FileFix - Suspicious Child Process from Browser File Upload Abuse

    Date: 06/30/2025

    Severity: Medium

    Summary

    Identifies potentially suspicious child processes, such as LOLBINs (living-off-the-land binaries), that are launched by web browsers. This behavior may indicate the use of the "FileFix" social engineering technique, in which victims are deceived into opening File Explorer from a browser-based phishing page and unknowingly pasting malicious commands into File Explorer's address bar. The method relies on clipboard manipulation and disguises the execution of system utilities as routine file path navigation, enabling covert command execution.

    Indicators of Compromise (IOC) List

    Processname

    '\powershell.exe'

    '\pwsh.exe'

    '\regsvr32.exe'

    '\bitsadmin.exe'

    '\certutil.exe'

    '\mshta.exe'

    ParentProcessname

    '\chrome.exe'

    '\msedge.exe'

    '\firefox.exe'

    '\brave.exe'

    Commandline

    '#'

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1 : 

    ((resourcename = "Windows Security"  AND eventtype = "4688") AND ((processname like "\powershell.exe" OR processname like "\pwsh.exe" OR processname like "\regsvr32.exe" OR processname like "\bitsadmin.exe" OR processname like "\certutil.exe" OR processname like "\mshta.exe") AND (parentprocessname like "\chrome.exe" OR parentprocessname like "\msedge.exe" OR parentprocessname like "\firefox.exe" OR parentprocessname like "\brave.exe")) AND commandline like "#")

    Detection Query 2 : 

    (technologygroup = "EDR" AND ((processname like "\powershell.exe" OR processname like "\pwsh.exe" OR processname like "\regsvr32.exe" OR processname like "\bitsadmin.exe" OR processname like "\certutil.exe" OR processname like "\mshta.exe") AND (parentprocessname like "\chrome.exe" OR parentprocessname like "\msedge.exe" OR parentprocessname like "\firefox.exe" OR parentprocessname like "\brave.exe")) AND commandline like "#")
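    The following is an added example, not Gurucul's or the referenced Sigma rule's own code: it applies the same conditions as Detection Query 1 and Detection Query 2 to constructed process-creation records. The field names (source, event_id, process, parent, commandline) and the sample events are assumptions made for the example.

```python
from dataclasses import dataclass

# Suffixes from the IOC list above; "like '\x.exe'" is treated as a case-insensitive suffix match.
LOLBIN_SUFFIXES = (r"\powershell.exe", r"\pwsh.exe", r"\regsvr32.exe",
                   r"\bitsadmin.exe", r"\certutil.exe", r"\mshta.exe")
BROWSER_SUFFIXES = (r"\chrome.exe", r"\msedge.exe", r"\firefox.exe", r"\brave.exe")

@dataclass
class ProcessEvent:
    source: str       # "Windows Security" or "EDR" (field names are assumptions)
    event_id: str     # "4688" for Security-log events, "" for EDR telemetry
    process: str
    parent: str
    commandline: str

def _ends_with_any(path: str, suffixes) -> bool:
    p = path.lower()
    return any(p.endswith(s.lower()) for s in suffixes)

def is_filefix_candidate(ev: ProcessEvent) -> bool:
    """Detection Query 1 (Security 4688) and Query 2 (EDR) from the page, combined."""
    source_ok = (ev.source == "Windows Security" and ev.event_id == "4688") \
        or ev.source == "EDR"
    return (source_ok
            and _ends_with_any(ev.process, LOLBIN_SUFFIXES)
            and _ends_with_any(ev.parent, BROWSER_SUFFIXES)
            and "#" in ev.commandline)   # the path-comment trick described above

def detect(events):
    return [ev for ev in events if is_filefix_candidate(ev)]

# Constructed sample telemetry (not real logs); payloads are elided.
SAMPLE_EVENTS = [
    ProcessEvent("Windows Security", "4688",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                 r"powershell.exe -c <elided> # C:\Users\Public\Downloads\invoice.pdf"),
    ProcessEvent("EDR", "", r"C:\Windows\System32\mshta.exe",
                 r"C:\Program Files\Mozilla Firefox\firefox.exe",
                 r"mshta.exe <elided> # \\fileserver\docs\report.docx"),
    # Benign: PowerShell from Explorer (no browser parent), and a browser child
    # without the '#' marker; neither is matched by these queries.
    ProcessEvent("Windows Security", "4688",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\explorer.exe", r"powershell.exe -File C:\Scripts\backup.ps1"),
    ProcessEvent("EDR", "", r"C:\Windows\System32\regsvr32.exe",
                 r"C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe",
                 r"regsvr32.exe /s C:\Temp\component.dll"),
]
```

    Both queries require the '#' marker in the command line, so the last sample is deliberately not matched; a browser-spawned LOLBIN without that marker would need a separate, broader rule.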

    Reference:

    https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_filefix_browsers.yml


    Tags

    FileFix, Sigma, LOLBIN, Social Engineering


