FileFix - Suspicious Child Process from Browser File Upload Abuse

Title: FileFix - Suspicious Child Process from Browser File Upload Abuse
Status: experimental
Description:Detects potentially suspicious subprocesses such as LOLBINs spawned by web browsers. This activity could be associated with the "FileFix" social engineering technique, where users are tricked into launching the file explorer via a browser-based phishing page and pasting malicious commands into the address bar. The technique abuses clipboard manipulation and disguises command execution as benign file path access, resulting in covert execution of system utilities.
References:
  -https://mrd0x.com/filefix-clickfix-alternative/
Author: 0xFustang
Date: 2025-06-26
modified:2025-06-30
Tags:

• -'attack.execution'
• -'attack.t1204.004'

Logsource:

• category: process_creation
• product: windows

Detection:
  selection:
    ParentImage|endswith:
      -'\brave.exe'
      -'\chrome.exe'
      -'\firefox.exe'
      -'\msedge.exe'

    Image|endswith:
      -'\bitsadmin.exe'
      -'\certutil.exe'
      -'\cmd.exe'
      -'\mshta.exe'
      -'\powershell.exe'
      -'\pwsh.exe'
      -'\regsvr32.exe'

    CommandLine|contains: '#'
  condition:selection
Falsepositives:
  -Legitimate use of PowerShell or other utilities launched from browser extensions or automation tools
Level: high