terminal attack detection through a multi-layered security strategy.

Actionable Recommendations and Mitigations

Defending against attacks like ClickFix requires a combination of robust technical controls and comprehensive security awareness training. Prioritize the following actions to enhance your organization’s resilience:

User Education for Phishing Mitigation Windows Terminal Threats

• Reinforce Social Engineering Awareness: Train users to be suspicious of any unusual requests, especially those that deviate from standard operating procedures (e.g., being asked to open a specific application like Windows Terminal and paste commands). Emphasize that legitimate CAPTCHAs do not require opening system tools or executing code.
• Verify Instructions: Educate users to independently verify any unexpected instructions by contacting IT support through established, known channels before proceeding.

Technical Controls for Detection and Prevention

• Enhanced Endpoint Logging: Configure detailed logging for Windows Terminal activity, including process creation events, command-line arguments, and network connections initiated by terminal processes. Focus on identifying unusual patterns such as a web browser spawning Windows Terminal, or Windows Terminal executing suspicious outbound connections or unrecognized scripts.
• EDR and SIEM Rules: Implement EDR and SIEM rules to flag suspicious activity originating from Windows Terminal, particularly when it’s launched by a browser or when it attempts to download or execute external scripts. Monitor for command-line strings indicative of common attack tools (e.g., Invoke-WebRequest, certutil.exe for download).
• Application Control: Consider strict application control policies that limit which executables can be run and by which users. While completely blocking Windows Terminal might be impractical, preventing unsigned scripts or executables from running through it can significantly reduce risk.
• Network Segmentation and Least Privilege: Apply principles of least privilege to user accounts and segment networks to limit the blast radius if an attacker successfully executes commands. This can restrict an attacker’s ability to conduct Lateral Movement or exfiltrate sensitive data.

By proactively addressing both the human and technical vectors of the ClickFix attack, organizations can significantly reduce their exposure to this evolving threat.