FileFix - Suspicious Child Process from Browser File Upload Abuse

Rule Info

Name: FileFix - Suspicious Child Process from Browser File Upload Abuse
Author: 0xFustang
Description: Detects potentially suspicious subprocesses such as LOLBINs spawned by web browsers. This activity could be associated with the "FileFix" social engineering technique, where users are tricked into launching the file explorer via a browser-based phishing page and pasting malicious commands into the address bar. The technique abuses clipboard manipulation and disguises command execution as benign file path access, resulting in covert execution of system utilities.
Date: 2025-06-26 00:00:00
Modified: 2025-06-30 00:00:00
Id: 4be03877-d5b6-4520-85c9-a5911c0a656c
Tags: attack.execution, attack.t1204.004
Type: Community Rule

Rule History

Author | Title | Date | Commit
Alfie Champion | Merge PR #5503 from @ajpc500 - include cmd.exe child process | 2025-07-01 |
Mathieu | Merge PR #5501 from @0xFustang - FileFix - Suspicious Sub-processes Spawned by Web Browsers | 2025-06-27 |