LoFP LoFP / legitimate use of powershell or other utilities launched from browser extensions or automation tools

Techniques

Sample rules

FileFix - Suspicious Child Process from Browser File Upload Abuse

Description

Detects potentially suspicious subprocesses such as LOLBINs spawned by web browsers. This activity could be associated with the “FileFix” social engineering technique, where users are tricked into launching the file explorer via a browser-based phishing page and pasting malicious commands into the address bar. The technique abuses clipboard manipulation and disguises command execution as benign file path access, resulting in covert execution of system utilities.

Detection logic

condition: selection
selection:
  CommandLine|contains: '#'
  Image|endswith:
  - \powershell.exe
  - \pwsh.exe
  - \regsvr32.exe
  - \bitsadmin.exe
  - \certutil.exe
  - \mshta.exe
  ParentImage|endswith:
  - \chrome.exe
  - \msedge.exe
  - \firefox.exe
  - \brave.exe