Potential Fake CAPTCHA Phishing Attack

Identifies potential fake CAPTCHA phishing attacks based on PowerShell, Cmd, or Mshta command-line values. Adversaries employ this technique via compromised websites with browser injects, posing either as fake CAPTCHAs to access the site or as a page loading error requiring a fix to display the page. The victim is instructed to copy and paste a malicious command to the Windows Run dialog box.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2025/08/19"
integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
maturity = "production"
updated_date = "2026/05/03"

[rule]
author = ["Elastic"]
description = """
Identifies potential fake CAPTCHA phishing attacks based on PowerShell, Cmd, or Mshta command-line values. Adversaries employ this
technique via compromised websites with browser injects, posing either as fake CAPTCHAs to access the site or as a page
loading error requiring a fix to display the page. The victim is instructed to copy and paste a malicious command to
the Windows Run dialog box.
"""
from = "now-9m"
index = [
    "logs-endpoint.events.process-*",
    "logs-crowdstrike.fdr*",
    "logs-m365_defender.event-*",
    "logs-sentinel_one_cloud_funnel.*",
    "logs-system.security*",
    "logs-windows.forwarded*",
    "logs-windows.sysmon_operational-*",
    "winlogbeat-*",
]
language = "eql"
license = "Elastic License v2"
name = "Potential Fake CAPTCHA Phishing Attack"
risk_score = 73
rule_id = "fbad57ec-4442-48db-a34f-5ee907b44a22"
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Execution",
    "Data Source: Windows Security Event Logs",
    "Data Source: Elastic Defend",
    "Data Source: Sysmon",
    "Data Source: SentinelOne",
    "Data Source: Microsoft Defender XDR",
    "Data Source: Crowdstrike",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "windows" and event.type == "start" and
 process.name : ("powershell.exe", "cmd.exe", "mshta.exe") and process.parent.name : "explorer.exe" and
 process.command_line : ("*recaptcha *", "*CAPTCHA Verif*", "*complete verification*", "*Verification ID*", "*Verification Code*", "*Verification UID*",
                         "*hυmаn vаlіdаtiοn*", "*human ID*", "*Action Identificator*", "*not a robot*", "*Click OK to*", "*anti-robot test*",
                         "*Cloudflare ID*")
'''

note = """## Triage and analysis

### Investigating Potential Fake CAPTCHA Phishing Attack
#### Possible investigation steps

- What does the pasted command do after the CAPTCHA or verification text?
  - Why: lure text is the wrapper; payload behavior separates clickfix execution from testing or inert copy text.
  - Focus: `process.name`, `process.command_line`, `process.parent.name`, and `process.parent.command_line` for URLs, encoded content, inline script, archive handling, or handoff to "mshta.exe", "cmd.exe", or "powershell.exe".
  - Hint: fake-update or page-fix wording is the same abuse path when the command downloads, decodes, or hands execution to another utility.
  - Implication: escalate when the command downloads content, rebuilds a payload, invokes another script host, or hides work after CAPTCHA wording; lower suspicion only for a bounded authorized simulation or lab command with no second-stage behavior.

- Is the shell or proxy binary and launch context consistent with paste-and-run clickfix?
  - Focus: `process.executable`, `process.parent.executable`, `process.parent.command_line`, and `user.id`.
  - Implication: escalate faster when the binary is renamed, user-writable, or launched from an unusual parent context for the user; a native shell path confirms identity but does not clear suspicious command content.

- Do children from the alerting instance show payload execution or follow-on tooling?
  - Focus: child starts where `process.parent.entity_id` maps to `process.entity_id`, reviewing child `process.executable` and `process.command_line`. $investigate_2
  - Hint: if `process.entity_id` is absent, recover children with `host.id` + `process.pid` in a tight alert-time window and treat the match as weaker.
  - Implication: escalate when the same shell or "mshta.exe" starts installers, script hosts, archive tools, credential tooling, or more shells; no children reduce scope only if command intent and artifact/destination evidence also stay bounded.

- If file telemetry is available, did the process stage scripts, HTAs, archives, or payloads?
  - Focus: process-scoped file events using `host.id` + `process.entity_id`, or `host.id` + `process.pid` as fallback, reviewing `file.path`, `file.origin_url`, and `file.Ext.windows.zone_identifier`. $investigate_4
  - Implication: escalate when artifacts land in temp, downloads, desktop, public, startup, or other user-writable paths, carry internet provenance, or later execute; missing file telemetry is unresolved, not benign.

- If network telemetry is available, did the process retrieve payloads or contact callbacks?
  - Focus: process-scoped network events using `host.id` + `process.entity_id`, separating DNS `dns.question.name` from connection `destination.ip` / `destination.port`. $investigate_3
  - Hint: if `process.entity_id` is absent, use `host.id` + `process.pid` and a tight alert-time window. Missing network telemetry is unresolved, not benign.
  - Implication: escalate when the same process reaches rare public domains, direct IPs, paste/file hosts, or service ports fitting retrieval or callback behavior; lower suspicion only when destinations belong to the same authorized simulation or lab workflow.

- Do surrounding process events explain the lure path into "explorer.exe"?
  - Focus: same `host.id` and `user.id` process timeline, especially browser, chat, mail, archive, or download-manager starts in `process.name`, `process.parent.executable`, and `process.parent.command_line`. $investigate_5
  - Implication: escalate when a browser/chat/download chain immediately precedes the paste-run shell or no controlled source explains the lure; lower suspicion when the sequence matches a planned awareness platform or lab harness and the command remains bounded.

- If local findings stay suspicious or unresolved, do related alerts change scope?
  - Focus: recent alerts for the same `host.id`, then `user.id`, emphasizing reuse of the command fragment, shell/proxy binary, recovered artifact, destination, or persistence chain. $investigate_0
  - Hint: use the user view after the host view, or when a shared host needs actor scoping for the command or lure pattern. $investigate_1
  - Implication: broaden response when related alerts show the same lure-driven execution pattern on this host or user; quiet alert history does not close the case without a telemetry-backed benign workflow.

- Escalate on clickfix command intent plus suspicious children, staged artifacts, process-scoped destinations, delivery context, or related alerts; close only when alert-local evidence and recovery bind one authorized simulation or lab workflow with no contradiction; if evidence is mixed or visibility incomplete, preserve evidence and escalate.

### False positive analysis

- Security-awareness, phishing-simulation, red-team, malware-analysis, browser-security, and QA labs can intentionally execute fake CAPTCHA samples. Confirm one exact workflow: stable `process.command_line` fragment, expected `process.executable` and `process.parent.name`, bounded `user.id` / `host.id`, and recovered children, artifacts, and destinations that stay inside the exercise or lab set.
- Without exercise or lab records, close only when telemetry proves the same command fragment, parent context, `user.id`, `host.id`, and recovered evidence stayed bounded across prior alerts from this rule. Do not close when child execution, artifact staging, destination activity, or related alerts contradict the expected workflow.
- Build exceptions only from the minimum confirmed workflow: command fragment, process identity, parent context, `user.id`, `host.id`, and any recovered artifact or destination pattern. Avoid exceptions on lure text, "explorer.exe", `process.name`, or a user alone.

### Response and remediation

- If confirmed benign, reverse temporary containment and record the command, process identity, parent context, `user.id`, `host.id`, and recovered supporting evidence that proved the authorized simulation or lab workflow. Create an exception only when that exact workflow recurs.
- If suspicious but unconfirmed, export the alert, process tree, `process.entity_id`, `process.command_line`, child command lines, volatile state, and any recovered artifact paths, domains, IPs, or ports before containment. Apply reversible controls first, such as temporary destination blocks, browser-session reset, heightened monitoring, or endpoint isolation when retrieval, staging, or second-stage execution makes continued connectivity risky.
- If confirmed malicious, isolate the host when command intent plus child, artifact, or destination evidence establishes compromise. Terminate the malicious shell, "mshta.exe", or follow-on children only after evidence is recorded, then block confirmed domains, IPs, hashes, or URLs and reset credentials only if the investigation shows account misuse.
- Eradicate only the staged scripts, HTAs, archives, payloads, or persistence artifacts found during the investigation, then remediate the web, chat, mail, or download path that led the user to run the lure.
- Post-incident hardening: retain process, file, and network telemetry needed for future clickfix triage; review browser protections, clipboard/paste execution controls, and user-awareness coverage; record the confirmed lure wording and paste-run chain in the case notes.
"""

setup = """## Setup

This rule is designed for data generated by [Elastic Defend](https://www.elastic.co/security/endpoint-security), which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules.

Setup instructions: https://ela.st/install-elastic-defend

### Additional data sources

This rule also supports the following third-party data sources. For setup instructions, refer to the links below:

- [CrowdStrike](https://ela.st/crowdstrike-integration)
- [Microsoft Defender XDR](https://ela.st/m365-defender)
- [SentinelOne Cloud Funnel](https://ela.st/sentinel-one-cloud-funnel)
- [Sysmon Event ID 1 - Process Creation](https://ela.st/sysmon-event-1-setup)
- [Windows Process Creation Logs](https://ela.st/audit-process-creation)
"""

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "host.name",
    "host.id",
    "user.id",
    "process.name",
    "process.executable",
    "process.command_line",
    "process.pid",
    "process.entity_id",
    "process.parent.name",
    "process.parent.executable",
    "process.parent.command_line",
]

[transform]

[[transform.investigate]]
label = "Alerts associated with the host"
description = ""
providers = [
  [
    { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" }
  ]
]
relativeFrom = "now-48h/h"
relativeTo = "now"

[[transform.investigate]]
label = "Alerts associated with the user"
description = ""
providers = [
  [
    { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
    { excluded = false, field = "user.id", queryType = "phrase", value = "{{user.id}}", valueType = "string" }
  ]
]
relativeFrom = "now-48h/h"
relativeTo = "now"

[[transform.investigate]]
label = "Child process starts from the same alerting instance"
description = ""
providers = [
  [
    { excluded = false, field = "event.category", queryType = "phrase", value = "process", valueType = "string" },
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.parent.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" }
  ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[transform.investigate]]
label = "Network activity for the alerting instance"
description = ""
providers = [
  [
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" },
    { excluded = false, field = "event.category", queryType = "phrase", value = "network", valueType = "string" }
  ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[transform.investigate]]
label = "File activity for the alerting instance"
description = ""
providers = [
  [
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" },
    { excluded = false, field = "event.category", queryType = "phrase", value = "file", valueType = "string" }
  ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[transform.investigate]]
label = "Process timeline for the host and user"
description = ""
providers = [
  [
    { excluded = false, field = "event.category", queryType = "phrase", value = "process", valueType = "string" },
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "user.id", queryType = "phrase", value = "{{user.id}}", valueType = "string" }
  ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"

[[rule.threat.technique.subtechnique]]
id = "T1059.001"
name = "PowerShell"
reference = "https://attack.mitre.org/techniques/T1059/001/"

[[rule.threat.technique.subtechnique]]
id = "T1059.003"
name = "Windows Command Shell"
reference = "https://attack.mitre.org/techniques/T1059/003/"

[[rule.threat.technique]]
id = "T1204"
name = "User Execution"
reference = "https://attack.mitre.org/techniques/T1204/"

[[rule.threat.technique.subtechnique]]
id = "T1204.004"
name = "Malicious Copy and Paste"
reference = "https://attack.mitre.org/techniques/T1204/004/"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1218"
name = "System Binary Proxy Execution"
reference = "https://attack.mitre.org/techniques/T1218/"

[[rule.threat.technique.subtechnique]]
id = "T1218.005"
name = "Mshta"
reference = "https://attack.mitre.org/techniques/T1218/005/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1189"
name = "Drive-by Compromise"
reference = "https://attack.mitre.org/techniques/T1189/"

[[rule.threat.technique]]
id = "T1566"
name = "Phishing"
reference = "https://attack.mitre.org/techniques/T1566/"

[[rule.threat.technique.subtechnique]]
id = "T1566.001"
name = "Spearphishing Attachment"
reference = "https://attack.mitre.org/techniques/T1566/001/"

[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
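The following is an added example, not code from the Elastic rule or its repository. It re-implements the rule's EQL conditions in Python so the matching semantics can be exercised offline (the `:` operator is a case-insensitive whole-string wildcard match, which is why the trailing space in `"*recaptcha *"` matters), and it implements the child-process recovery from the investigation guide: the `process.parent.entity_id` to `process.entity_id` join as the strong path, and `host.id` + `process.pid` inside a tight alert-time window as the weaker fallback. Field names are the ECS fields the rule itself uses; the assumption that the fallback joins the alert's `process.pid` to each candidate's `process.parent.pid`, and the sample events, are constructed for this example.

```python
"""Added example (not part of the Elastic rule or its repository): the rule's
EQL conditions re-implemented in Python over constructed process events, plus
the child-process recovery from the investigation guide. The fallback join
(alert process.pid -> candidate process.parent.pid) is an assumption."""
import re
from datetime import datetime, timedelta, timezone

# Lure fragments exactly as listed in the rule's query.
LURE_PATTERNS = (
    "*recaptcha *", "*CAPTCHA Verif*", "*complete verification*",
    "*Verification ID*", "*Verification Code*", "*Verification UID*",
    "*hυmаn vаlіdаtiοn*", "*human ID*", "*Action Identificator*",
    "*not a robot*", "*Click OK to*", "*anti-robot test*", "*Cloudflare ID*",
)
SHELLS = ("powershell.exe", "cmd.exe", "mshta.exe")


def eql_wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """EQL's ':' on a keyword field is a case-insensitive whole-string match
    where '*' stands for any run of characters; emulate it with a regex."""
    return re.compile(".*".join(re.escape(p) for p in pattern.split("*")),
                      re.IGNORECASE | re.DOTALL)


_LURE_REGEXES = [eql_wildcard_to_regex(p) for p in LURE_PATTERNS]


def matches_rule(ev: dict) -> bool:
    """True when one event satisfies every clause of the rule's EQL query."""
    return (
        ev.get("host.os.type") == "windows"
        and ev.get("event.category") == "process"
        and ev.get("event.type") == "start"
        and ev.get("process.name", "").lower() in SHELLS
        and ev.get("process.parent.name", "").lower() == "explorer.exe"
        and any(rx.fullmatch(ev.get("process.command_line", "")) for rx in _LURE_REGEXES)
    )


def run_rule(events: list) -> list:
    """Return the events the rule would alert on, in arrival order."""
    return [ev for ev in events if matches_rule(ev)]


def recover_children(events: list, alert: dict, window=timedelta(minutes=5)):
    """Children of the alerting process. The entity_id join is the strong
    path; when the alert carries no process.entity_id, join host.id + pid
    within `window` after the alert and report those matches as weaker."""
    strong, weak = [], []
    eid = alert.get("process.entity_id")
    for ev in events:
        if ev.get("event.category") != "process" or ev.get("event.type") != "start":
            continue
        if ev.get("host.id") != alert.get("host.id"):
            continue  # pid values only mean something on the same host
        if eid:
            if ev.get("process.parent.entity_id") == eid:
                strong.append(ev)
        elif (ev.get("process.parent.pid") == alert.get("process.pid")
              and alert["@timestamp"] <= ev["@timestamp"] <= alert["@timestamp"] + window):
            weak.append(ev)  # pids are reused, so this is weaker evidence
    return strong, weak


# Constructed sample events (not real telemetry). explorer.exe as the parent
# is the Run-dialog paste path the rule keys on.
T0 = datetime(2025, 8, 19, 9, 0, tzinfo=timezone.utc)


def _ev(seconds: int, fields: dict) -> dict:
    base = {"@timestamp": T0 + timedelta(seconds=seconds), "host.os.type": "windows",
            "host.id": "host-a", "event.category": "process", "event.type": "start"}
    return {**base, **fields}


SAMPLE_EVENTS = [
    _ev(0, {"process.name": "powershell.exe", "process.pid": 4120,
            "process.entity_id": "host-a-4120", "process.parent.name": "explorer.exe",
            "process.parent.pid": 1880,
            "process.command_line": 'powershell.exe -NoProfile -Command "Write-Host ok" '
                                    '# I am not a robot - Verification ID: 4821'}),
    _ev(1, {"process.name": "cmd.exe", "process.pid": 4130, "process.parent.name": "chrome.exe",
            "process.command_line": "cmd.exe /c echo not a robot"}),   # wrong parent
    _ev(2, {"process.name": "cmd.exe", "process.pid": 4200, "process.entity_id": "host-a-4200",
            "process.parent.name": "powershell.exe", "process.parent.pid": 4120,
            "process.parent.entity_id": "host-a-4120",
            "process.command_line": "cmd.exe /c echo child"}),          # child of event 0
    _ev(3, {"process.name": "cmd.exe", "process.pid": 4130, "host.id": "host-b",
            "process.parent.name": "powershell.exe", "process.parent.pid": 4120,
            "process.command_line": "cmd.exe /c echo other host"}),     # same pid, other host
    _ev(5, {"process.name": "CMD.EXE", "process.pid": 4300, "process.entity_id": "host-a-4300",
            "process.parent.name": "explorer.exe", "process.parent.pid": 1880,
            "process.command_line": 'CMD.EXE /c "echo CLOUDFLARE ID: 7c1f"'}),  # case-insensitive hit
    _ev(7200, {"process.name": "cmd.exe", "process.pid": 4400,
               "process.parent.name": "powershell.exe", "process.parent.pid": 4120,
               "process.command_line": "cmd.exe /c echo pid reuse"}),   # outside the window
]

if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print("ALERT", hit["process.pid"], hit["process.command_line"])
        print("  children (strong, weak):", recover_children(SAMPLE_EVENTS, hit))
```

Running the script reports two alerts (pids 4120 and 4300). For the first, the entity_id join returns pid 4200 as a strong child; dropping `process.entity_id` from the alert makes the same child come back only through the weaker pid-and-window path, while the same-pid event on `host-b` and the event two hours later are excluded, which is the behaviour the guide's "treat the match as weaker" hint is warning about.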
