Potential Execution via FileFix Phishing Attack

Identifies the execution of Windows commands or downloaded files via the browser's dialog box. Adversaries may use phishing to instruct the victim to copy and paste malicious commands for execution via crafted phishing web pages.

Elastic rule

[metadata]
creation_date = "2025/08/20"
integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"]
maturity = "production"
updated_date = "2026/05/03"

[rule]
author = ["Elastic"]
description = """
Identifies the execution of Windows commands or downloaded files via the browser's dialog box. Adversaries may use
phishing to instruct the victim to copy and paste malicious commands for execution via crafted phishing web pages.
"""
from = "now-9m"
index = [
    "logs-endpoint.events.process-*",
    "logs-m365_defender.event-*",
    "logs-sentinel_one_cloud_funnel.*",
    "logs-windows.sysmon_operational-*",
    "winlogbeat-*"
]
language = "eql"
license = "Elastic License v2"
name = "Potential Execution via FileFix Phishing Attack"
references = ["https://mrd0x.com/filefix-clickfix-alternative/"]
risk_score = 73
rule_id = "7dc45430-7407-4790-b89e-c857c3f6bf23"
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Execution",
    "Data Source: Windows Security Event Logs",
    "Data Source: Elastic Defend",
    "Data Source: Sysmon",
    "Data Source: SentinelOne",
    "Data Source: Microsoft Defender XDR",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "windows" and event.type == "start" and
 process.parent.args == "--message-loop-type-ui" and process.parent.args == "--service-sandbox-type=none" and
 (
  process.name : ("pwsh.exe", "powershell.exe", "curl.exe", "msiexec.exe", "mshta.exe", "wscript.exe", "cscript.exe", "rundll32.exe", "certutil.exe", "certreq.exe") or
  process.executable : "?:\\Users\\*\\Downloads\\*"
  ) and
not (process.name : "rundll32.exe" and process.args : ("ndfapi.dll,NdfRunDllDiagnoseWithAnswerFile", "shwebsvc.dll,AddNetPlaceRunDll"))
'''

note = """## Triage and analysis

### Investigating Potential Execution via FileFix Phishing Attack

#### Possible investigation steps

- Does the alert show the FileFix browser-to-Explorer execution path?
  - Focus: alert-local `process.parent.executable`, `process.parent.args`, `process.name`, `process.executable`, and `process.command_line`.
  - Implication: escalate when a Chromium-style file-picker parent using "--message-loop-type-ui" and "--service-sandbox-type=none" launches PowerShell, curl, certutil, certreq, msiexec, mshta, rundll32, wscript, cscript, or a "?:\\Users\\*\\Downloads\\*" executable; lower suspicion only when the child is a signed installer or diagnostic tool and the parent/command shape matches a recognized browser-initiated support or install flow.
- Is the launched child the expected binary for that workflow?
  - Focus: `process.executable`, `process.pe.original_file_name`, `process.code_signature.subject_name`, and `process.code_signature.trusted`; recover absent values from same-process events. $investigate_0
  - Implication: escalate when the path is user-writable or signer/original name mismatches the expected tool; lower identity risk when signer, original name, path, and known hash history fit, but continue command-intent checks.
- Does the command line reveal pasted-command social engineering?
  - Focus: `process.command_line` and `process.name`.
  - Implication: escalate when the command hides execution before a fake path or comment, invokes PowerShell or a LOLBin to retrieve/run content, or starts a "%USERPROFILE%\\Downloads" payload directly; lower suspicion only when arguments open the signed installer or diagnostic tool with no hidden command, URL, or shell operator.
- Does a Downloads-path child look newly staged or renamed?
  - Focus: `process.executable`, `process.Ext.relative_file_creation_time`, `process.Ext.relative_file_name_modify_time`, `process.code_signature.thumbprint_sha256`, and same-process file writes/renames; recover absent process values from same-process events. $investigate_2
  - Hint: for the downloaded-EXE variant, process file-age is the recovery signal; absent file provenance does not make a Downloads path benign.
  - Implication: escalate when a Downloads or other user-profile executable runs shortly after creation or rename, especially with weak identity; lower suspicion when file age, stable signer, and path match the same recognized update or support workflow.
- Did the launched child spawn follow-on tools?
  - Focus: child process starts from `process.entity_id`, then descendant `process.executable` and `process.command_line`. $investigate_1
  - Hint: if entity IDs are unavailable, fall back to parent PID plus a tight alert-time window on the same host.
  - Implication: escalate when the chain fans out into shells, script hosts, installers, archive tools, or task/scheduler utilities; no descendants keeps scope local but does not clear suspicious command intent or identity mismatch.
- Did the launched child contact retrieval or staging destinations?
  - Focus: same-process network events for `destination.ip`, `destination.port`, and destination ownership when available. $investigate_3
  - Implication: escalate when PowerShell, curl, certutil, certreq, mshta, or another child reaches external staging, paste, storage, or command-and-control infrastructure; missing network telemetry is unresolved, not benign.
- If local evidence remains suspicious or unresolved, does the pattern recur for this user or host?
  - Focus: related alerts and process starts for the same `user.id` and `host.id`, comparing `process.parent.args` and child `process.command_line`.
  - Hint: review related user alerts with $investigate_4
  - Hint: review related host alerts with $investigate_5
  - Implication: broaden scope when the same browser-parented shell, LOLBin, or Downloads-path launch repeats for this user, host, or other users; keep the case local when it is isolated and the process evidence resolves cleanly.
- Escalate when ancestry, child identity, command intent, file age, descendants, network, or recurrence supports user-assisted command execution or downloaded payload launch; close only when process evidence shows a signed installer or diagnostic identity, non-hidden command shape, expected file age/path, no suspicious descendants, no suspicious network where telemetry exists, and no related spread; preserve evidence and escalate when facts conflict or remain incomplete.

### False positive analysis

- Signed browser-initiated installer/diagnostic workflows or authorized security tests can trigger. Confirm exact alignment across parent flags, child path, signer, hash, command line, user, host, timing, and absence of suspicious descendants; do not close on a ticket or owner statement if process evidence conflicts.
- Before creating an exception, require recurrence with stable `process.parent.executable`, `process.parent.args`, `process.executable`, `process.code_signature.thumbprint_sha256`, command-line shape, `user.id`, and `host.id`. Avoid exceptions on browser parentage, `process.name`, or Downloads-path execution alone.

### Response and remediation

- If suspicious but unconfirmed, first preserve the alert event, same-process event export, descendant process timeline, command-line text, parent context, child binary copy, hash and signature details, and the affected user/host identifiers.
- Apply reversible containment only after preservation, such as restricting the affected browser session or account, blocking the exact child hash, or quarantining the downloaded child binary. Escalate to host isolation only when command intent, identity, or descendants indicate likely payload execution.
- If confirmed malicious, isolate the host when the launched child or descendants executed payloads, then terminate the child and descendants after recording identifiers. Do not reset credentials from this alert alone; use identity response only when separate evidence proves credential exposure or account misuse.
- Eradicate only the downloaded executables, scripts, task utilities, or secondary payloads identified in the process timeline, then remediate the phishing page access or browser session that enabled the user-assisted execution.
- If confirmed benign, reverse temporary containment and document the exact parent flags, child identity, command shape, user, host, and outside confirmation that proved the workflow. Create an exception only after the stable bounded pattern recurs.
- Post-incident hardening: restrict direct execution from user download locations where feasible, warn on browser-file-picker social engineering, retain process telemetry needed for the pivots above, and document the FileFix variant observed in the case record."""

setup = """## Setup

This rule is designed for data generated by [Elastic Defend](https://www.elastic.co/security/endpoint-security), which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules.

Setup instructions: https://ela.st/install-elastic-defend

### Additional data sources

This rule also supports the following third-party data sources. For setup instructions, refer to the links below:

- [Microsoft Defender XDR](https://ela.st/m365-defender)
- [SentinelOne Cloud Funnel](https://ela.st/sentinel-one-cloud-funnel)
- [Sysmon Event ID 1 - Process Creation](https://ela.st/sysmon-event-1-setup)
"""

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "host.id",
    "user.id",
    "process.entity_id",
    "process.pid",
    "process.executable",
    "process.command_line",
    "process.pe.original_file_name",
    "process.code_signature.subject_name",
    "process.code_signature.trusted",
    "process.code_signature.thumbprint_sha256",
    "process.Ext.relative_file_creation_time",
    "process.Ext.relative_file_name_modify_time",
    "process.parent.executable",
    "process.parent.command_line",
]

[transform]

[[transform.investigate]]
label = "Events for the launched process on this host"
description = ""
providers = [
  [
    { excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" },
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" }
  ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[transform.investigate]]
label = "Child process starts from the launched process"
description = ""
providers = [
  [
    { excluded = false, field = "event.category", queryType = "phrase", value = "process", valueType = "string" },
    { excluded = false, field = "event.type", queryType = "phrase", value = "start", valueType = "string" },
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.parent.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" }
  ],
  [
    { excluded = false, field = "event.category", queryType = "phrase", value = "process", valueType = "string" },
    { excluded = false, field = "event.type", queryType = "phrase", value = "start", valueType = "string" },
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.parent.pid", queryType = "phrase", value = "{{process.pid}}", valueType = "string" }
  ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[transform.investigate]]
label = "File events for the launched process"
description = ""
providers = [
  [
    { excluded = false, field = "event.category", queryType = "phrase", value = "file", valueType = "string" },
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" }
  ],
  [
    { excluded = false, field = "event.category", queryType = "phrase", value = "file", valueType = "string" },
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.pid", queryType = "phrase", value = "{{process.pid}}", valueType = "string" }
  ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[transform.investigate]]
label = "Network events for the launched process"
description = ""
providers = [
  [
    { excluded = false, field = "event.category", queryType = "phrase", value = "network", valueType = "string" },
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" }
  ],
  [
    { excluded = false, field = "event.category", queryType = "phrase", value = "network", valueType = "string" },
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.pid", queryType = "phrase", value = "{{process.pid}}", valueType = "string" }
  ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[transform.investigate]]
label = "Alerts associated with the user"
description = ""
providers = [
  [
    { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
    { excluded = false, field = "user.id", queryType = "phrase", value = "{{user.id}}", valueType = "string" }
  ]
]
relativeFrom = "now-48h/h"
relativeTo = "now"

[[transform.investigate]]
label = "Alerts associated with the host"
description = ""
providers = [
  [
    { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" }
  ]
]
relativeFrom = "now-48h/h"
relativeTo = "now"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"

[[rule.threat.technique.subtechnique]]
id = "T1059.001"
name = "PowerShell"
reference = "https://attack.mitre.org/techniques/T1059/001/"

[[rule.threat.technique.subtechnique]]
id = "T1059.003"
name = "Windows Command Shell"
reference = "https://attack.mitre.org/techniques/T1059/003/"

[[rule.threat.technique]]
id = "T1204"
name = "User Execution"
reference = "https://attack.mitre.org/techniques/T1204/"

[[rule.threat.technique.subtechnique]]
id = "T1204.002"
name = "Malicious File"
reference = "https://attack.mitre.org/techniques/T1204/002/"

[[rule.threat.technique.subtechnique]]
id = "T1204.004"
name = "Malicious Copy and Paste"
reference = "https://attack.mitre.org/techniques/T1204/004/"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1218"
name = "System Binary Proxy Execution"
reference = "https://attack.mitre.org/techniques/T1218/"

[[rule.threat.technique.subtechnique]]
id = "T1218.005"
name = "Mshta"
reference = "https://attack.mitre.org/techniques/T1218/005/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1566"
name = "Phishing"
reference = "https://attack.mitre.org/techniques/T1566/"

[[rule.threat.technique.subtechnique]]
id = "T1566.001"
name = "Spearphishing Attachment"
reference = "https://attack.mitre.org/techniques/T1566/001/"

[[rule.threat.technique.subtechnique]]
id = "T1566.002"
name = "Spearphishing Link"
reference = "https://attack.mitre.org/techniques/T1566/002/"

[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
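As an added example that is not part of the rule or Elastic's code, the query's matching logic re-implemented in plain Python and run over constructed ECS-style process events (field names follow the rule; the events, paths and command lines are constructed samples). It shows the two-flag parent requirement, the case-insensitive Downloads wildcard, the rundll32 exclusion clause, and, separately, the "#"-comment-before-a-path triage heuristic the guide describes, which is not part of the EQL.

```python
"""Plain-Python re-implementation of the rule's EQL match, run over constructed
ECS-style events. Added example, not Elastic's code; events are constructed samples."""
import re
from fnmatch import fnmatchcase

# Chromium file-picker/utility-process flags the query requires on the parent.
PARENT_FLAGS = {"--message-loop-type-ui", "--service-sandbox-type=none"}
# Interpreters and LOLBins the query names as children (lower-cased: EQL ':' is case-insensitive).
SUSPICIOUS_CHILDREN = {
    "pwsh.exe", "powershell.exe", "curl.exe", "msiexec.exe", "mshta.exe",
    "wscript.exe", "cscript.exe", "rundll32.exe", "certutil.exe", "certreq.exe",
}
# EQL wildcard "?:\\Users\\*\\Downloads\\*": '?' is one character, '*' any run.
DOWNLOADS_GLOB = r"?:\users\*\downloads\*"
# Benign rundll32 entry points the query excludes (network diagnostics and the
# Add Network Place wizard), lower-cased for the case-insensitive compare.
RUNDLL32_EXCLUSIONS = {"ndfapi.dll,ndfrundlldiagnosewithanswerfile",
                       "shwebsvc.dll,addnetplacerundll"}
# Triage heuristic from the guide, not part of the EQL: a '#' comment followed by
# a Windows-path-looking string, so the pasted command reads as a file path.
COMMENTED_PATH = re.compile(r"#\s*[A-Za-z]:\\")


def matches_filefix(event: dict) -> bool:
    """Return True when an ECS process event satisfies the rule's query."""
    if event.get("host", {}).get("os", {}).get("type") != "windows":
        return False
    if event.get("event", {}).get("type") != "start":
        return False
    proc = event.get("process", {})
    # EQL '==' on an array field is true if any element equals the value, so
    # both flags must appear somewhere in the parent's argv.
    if not PARENT_FLAGS <= set(proc.get("parent", {}).get("args", [])):
        return False
    name = proc.get("name", "").lower()
    in_downloads = fnmatchcase(proc.get("executable", "").lower(), DOWNLOADS_GLOB)
    if name not in SUSPICIOUS_CHILDREN and not in_downloads:
        return False
    # Exclusion clause: rundll32 running one of the two known-benign entry points.
    args = proc.get("args", [])
    if name == "rundll32.exe" and any(a.lower() in RUNDLL32_EXCLUSIONS for a in args):
        return False
    return True


def hides_command_behind_path(command_line: str) -> bool:
    """Flag the pasted-command shape the triage guide describes."""
    return bool(COMMENTED_PATH.search(command_line))


def _event(parent_args, name, executable, args=(), command_line=""):
    """Constructed Windows process-start event in ECS shape (chrome.exe parent)."""
    return {"host": {"os": {"type": "windows"}}, "event": {"type": "start"},
            "process": {"name": name, "executable": executable, "args": list(args),
                        "command_line": command_line,
                        "parent": {"executable": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                                   "args": list(parent_args)}}}


PICKER = ["chrome.exe", "--type=utility", "--message-loop-type-ui", "--service-sandbox-type=none"]
PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = {
    # PowerShell launched by the file-picker process: matches.
    "ps_from_picker": _event(PICKER, "powershell.exe", PS_EXE,
                             command_line=r'powershell.exe -c "Write-Host sample" # C:\company\filedrop\policy.pdf'),
    # Freshly downloaded EXE run from the picker: matches via the Downloads wildcard.
    "downloads_exe": _event(PICKER, "Invoice_Viewer.exe", r"C:\Users\alice\Downloads\Invoice_Viewer.exe"),
    # rundll32 network diagnostics from the picker: removed by the exclusion clause.
    "ndf_diag": _event(PICKER, "rundll32.exe", r"C:\Windows\System32\rundll32.exe",
                       args=["rundll32.exe", "ndfapi.dll,NdfRunDllDiagnoseWithAnswerFile"]),
    # Parent carries only one of the two flags: no match.
    "one_flag_only": _event(["chrome.exe", "--message-loop-type-ui"], "powershell.exe", PS_EXE),
}


def alerting_events() -> list:
    """Names of the constructed events the rule logic alerts on."""
    return sorted(k for k, e in SAMPLE_EVENTS.items() if matches_filefix(e))
```

`alerting_events()` returns `["downloads_exe", "ps_from_picker"]`; the rundll32 diagnostics event and the single-flag parent are correctly left out, while `hides_command_behind_path` still flags the first event's command line for triage.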
