Potential Fake CAPTCHA Phishing Attack

  1[metadata]
  2creation_date = "2025/08/19"
  3integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
  4maturity = "production"
  5updated_date = "2025/08/19"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Identifies potential fake CAPTCHA phishing attack based on PowerShell or Cmd argument values. Adversaries employ this
 11technique via compromised websites with browser injects, posing either as fake CAPTCHAs to access the site or as a page
 12loading error requiring a fix to display the page. The victim is instructed to copy and past a malicious command to
 13the Windows Run dialog box.
 14"""
 15from = "now-9m"
 16index = [
 17    "logs-endpoint.events.process-*",
 18    "logs-crowdstrike.fdr*",
 19    "logs-m365_defender.event-*",
 20    "logs-sentinel_one_cloud_funnel.*",
 21    "logs-system.security*",
 22    "logs-windows.forwarded*",
 23    "logs-windows.sysmon_operational-*",
 24    "winlogbeat-*",
 25]
 26language = "eql"
 27license = "Elastic License v2"
 28name = "Potential Fake CAPTCHA Phishing Attack"
 29note = """## Triage and analysis
 30
 31> **Disclaimer**:
 32> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 33
 34### Investigating Potential Fake CAPTCHA Phishing Attack
 35
 36### Possible investigation steps
 37
 38- Review the process command line and arguments to identify any malicious intent.
 39- Review web activity preceeding the alert to identify the initial vector.
 40- Investigate any network activity or child processes from the suspected process.
 41- Correlate the event with other security alerts or logs from the same host or user to identify patterns or additional indicators of compromise.
 42- Assess the risk and impact of the detected activity by considering the context of the environment, such as the presence of sensitive data or critical systems that might be affected.
 43
 44### False positive analysis
 45
 46- Legitimate administrative scripts containing the suspicious keywords such as CAPTCHA.
 47
 48### Response and remediation
 49
 50- Immediately isolate the affected system from the network to prevent further spread or communication with potential command and control servers.
 51- Terminate any suspicious processes identified by the detection rule to halt ongoing malicious activities.
 52- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any malicious payloads or scripts.
 53- Review and clean up any unauthorized changes to system configurations or scheduled tasks that may have been altered by the malicious PowerShell activity.
 54- Restore any affected files or system components from known good backups to ensure system integrity and functionality.
 55- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are compromised.
 56- Implement additional monitoring and logging for PowerShell activities across the network to enhance detection of similar threats in the future."""
 57risk_score = 73
 58rule_id = "fbad57ec-4442-48db-a34f-5ee907b44a22"
 59severity = "high"
 60tags = [
 61    "Domain: Endpoint",
 62    "OS: Windows",
 63    "Use Case: Threat Detection",
 64    "Tactic: Execution",
 65    "Data Source: Windows Security Event Logs",
 66    "Data Source: Elastic Defend",
 67    "Data Source: Sysmon",
 68    "Data Source: SentinelOne",
 69    "Data Source: Microsoft Defender for Endpoint",
 70    "Data Source: Crowdstrike",
 71    "Resources: Investigation Guide",
 72]
 73timestamp_override = "event.ingested"
 74type = "eql"
 75
 76query = '''
 77process where host.os.type == "windows" and event.type == "start" and
 78 process.name : ("powershell.exe", "cmd.exe", "mshta.exe") and process.parent.name : "explorer.exe" and
 79 process.command_line : ("*recaptcha *", "*CAPTCHA Verif*", "*complete verification*", "*Verification ID*", "*Verification Code*", "*Verification UID*",
 80                         "*hυmаn vаlіdаtiοn*", "*human ID*", "*Action Identificator*", "*not a robot*", "*Click OK to*", "*anti-robot test*",
 81                         "*Cloudflare ID*")
 82'''
 83
 84
 85[[rule.threat]]
 86framework = "MITRE ATT&CK"
 87[[rule.threat.technique]]
 88id = "T1059"
 89name = "Command and Scripting Interpreter"
 90reference = "https://attack.mitre.org/techniques/T1059/"
 91[[rule.threat.technique.subtechnique]]
 92id = "T1059.001"
 93name = "PowerShell"
 94reference = "https://attack.mitre.org/techniques/T1059/001/"
 95
 96[[rule.threat.technique.subtechnique]]
 97id = "T1059.003"
 98name = "Windows Command Shell"
 99reference = "https://attack.mitre.org/techniques/T1059/003/"
100
101
102
103[rule.threat.tactic]
104id = "TA0002"
105name = "Execution"
106reference = "https://attack.mitre.org/tactics/TA0002/"
107
108
109[[rule.threat]]
110framework = "MITRE ATT&CK"
111[[rule.threat.technique]]
112id = "T1218"
113name = "System Binary Proxy Execution"
114reference = "https://attack.mitre.org/techniques/T1218/"
115[[rule.threat.technique.subtechnique]]
116id = "T1218.005"
117name = "Mshta"
118reference = "https://attack.mitre.org/techniques/T1218/005/"
119
120
121
122[rule.threat.tactic]
123id = "TA0005"
124name = "Defense Evasion"
125reference = "https://attack.mitre.org/tactics/TA0005/"
126
127
128[[rule.threat]]
129framework = "MITRE ATT&CK"
130[[rule.threat.technique]]
131id = "T1566"
132name = "Phishing"
133reference = "https://attack.mitre.org/techniques/T1566/"
134[[rule.threat.technique.subtechnique]]
135id = "T1566.001"
136name = "Spearphishing Attachment"
137reference = "https://attack.mitre.org/techniques/T1566/001/"
138
139
140
141[rule.threat.tactic]
142id = "TA0001"
143name = "Initial Access"
144reference = "https://attack.mitre.org/tactics/TA0001/"```