Suspicious FileFix Execution Pattern
Detects suspicious FileFix execution patterns where users are tricked into running malicious commands through browser file upload dialog manipulation. This attack typically begins when users visit malicious websites impersonating legitimate services or news platforms, which may display fake CAPTCHA challenges or direct instructions to open file explorer and paste clipboard content. The clipboard content usually contains commands that download and execute malware, such as information stealing tools.
Sigma rule

title: Suspicious FileFix Execution Pattern
id: b5b29e4e-31fa-4fdf-b058-296e7a1aa0c2
related:
    - id: 4fee3d51-8069-4a4c-a0f7-924fcaff2c70
      type: similar
    - id: 4be03877-d5b6-4520-85c9-a5911c0a656c
      type: obsolete
status: experimental
description: |
    Detects suspicious FileFix execution patterns where users are tricked into running malicious commands through browser file upload dialog manipulation.
    This attack typically begins when users visit malicious websites impersonating legitimate services or news platforms,
    which may display fake CAPTCHA challenges or direct instructions to open file explorer and paste clipboard content.
    The clipboard content usually contains commands that download and execute malware, such as information stealing tools.
references:
    - https://mrd0x.com/filefix-clickfix-alternative/
    - https://expel.com/blog/cache-smuggling-when-a-picture-isnt-a-thousand-words/ # phishing lure directly asking users to open file explorer and paste command
    - https://blog.checkpoint.com/research/filefix-the-new-social-engineering-attack-building-on-clickfix-tested-in-the-wild/
author: 0xFustang, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-24
tags:
    - attack.execution
    - attack.t1204.004
logsource:
    category: process_creation
    product: windows
detection:
    selection_exec_parent:
        # This is the case where phishing pages trick users into pasting commands in the browser file upload dialog
        ParentImage|endswith:
            - '\brave.exe'
            - '\chrome.exe'
            - '\firefox.exe'
            - '\msedge.exe'
        CommandLine|contains: '#'
    selection_cli_lolbin:
        CommandLine|contains:
            - '%comspec%'
            - 'bitsadmin'
            - 'certutil'
            - 'cmd'
            - 'cscript'
            - 'curl'
            - 'finger'
            - 'mshta'
            - 'powershell'
            - 'pwsh'
            - 'regsvr32'
            - 'rundll32'
            - 'schtasks'
            - 'wget'
            - 'wscript'
    selection_cli_captcha:
        CommandLine|contains:
            - 'account'
            - 'anti-bot'
            - 'botcheck'
            - 'captcha'
            - 'challenge'
            - 'confirmation'
            - 'fraud'
            - 'human'
            - 'identification'
            - 'identificator'
            - 'identity'
            - 'robot'
            - 'validation'
            - 'verification'
            - 'verify'
    condition: selection_exec_parent and 1 of selection_cli_*
falsepositives:
    - Legitimate use of PowerShell or other utilities launched from browser extensions or automation tools
level: high
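To make the condition concrete, the following is an added example (not part of the SigmaHQ rule or any Sigma backend) that evaluates the rule's logic by hand over constructed process_creation events: a browser parent plus a '#' in the command line, combined with at least one LOLBIN or CAPTCHA-lure keyword. Sigma's contains/endswith modifiers are case-insensitive, so all comparisons are done on lowercased values; the sample events and their command lines are constructed, not real telemetry.

```python
# Added example: manual evaluation of the FileFix rule's detection logic.
# Sigma 'contains' / 'endswith' are case-insensitive by default, so every
# field value is lowercased before comparison. Keyword lists are copied
# from the rule's three selections.
BROWSERS = ("\\brave.exe", "\\chrome.exe", "\\firefox.exe", "\\msedge.exe")
LOLBINS = ("%comspec%", "bitsadmin", "certutil", "cmd", "cscript", "curl",
           "finger", "mshta", "powershell", "pwsh", "regsvr32", "rundll32",
           "schtasks", "wget", "wscript")
CAPTCHA_WORDS = ("account", "anti-bot", "botcheck", "captcha", "challenge",
                 "confirmation", "fraud", "human", "identification",
                 "identificator", "identity", "robot", "validation",
                 "verification", "verify")


def matches_filefix_rule(event: dict) -> bool:
    """Return True when 'selection_exec_parent and 1 of selection_cli_*' holds."""
    parent = event.get("ParentImage", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    # selection_exec_parent: browser parent AND a '#' anywhere in the command line
    exec_parent = parent.endswith(BROWSERS) and "#" in cmdline
    if not exec_parent:
        return False
    # 1 of selection_cli_*: a LOLBIN keyword OR a CAPTCHA-lure keyword suffices
    cli_lolbin = any(k in cmdline for k in LOLBINS)
    cli_captcha = any(k in cmdline for k in CAPTCHA_WORDS)
    return cli_lolbin or cli_captcha


# Constructed sample events (not real telemetry). The first two should fire:
# one via the LOLBIN list, one via the CAPTCHA-lure list alone. The last two
# lack the '#' or the browser parent and should stay silent.
SAMPLE_EVENTS = [
    {"ParentImage": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "CommandLine": 'powershell.exe -c "Write-Host test" # Verification ID 1234'},
    {"ParentImage": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "CommandLine": "conhost.exe --headless # robot check"},
    {"ParentImage": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "CommandLine": 'powershell.exe -c "Write-Host test"'},
    {"ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": 'powershell.exe -c "Write-Host test" # captcha'},
]


def evaluate(events) -> list:
    """Apply the rule to each event and return one verdict per event."""
    return [matches_filefix_rule(e) for e in events]


if __name__ == "__main__":
    for ev, hit in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        print("ALERT" if hit else "ok   ", ev["CommandLine"])
```

The second sample shows why the falsepositives entry matters: the CAPTCHA word list alone is enough to trigger the rule once a browser child carries a '#'.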
Related rules
- FileFix - Command Evidence in TypedPaths
- Suspicious Explorer Process with Whitespace Padding - ClickFix/FileFix
- Suspicious ClickFix/FileFix Execution Pattern
- Suspicious Space Characters in RunMRU Registry Path - ClickFix
- Suspicious Space Characters in TypedPaths Registry Path - FileFix