Detection / DETPublic file

ClickFix Run Dialog Launch of Rundll32 over WebDAV

Detects Windows Run dialog command history that matches Microsoft's observed ClickFix launch pattern for ACR Stealer, including rundll32 execution from a remote WebDAV share and more concealed pushd or conhost headless variants.

Sigma source

Raw YAML
title: ClickFix Run Dialog Launch of Rundll32 over WebDAV
id: 8f9d8f9c-9b9e-4b95-8bb2-8c74aa65c56f
status: stable
author: FRAME ZERO
date: 2026-07-17
description: Detects Windows Run dialog command history that matches Microsoft's observed ClickFix launch pattern for ACR Stealer, including rundll32 execution from a remote WebDAV share and more concealed pushd or conhost headless variants.
references:
  - https://www.microsoft.com/en-us/security/blog/2026/07/16/acr-stealer-two-observed-intrusion-chains-amid-increased-threat-activity/
  - https://redcanary.com/blog/threat-intelligence/intelligence-insights-may-2026/
logsource:
  category: registry_event
  product: windows
detection:
  selection_key:
    RegistryKey|contains: '\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
  selection_common:
    RegistryValueData|contains|all:
      - 'rundll32'
      - '@ssl'
      - ' /c '
  selection_variant_start:
    RegistryValueData|contains: ' start '
  selection_variant_pushd:
    RegistryValueData|contains: 'pushd '
  selection_variant_headless:
    RegistryValueData|contains: 'conhost --headless'
  condition: selection_key and selection_common and 1 of selection_variant_*
falsepositives:
  - Administrators or support personnel manually testing WebDAV access or DLL loading through the Windows Run dialog
  - Security teams reproducing published ClickFix delivery chains in a lab
level: high
tags:
  - attack.execution
  - attack.t1204
  - attack.t1218.011
related_publication: acr-stealer-clickfix-two-delivery-chains
telemetry_assumptions:
  - Endpoint telemetry captures RunMRU registry writes with the complete command string and the initiating user.
  - Analysts can correlate the registry event with nearby process creation and outbound network telemetry for cmd.exe, rundll32.exe, and conhost.exe.

Relationships

Related files