Query Details

File Fix Detection

Query

// FileFix - Social Engineering Attack Detection
// https://mrd0x.com/filefix-clickfix-alternative/

let MonitoredCommands = dynamic(["powershell","pwsh","regsvr32","bitsadmin","certutil", "mshta"]);
let BrowserList = dynamic(["chrome","msedge","firefox","brave"]);
DeviceProcessEvents
| where Timestamp > ago(1h)
| where FileName has_any(MonitoredCommands) and InitiatingProcessFileName has_any(BrowserList)

Explanation

This query is designed to detect potential social engineering attacks by monitoring specific command-line activities. Here's a simple breakdown:

  1. Monitored Commands: It focuses on certain command-line tools that are often used in attacks, such as "powershell", "pwsh", "regsvr32", "bitsadmin", "certutil", and "mshta".

  2. Browser List: It looks for these commands being initiated by web browsers like "chrome", "msedge", "firefox", and "brave".

  3. Time Frame: The query examines events that have occurred within the last hour.

  4. Data Source: It uses the DeviceProcessEvents table to find relevant events.

  5. Filter Criteria: It filters the events to find instances where any of the monitored commands were executed and were initiated by any of the listed browsers.

In summary, this query is searching for instances where potentially suspicious command-line tools are being run as a result of actions taken in a web browser, which could indicate a social engineering attack.

Details

Steven Lim profile picture

Steven Lim

Released: June 24, 2025

Tables

DeviceProcessEvents

Keywords

DeviceProcessEventsTimestampFileNameInitiating

Operators

letdynamicDeviceProcessEvents|where>agohas_anyand

Actions

GitHub