Techniques
Sample rules
Suspicious FileFix Execution Pattern
- source: sigma
- technicques:
- t1204
- t1204.004
Description
Detects suspicious FileFix execution patterns where users are tricked into running malicious commands through browser file upload dialog manipulation. This attack typically begins when users visit malicious websites impersonating legitimate services or news platforms, which may display fake CAPTCHA challenges or direct instructions to open file explorer and paste clipboard content. The clipboard content usually contains commands that download and execute malware, such as information stealing tools.
Detection logic
condition: selection_exec_parent and 1 of selection_cli_*
selection_cli_captcha:
CommandLine|contains:
- account
- anti-bot
- botcheck
- captcha
- challenge
- confirmation
- fraud
- human
- identification
- identificator
- identity
- robot
- validation
- verification
- verify
selection_cli_lolbin:
CommandLine|contains:
- '%comspec%'
- bitsadmin
- certutil
- cmd
- cscript
- curl
- finger
- mshta
- powershell
- pwsh
- regsvr32
- rundll32
- schtasks
- wget
- wscript
selection_exec_parent:
CommandLine|contains: '#'
ParentImage|endswith:
- \brave.exe
- \chrome.exe
- \firefox.exe
- \msedge.exe