From 93417f0548a4100637e0351d56e51381c58ac75a Mon Sep 17 00:00:00 2001
From: eatinsundip <43767555+eatinsundip@users.noreply.github.com>
Date: Fri, 1 Aug 2025 10:10:07 -0500
Subject: [PATCH 1/2] Create ClickFix Defense Evasion
---
 DefenderXDR/ClickFix Defense Evasion | 6 ++++++
 1 file changed, 6 insertions(+)
 create mode 100644 DefenderXDR/ClickFix Defense Evasion
diff --git a/DefenderXDR/ClickFix Defense Evasion b/DefenderXDR/ClickFix Defense Evasion
new file mode 100644
index 0000000..21d35ed
--- /dev/null
+++ b/DefenderXDR/ClickFix Defense Evasion
@@ -0,0 +1,6 @@
+//ClickFix Defense Evasion Checking for the use of 'SetClipboard -value " "'
+
+DeviceProcessEvents
+| Where ProcessCommandLine has_all ("set-clipboard", "-value")
+| where ProcessCommandLine has_any ('" "', "' '")
+| project AccountName, ProccessCommandLine
From c6f113e11b5f7355a19c11adb0cb9977c9b94679 Mon Sep 17 00:00:00 2001
From: eatinsundip <43767555+eatinsundip@users.noreply.github.com>
Date: Wed, 13 Aug 2025 14:36:30 -0500
Subject: [PATCH 2/2] Create ClickFix Defense Evasion (DeviceEvents))
---
 DefenderXDR/ClickFix Defense Evasion (DeviceEvents)) | 8 ++++++++
 1 file changed, 8 insertions(+)
 create mode 100644 DefenderXDR/ClickFix Defense Evasion (DeviceEvents))
diff --git a/DefenderXDR/ClickFix Defense Evasion (DeviceEvents)) b/DefenderXDR/ClickFix Defense Evasion (DeviceEvents))
new file mode 100644
index 0000000..c659c9a
--- /dev/null
+++ b/DefenderXDR/ClickFix Defense Evasion (DeviceEvents))
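Review bot: The query in this hunk will not execute as written: KQL operators are case-sensitive, so the first filter `| Where ProcessCommandLine has_all (...)` must read `| where ...`, and the projected column `ProccessCommandLine` is misspelled and does not exist on DeviceProcessEvents (`ProcessCommandLine`). Because the commit presents this as a detection, the `project` should also keep `Timestamp`, `DeviceId` and `ReportId`, which Defender custom detection rules require in the result set: `| project Timestamp, DeviceId, ReportId, AccountName, ProcessCommandLine`. The second filter `has_any ('" "', "' '")` asks for whole-term matches on values that contain no alphanumeric characters, which is not what the `has` family is built for; a plain substring test, `| where ProcessCommandLine contains '" "' or ProcessCommandLine contains "' '"`, expresses the intent without depending on term tokenization. Note as well that requiring both literals `set-clipboard` and `-value` means the `scb` alias, a positional value (`Set-Clipboard ' '`) or an abbreviated parameter are not covered, so the header comment should state that this catches only the unobfuscated form.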
@@ -0,0 +1,8 @@
+// An alternate and slightly more succesful way of catching even obfuscated clipboard clearing. This technique is used for defense evasion with clickfix attacks.
+// This detection can be ran in Defender NRT for quick response.
+
+DeviceEvents
+| extend Command = tolower(parse_json(AdditionalFields)["Command"])
+| where Command has_all ("set-clipboard", "-value")
+| where Command has_any ("' '", '" "')
+| project Timestamp, InitiatingProcessAccountName, parse_json(AdditionalFields)["Command"], DeviceId, ReportId
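Review bot: The header comment claims this catches "even obfuscated clipboard clearing", but the filter `| where Command has_all ("set-clipboard", "-value")` still requires both literal terms, so the `scb` alias, an abbreviated parameter such as `-v`, or a positional value (`Set-Clipboard ' '`) are all missed; the comment should be narrowed to what the query demonstrably matches, and the `tolower()` wrapper adds nothing because `has_all`/`has_any` are already case-insensitive. The query also runs `parse_json(AdditionalFields)` over every DeviceEvents row and then parses it a second time in the `project`; filtering first on the action type that actually carries a `Command` field (this appears to be `PowerShellCommand`, confirm against your tenant's data) and reusing the extended column avoids both costs, e.g. `| where ActionType == "PowerShellCommand"` followed by `| extend Command = tostring(parse_json(AdditionalFields).Command)`, with `tostring()` keeping `Command` a string rather than a dynamic value for the downstream `has_*` operators. Two wording fixes in the comment lines: "succesful" → "successful" and "can be ran" → "can be run". Finally, the new file is created without a `.kql` extension and with an unbalanced `))` in its name, which is worth correcting before other rules reference it.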