Techniques
Sample rules
FileFix - Suspicious Child Process from Browser File Upload Abuse
- source: sigma
- techniques:
- t1204
- t1204.004
Description
Detects potentially suspicious subprocesses such as LOLBINs spawned by web browsers. This activity could be associated with the “FileFix” social engineering technique, where users are tricked into launching the file explorer via a browser-based phishing page and pasting malicious commands into the address bar. The technique abuses clipboard manipulation and disguises command execution as benign file path access, resulting in covert execution of system utilities.
Detection logic
detection:
    selection:
        CommandLine|contains: '#'
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\regsvr32.exe'
            - '\bitsadmin.exe'
            - '\certutil.exe'
            - '\mshta.exe'
        ParentImage|endswith:
            - '\chrome.exe'
            - '\msedge.exe'
            - '\firefox.exe'
            - '\brave.exe'
    condition: selection
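The following is an added example, not part of the Sigma rule or the sample-rules page: a small Python evaluator that applies the selection above (the `contains` and `endswith` modifiers, AND across fields, OR within a value list, case-insensitive as Sigma string matching is by default) to a few constructed process-creation events in Sysmon Event ID 1 field naming. The events, paths and command lines are made up for illustration; only event 0 should trigger the rule, because it is the only one where a listed browser parent spawns a listed LOLBIN with a `#` in the command line.

```python
"""Evaluate the FileFix Sigma selection against constructed process-creation events."""
from typing import Any, Dict, List

# Selection reproduced from the rule above. Sigma compares strings
# case-insensitively by default, so every comparison below is lower-cased.
FILEFIX_SELECTION: Dict[str, Any] = {
    "CommandLine|contains": "#",
    "Image|endswith": [
        r"\powershell.exe", r"\pwsh.exe", r"\regsvr32.exe",
        r"\bitsadmin.exe", r"\certutil.exe", r"\mshta.exe",
    ],
    "ParentImage|endswith": [
        r"\chrome.exe", r"\msedge.exe", r"\firefox.exe", r"\brave.exe",
    ],
}


def _field_matches(field_spec: str, expected: Any, event: Dict[str, str]) -> bool:
    """Apply one 'Field|modifier' test; a list of values is OR-ed (Sigma semantics)."""
    field, _, modifier = field_spec.partition("|")
    actual = str(event.get(field, "")).lower()
    candidates = expected if isinstance(expected, list) else [expected]
    for value in candidates:
        value = str(value).lower()
        if modifier == "contains" and value in actual:
            return True
        if modifier == "endswith" and actual.endswith(value):
            return True
        if modifier == "" and actual == value:
            return True
    return False


def selection_matches(selection: Dict[str, Any], event: Dict[str, str]) -> bool:
    """All field tests in a Sigma selection map are AND-ed."""
    return all(_field_matches(spec, exp, event) for spec, exp in selection.items())


def run_rule(events: List[Dict[str, str]]) -> List[int]:
    """Return the indices of events the rule (condition: selection) fires on."""
    return [i for i, e in enumerate(events) if selection_matches(FILEFIX_SELECTION, e)]


# Constructed sample events (Sysmon Event ID 1 field names); not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # 0: browser-spawned PowerShell with '#' in the command line -> fires
        "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'powershell.exe -NoProfile -Command "hostname # C:\Users\jdoe\Documents\invoice.pdf"',
    },
    {   # 1: same parent/child pairing, no '#' -> does not fire
        "ParentImage": r"C:\Program Files\Mozilla Firefox\firefox.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -NoProfile -Command Get-Date",
    },
    {   # 2: '#' present, but the parent is Explorer, not a listed browser -> does not fire
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\mshta.exe",
        "CommandLine": r"mshta.exe C:\temp\page.hta#section",
    },
    {   # 3: browser child that is not one of the listed LOLBINs -> does not fire
        "ParentImage": r"C:\Program Files\Microsoft\Edge\Application\msedge.exe",
        "Image": r"C:\Windows\System32\notepad.exe",
        "CommandLine": "notepad.exe notes.txt # todo",
    },
]


if __name__ == "__main__":
    for idx in run_rule(SAMPLE_EVENTS):
        e = SAMPLE_EVENTS[idx]
        print(f"ALERT event {idx}: {e['ParentImage']} -> {e['Image']} :: {e['CommandLine']}")
```

Running the block prints a single alert for event 0. The evaluator lower-cases both sides before comparing, which matters on Windows telemetry where image paths arrive in mixed case; events 2 and 3 show why the parent and child image constraints are both needed, since a `#` in a command line alone is common and not suspicious on its own.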