diff --git a/DefenderXDR/ClickFix Defense Evasion b/DefenderXDR/ClickFix Defense Evasion
new file mode 100644
index 0000000..21d35ed
--- /dev/null
+++ b/DefenderXDR/ClickFix Defense Evasion
@@ -0,0 +1,6 @@
+//ClickFix Defense Evasion Checking for the use of 'SetClipboard -value " "'
+
+DeviceProcessEvents
+| Where ProcessCommandLine has_all ("set-clipboard", "-value")
+| where ProcessCommandLine has_any ('" "', "' '")
+| project AccountName, ProccessCommandLine
diff --git a/DefenderXDR/ClickFix Defense Evasion (DeviceEvents)) b/DefenderXDR/ClickFix Defense Evasion (DeviceEvents))
new file mode 100644
index 0000000..c659c9a
--- /dev/null
+++ b/DefenderXDR/ClickFix Defense Evasion (DeviceEvents))
@@ -0,0 +1,8 @@
+// An alternate and slightly more succesful way of catching even obfuscated clipboard clearing. This technique is used for defense evasion with clickfix attacks.
+// This detection can be ran in Defender NRT for quick response.
+
+DeviceEvents
+| extend Command = tolower(parse_json(AdditionalFields)["Command"])
+| where Command has_all ("set-clipboard", "-value")
+| where Command has_any ("' '", '" "')
+| project Timestamp, InitiatingProcessAccountName, parse_json(AdditionalFields)["Command"], DeviceId, ReportId
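Review bot: The first filter line uses a capitalised `Where`; KQL operators are case-sensitive, so this query will not parse until it reads `| where ProcessCommandLine has_all ("set-clipboard", "-value")`. The project line references `ProccessCommandLine`, which is not a DeviceProcessEvents column — the name is `ProcessCommandLine` — and if this is meant to be saved as a custom detection the result set also needs `Timestamp`, `DeviceId` and `ReportId`, e.g. `| project Timestamp, DeviceId, ReportId, DeviceName, AccountName, ProcessCommandLine`. `has_any` matches whole indexed terms, and a term such as `" "` contains no alphanumeric characters, so it may not match the way a substring test would; `contains` is presumably the safer operator here, which would also explain why the sibling DeviceEvents query is described as more successful.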
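Review bot: The project line re-parses `parse_json(AdditionalFields)["Command"]` instead of reusing the `Command` column computed on the extend line, and a bare expression in `project` receives an auto-generated column name, so consumers get an awkwardly named field; `| project Timestamp, DeviceId, ReportId, InitiatingProcessAccountName, Command` keeps the single parse and a readable name. `tolower()` expects a string, so the extend should wrap the dynamic value as `tolower(tostring(parse_json(AdditionalFields)["Command"]))`. Every DeviceEvents row is parsed regardless of its `ActionType`; if the intent is PowerShell command telemetry, a preceding `| where ActionType == "PowerShellCommand"` narrows the scan considerably — worth confirming against the tenant's data. The header comments also carry two small typos (`succesful`, `can be ran`).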