Detection rules › Sigma

Suspicious FileFix Execution Pattern

Severity: high
Author: 0xFustang, Swachchhanda Shrawan Poudel (Nextron Systems)
Source: upstream

Detects suspicious FileFix execution patterns, in which users are tricked into running malicious commands through manipulation of the browser's file upload dialog. The attack typically begins when a user visits a malicious website impersonating a legitimate service or news platform; the site displays a fake CAPTCHA challenge or direct instructions to open File Explorer and paste the clipboard contents into it. The clipboard usually holds a command that downloads and executes malware, such as an information-stealing tool.

MITRE ATT&CK coverage

Tactic | Technique
Execution | T1204.004 User Execution: Malicious Copy and Paste

Event coverage

Provider | Event ID | Title
Sysmon | 1 | Process creation
Security-Auditing | 4688 | A new process has been created.

Stages and Predicates

Stage 1: selection_exec_parent

or:
ParentImage|endswith: '\brave.exe'
ParentImage|endswith: '\chrome.exe'
ParentImage|endswith: '\firefox.exe'
ParentImage|endswith: '\msedge.exe'
and:
CommandLine|contains: '#'

Stage 2: 1 of selection_cli_lolbin

or:
CommandLine|contains: '%comspec%'
CommandLine|contains: bitsadmin
CommandLine|contains: certutil
CommandLine|contains: cmd
CommandLine|contains: cscript
CommandLine|contains: curl
CommandLine|contains: finger
CommandLine|contains: mshta
CommandLine|contains: powershell
CommandLine|contains: pwsh
CommandLine|contains: regsvr32
CommandLine|contains: rundll32
CommandLine|contains: schtasks
CommandLine|contains: wget
CommandLine|contains: wscript

Stage 3: 1 of selection_cli_captcha

or:
CommandLine|contains: account
CommandLine|contains: anti-bot
CommandLine|contains: botcheck
CommandLine|contains: captcha
CommandLine|contains: challenge
CommandLine|contains: confirmation
CommandLine|contains: fraud
CommandLine|contains: human
CommandLine|contains: identification
CommandLine|contains: identificator
CommandLine|contains: identity
CommandLine|contains: robot
CommandLine|contains: validation
CommandLine|contains: verification
CommandLine|contains: verify
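To make the combination logic of the three stages concrete, here is an added Python evaluator that applies the predicates listed above to a few constructed process-creation events. It is not code from the rule's authors or from the Sigma project. It follows standard Sigma semantics, which are a fact rather than an assumption: |contains and |endswith are case-insensitive, the four ParentImage values inside selection_exec_parent are OR-combined, and the ParentImage and CommandLine conditions of that selection are AND-combined. The one assumption is that the rule fires only when all three stages hold, which is how the stages are listed here; the sample events are constructed and are not real telemetry.

```python
"""Added example: evaluate the FileFix rule's three stages over constructed
process-creation events. Not the rule's own code; see the lead-in for the
assumptions it makes."""

# Predicate values copied from the stages above.
BROWSER_PARENTS = ("\\brave.exe", "\\chrome.exe", "\\firefox.exe", "\\msedge.exe")
LOLBIN_TOKENS = (
    "%comspec%", "bitsadmin", "certutil", "cmd", "cscript", "curl", "finger",
    "mshta", "powershell", "pwsh", "regsvr32", "rundll32", "schtasks", "wget",
    "wscript",
)
CAPTCHA_TOKENS = (
    "account", "anti-bot", "botcheck", "captcha", "challenge", "confirmation",
    "fraud", "human", "identification", "identificator", "identity", "robot",
    "validation", "verification", "verify",
)


def contains_hits(value: str, tokens) -> list:
    """Sigma's |contains is a case-insensitive substring test. Return every
    token that hits so an analyst can see exactly what triggered."""
    lowered = value.lower()
    return [t for t in tokens if t.lower() in lowered]


def evaluate(event: dict) -> dict:
    """Evaluate one event carrying the Sigma field names ParentImage and
    CommandLine. Stage 1: parent is one of the four browsers AND the command
    line contains '#'. Assumption: the rule fires only when all three stages
    hold."""
    parent = event.get("ParentImage", "").lower()
    cli = event.get("CommandLine", "")
    stage1 = parent.endswith(BROWSER_PARENTS) and "#" in cli
    lolbin_hits = contains_hits(cli, LOLBIN_TOKENS)
    captcha_hits = contains_hits(cli, CAPTCHA_TOKENS)
    return {
        "stage1_browser_parent_with_hash": stage1,
        "lolbin_hits": lolbin_hits,
        "captcha_hits": captcha_hits,
        "match": stage1 and bool(lolbin_hits) and bool(captcha_hits),
    }


# Constructed sample events (not real telemetry). The first mimics the
# FileFix pattern: a browser-spawned shell whose command line carries a
# '#'-prefixed lure, so only the lure text is visible in the address bar.
SAMPLE_EVENTS = [
    {
        "ParentImage": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
        "CommandLine": 'C:\\Windows\\System32\\cmd.exe /c "echo FILEFIX-TEST"'
                       " # Captcha verification: I am not a robot",
    },
    {   # Lure vocabulary and a LOLBIN, but the parent is not a browser.
        "ParentImage": "C:\\Windows\\explorer.exe",
        "CommandLine": "powershell.exe -File C:\\scripts\\verify-backup.ps1 # nightly",
    },
    {   # Browser child with '#' and a LOLBIN, but no lure vocabulary.
        "ParentImage": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
        "CommandLine": "cmd.exe /c echo #build-42",
    },
    {   # Ordinary browser child process: no '#', no LOLBIN, no lure words.
        "ParentImage": "C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe",
        "CommandLine": '"msedge.exe" --type=renderer --lang=en-US',
    },
]


def scan(events=SAMPLE_EVENTS) -> list:
    """Return the indices of the events the rule would flag."""
    return [i for i, ev in enumerate(events) if evaluate(ev)["match"]]


if __name__ == "__main__":
    for i, ev in enumerate(SAMPLE_EVENTS):
        print(i, evaluate(ev))
    print("flagged:", scan())
```

Only the first event is flagged. The second and third show why all three stages are needed: tokens such as cmd, human or verify are broad substrings that hit ordinary command lines, so the discriminating part of the rule is the browser parent combined with the '#' that hides the command behind the lure text. Note that the evaluator uses Sysmon Event 1 field names; Security event 4688 carries the parent as ParentProcessName and includes the command line only when command-line auditing is enabled, and it is the Sigma backend's field mapping that reconciles the two.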

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field | Kind | Values
CommandLine | match |
  • # corpus 3 (sigma 3)
  • %comspec% corpus 3 (sigma 3)
  • account corpus 2 (sigma 2)
  • anti-bot corpus 2 (sigma 2)
  • bitsadmin corpus 5 (sigma 5)
  • botcheck corpus 2 (sigma 2)
  • captcha corpus 2 (sigma 2)
  • certutil corpus 5 (sigma 5)
  • challenge corpus 2 (sigma 2)
  • cmd corpus 5 (sigma 5)
  • confirmation corpus 2 (sigma 2)
  • cscript corpus 12 (sigma 12)
  • curl corpus 3 (sigma 3)
  • finger corpus 2 (sigma 2)
  • fraud corpus 2 (sigma 2)
  • human corpus 2 (sigma 2)
  • identification corpus 2 (sigma 2)
  • identificator corpus 2 (sigma 2)
  • identity corpus 2 (sigma 2)
  • mshta corpus 11 (sigma 11)
  • powershell corpus 16 (sigma 16)
  • pwsh corpus 5 (sigma 5)
  • regsvr32 corpus 11 (sigma 11)
  • robot corpus 2 (sigma 2)
  • rundll32 corpus 19 (sigma 19)
  • schtasks corpus 3 (sigma 3)
  • validation corpus 2 (sigma 2)
  • verification corpus 2 (sigma 2)
  • verify corpus 2 (sigma 2)
  • wget corpus 2 (sigma 2)
  • wscript corpus 12 (sigma 12)
ParentImage | ends_with |
  • \brave.exe corpus 2 (sigma 2)
  • \chrome.exe corpus 4 (sigma 4)
  • \firefox.exe corpus 3 (sigma 3)
  • \msedge.exe corpus 3 (sigma 3)