Date: 06/30/2025
Severity: Medium
Summary
Identifies potentially suspicious child processes, such as LOLBINs, launched by web browsers. This behavior may indicate the "FileFix" social engineering technique, in which a browser-based phishing page tricks the victim into opening File Explorer (through the browser's own file-upload dialog) and pasting a command, placed on the clipboard by the page, into the address bar. Because that dialog belongs to the browser, the system utility it launches appears as a child of the browser process rather than of explorer.exe. The command is disguised as routine file path navigation: the real command is followed by padding and a '#' plus a plausible-looking file path, which PowerShell treats as a comment, so the victim sees only the fake path in the address bar while the preceding command executes.
Indicators of Compromise (IOC) List
Field | Values | Match
Processname | '\powershell.exe' '\pwsh.exe' '\regsvr32.exe' '\bitsadmin.exe' '\certutil.exe' '\mshta.exe' | image path ends with
ParentProcessname | '\chrome.exe' '\msedge.exe' '\firefox.exe' '\brave.exe' | image path ends with
Commandline | '#' | contains
All three conditions must hold for an event to match; the leading backslash on the process names indicates that only the trailing file name of the image path is compared, as in the referenced Sigma rule.
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1: ((resourcename = "Windows Security" AND eventtype = "4688") AND ((processname like "\powershell.exe" OR processname like "\pwsh.exe" OR processname like "\regsvr32.exe" OR processname like "\bitsadmin.exe" OR processname like "\certutil.exe" OR processname like "\mshta.exe") AND (parentprocessname like "\chrome.exe" OR parentprocessname like "\msedge.exe" OR parentprocessname like "\firefox.exe" OR parentprocessname like "\brave.exe")) AND commandline like "#")
Detection Query 2: (technologygroup = "EDR" AND ((processname like "\powershell.exe" OR processname like "\pwsh.exe" OR processname like "\regsvr32.exe" OR processname like "\bitsadmin.exe" OR processname like "\certutil.exe" OR processname like "\mshta.exe") AND (parentprocessname like "\chrome.exe" OR parentprocessname like "\msedge.exe" OR parentprocessname like "\firefox.exe" OR parentprocessname like "\brave.exe")) AND commandline like "#"))
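The following Python is an added worked example for this page; it is not code from the advisory, from Gurucul, or from the referenced Sigma rule. It re-implements the three conditions the queries above combine (child image is one of the listed LOLBINs, parent image is one of the listed browsers, command line contains '#') and runs them over constructed Windows Security 4688-style records. The process paths, the example.com host and the fake document path are all made up for illustration. The visible_tail helper shows what the '#' buys the attacker: in PowerShell everything after it is a comment, so only the trailing fake path is what the victim sees in the address bar. The third sample record also marks a coverage limit of this logic: the same command pasted into a stand-alone Explorer window has explorer.exe as its parent and does not match.

```python
"""FileFix-style detection over constructed process-creation events.

Added example, not part of the original advisory or the referenced Sigma rule.
Field names follow Windows Security event 4688 (NewProcessName,
ParentProcessName, CommandLine); every record below is constructed.
"""
import ntpath

SUSPICIOUS_CHILDREN = {
    "powershell.exe", "pwsh.exe", "regsvr32.exe",
    "bitsadmin.exe", "certutil.exe", "mshta.exe",
}
BROWSER_PARENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}


def image_name(path: str) -> str:
    """Return the lower-cased trailing file name of a Windows image path."""
    return ntpath.basename(path).lower()


def is_filefix_candidate(event: dict) -> bool:
    """True when child is a listed LOLBIN, parent is a listed browser, and '#' is present."""
    child = image_name(event.get("NewProcessName", ""))
    parent = image_name(event.get("ParentProcessName", ""))
    cmdline = event.get("CommandLine", "")
    return child in SUSPICIOUS_CHILDREN and parent in BROWSER_PARENTS and "#" in cmdline


def visible_tail(cmdline: str) -> str:
    """Return the text after the first '#', i.e. the fake path the victim sees.

    PowerShell treats everything after '#' as a comment, so the attacker pads
    the real command with spaces and appends a plausible file path; in a narrow
    address bar only that path is visible. Returns '' when there is no '#'.
    """
    _, sep, tail = cmdline.partition("#")
    return tail.strip() if sep else ""


# Constructed sample events (hypothetical paths, hosts and file names).
SAMPLE_EVENTS = [
    # 1. FileFix-style: browser parent, PowerShell child, real command hidden
    #    in front of a '#'-commented fake document path.
    {"EventID": 4688,
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentProcessName": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r"powershell.exe -c ping example.com" + " " * 40
                    + r"# C:\company\internal-secure\filedrive\HRPolicy.docx"},
    # 2. Benign: browser spawning its own renderer process.
    {"EventID": 4688,
     "NewProcessName": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentProcessName": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"chrome.exe" --type=renderer'},
    # 3. Not covered by this rule: same command pasted into a stand-alone
    #    Explorer window, so the parent is explorer.exe, not a browser.
    {"EventID": 4688,
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -c ping example.com # C:\docs\Policy.docx"},
    # 4. Browser-spawned PowerShell without '#': fails the third condition.
    {"EventID": 4688,
     "NewProcessName": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "ParentProcessName": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "CommandLine": r"pwsh.exe -NoProfile -File C:\tools\helper.ps1"},
]


def detect(events) -> list:
    """Return the indices of events that satisfy the FileFix rule logic."""
    return [i for i, e in enumerate(events) if is_filefix_candidate(e)]


if __name__ == "__main__":
    for i in detect(SAMPLE_EVENTS):
        e = SAMPLE_EVENTS[i]
        print(f"ALERT event {i}: {image_name(e['ParentProcessName'])} -> "
              f"{image_name(e['NewProcessName'])}; victim saw: "
              f"{visible_tail(e['CommandLine'])!r}")
```

Only the first record fires. Matching on the trailing file name (via ntpath.basename) reproduces the "ends with" semantics of the listed process names regardless of install location, and the record with explorer.exe as parent is a reminder that this rule is specific to the browser-hosted file dialog described above, not to address-bar command execution in general.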
Reference:
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_filefix_browsers.yml