ClickFix Run Dialog Launch of Rundll32 over WebDAV
Detects Windows Run dialog command history that matches Microsoft's observed ClickFix launch pattern for ACR Stealer, including rundll32 execution from a remote WebDAV share and more concealed pushd or conhost headless variants.
Sigma source
Raw YAMLtitle: ClickFix Run Dialog Launch of Rundll32 over WebDAV
id: 8f9d8f9c-9b9e-4b95-8bb2-8c74aa65c56f
status: stable
author: FRAME ZERO
date: 2026-07-17
description: Detects Windows Run dialog command history that matches Microsoft's observed ClickFix launch pattern for ACR Stealer, including rundll32 execution from a remote WebDAV share and more concealed pushd or conhost headless variants.
references:
- https://www.microsoft.com/en-us/security/blog/2026/07/16/acr-stealer-two-observed-intrusion-chains-amid-increased-threat-activity/
- https://redcanary.com/blog/threat-intelligence/intelligence-insights-may-2026/
logsource:
category: registry_event
product: windows
detection:
selection_key:
RegistryKey|contains: '\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
selection_common:
RegistryValueData|contains|all:
- 'rundll32'
- '@ssl'
- ' /c '
selection_variant_start:
RegistryValueData|contains: ' start '
selection_variant_pushd:
RegistryValueData|contains: 'pushd '
selection_variant_headless:
RegistryValueData|contains: 'conhost --headless'
condition: selection_key and selection_common and 1 of selection_variant_*
falsepositives:
- Administrators or support personnel manually testing WebDAV access or DLL loading through the Windows Run dialog
- Security teams reproducing published ClickFix delivery chains in a lab
level: high
tags:
- attack.execution
- attack.t1204
- attack.t1218.011
related_publication: acr-stealer-clickfix-two-delivery-chains
telemetry_assumptions:
- Endpoint telemetry captures RunMRU registry writes with the complete command string and the initiating user.
- Analysts can correlate the registry event with nearby process creation and outbound network telemetry for cmd.exe, rundll32.exe, and conhost.exe.