Suspicious FileFix Execution Pattern

Original Source: [Sigma source]
Title: Suspicious FileFix Execution Pattern
Status: experimental
Description: Detects suspicious FileFix execution patterns where users are tricked into running malicious commands through browser file upload dialog manipulation. This attack typically begins when users visit malicious websites impersonating legitimate services or news platforms, which may display fake CAPTCHA challenges or direct instructions to open File Explorer and paste clipboard content. The clipboard content usually contains commands that download and execute malware, such as information-stealing tools.
References:
  - https://mrd0x.com/filefix-clickfix-alternative/
  - https://expel.com/blog/cache-smuggling-when-a-picture-isnt-a-thousand-words/
  - https://blog.checkpoint.com/research/filefix-the-new-social-engineering-attack-building-on-clickfix-tested-in-the-wild/
Author: 0xFustang, Swachchhanda Shrawan Poudel (Nextron Systems)
Date: 2025-11-24
Modified: None
Tags:
  - attack.execution
  - attack.t1204.004
Logsource:
  category: process_creation
  product: windows
Detection:
  selection_exec_parent:
    ParentImage|endswith:
      - '\brave.exe'
      - '\chrome.exe'
      - '\firefox.exe'
      - '\msedge.exe'
    CommandLine|contains: '#'
  selection_cli_lolbin:
    CommandLine|contains:
      - '%comspec%'
      - 'bitsadmin'
      - 'certutil'
      - 'cmd'
      - 'cscript'
      - 'curl'
      - 'finger'
      - 'mshta'
      - 'powershell'
      - 'pwsh'
      - 'regsvr32'
      - 'rundll32'
      - 'schtasks'
      - 'wget'
      - 'wscript'
  selection_cli_captcha:
    CommandLine|contains:
      - 'account'
      - 'anti-bot'
      - 'botcheck'
      - 'captcha'
      - 'challenge'
      - 'confirmation'
      - 'fraud'
      - 'human'
      - 'identification'
      - 'identificator'
      - 'identity'
      - 'robot'
      - 'validation'
      - 'verification'
      - 'verify'
  condition: selection_exec_parent and 1 of selection_cli_*
Falsepositives:
  - Legitimate use of PowerShell or other utilities launched from browser extensions or automation tools
Level: high
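To see how the condition above behaves on real telemetry shapes, here is an added Python re-implementation of the rule's matching logic (not part of the Sigma rule or the Sigma project) run over constructed process_creation events; the event field names and the sample command lines are assumptions made for the example.

```python
# Added example: re-implements the Sigma rule's matching logic and evaluates it
# against constructed process_creation events. Not code from the Sigma project.
from dataclasses import dataclass

# Selection values copied from the rule. Sigma string modifiers
# (endswith/contains) are case-insensitive by default, so we compare lowercased.
BROWSER_PARENTS = ("\\brave.exe", "\\chrome.exe", "\\firefox.exe", "\\msedge.exe")
LOLBIN_KEYWORDS = ("%comspec%", "bitsadmin", "certutil", "cmd", "cscript", "curl",
                   "finger", "mshta", "powershell", "pwsh", "regsvr32", "rundll32",
                   "schtasks", "wget", "wscript")
CAPTCHA_KEYWORDS = ("account", "anti-bot", "botcheck", "captcha", "challenge",
                    "confirmation", "fraud", "human", "identification",
                    "identificator", "identity", "robot", "validation",
                    "verification", "verify")


@dataclass
class ProcessEvent:
    """Assumed minimal process_creation event: ParentImage and CommandLine."""
    parent_image: str
    command_line: str


def matches_filefix_rule(event: ProcessEvent) -> bool:
    parent = event.parent_image.lower()
    cmd = event.command_line.lower()
    # selection_exec_parent: parent is one of the listed browsers AND '#' in CommandLine.
    if not (parent.endswith(BROWSER_PARENTS) and "#" in cmd):
        return False
    # condition: ... and 1 of selection_cli_* -> either keyword group may match.
    return any(k in cmd for k in LOLBIN_KEYWORDS) or any(k in cmd for k in CAPTCHA_KEYWORDS)


# Constructed sample telemetry (placeholder payload; no real captured events).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                 r'powershell -w hidden -c "<placeholder>" # C:\Users\Public\verification.pdf'),
    # Browser child with '#' in a document name but no LOLBin/lure keyword: no alert.
    ProcessEvent(r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                 r'"C:\Program Files\Adobe\Acrobat.exe" "C:\Users\u\Downloads\invoice#2.pdf"'),
    # Same keywords, but the parent is Explorer, not a browser: no alert.
    ProcessEvent(r"C:\Windows\explorer.exe", r"cmd /c curl http://example.invalid # verify"),
    ProcessEvent(r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
                 r"C:\Windows\System32\cmd.exe /c curl http://example.invalid/a # robot check"),
]


def evaluate(events=SAMPLE_EVENTS) -> list[bool]:
    return [matches_filefix_rule(e) for e in events]


if __name__ == "__main__":
    for ev, hit in zip(SAMPLE_EVENTS, evaluate()):
        print("ALERT " if hit else "ok    ", ev.parent_image.rsplit("\\", 1)[-1], "|", ev.command_line)
```

The second event shows why the `'#'` check alone is not enough and why the `1 of selection_cli_*` clause matters; the third shows the parent-process gate doing its job.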