Query Details

File Fix Detection

Query

// FileFix - Social Engineering Attack Detection
// https://mrd0x.com/filefix-clickfix-alternative/
// Flags living-off-the-land binaries spawned directly by a web browser: the process
// tree produced when a victim pastes an attacker-supplied command into the File Explorer
// address bar of a file-upload dialog opened by the browser.

// Child binaries worth alerting on. has_any matches whole terms, case-insensitively,
// so "powershell.exe" matches "powershell" but a renamed copy would not.
let MonitoredCommands = dynamic(["powershell","pwsh","regsvr32","bitsadmin","certutil"]);
// Parent processes: browsers that can open a file-upload dialog.
let BrowserList = dynamic(["chrome","msedge","firefox","brave"]);
DeviceProcessEvents
| where Timestamp > ago(1h)   // window sized for a scheduled rule; widen when hunting historically
| where FileName has_any(MonitoredCommands) and InitiatingProcessFileName has_any(BrowserList)

Explanation

This query looks for the process tree that the FileFix social engineering technique produces: a web browser directly spawning a living-off-the-land binary. In the technique described in the linked mrd0x post, the victim is lured into pasting an attacker-supplied command into the address bar of a File Explorer window that the browser opened as a file-upload dialog, so the command runs as a child process of the browser. Here is the breakdown:

  1. Monitored Commands: the FileName of the new process must contain one of the terms "powershell", "pwsh", "regsvr32", "bitsadmin" or "certutil". has_any performs whole-term, case-insensitive matching, so "powershell.exe" matches "powershell" but a renamed copy of the binary does not; consider also checking ProcessVersionInfoOriginalFileName if renamed binaries are a concern.

  2. Browser List: the parent process (InitiatingProcessFileName) must contain one of "chrome", "msedge", "firefox" or "brave". Add other browsers in use in your environment.

  3. Time Frame: only events from the last hour (ago(1h)) are considered, which suits a scheduled detection rule that runs hourly; widen the window when hunting historically.

  4. Data Source: the DeviceProcessEvents advanced hunting table, which records process creations together with the initiating (parent) process.

In summary, the query flags any of the monitored command-line tools whose direct parent is a web browser. Browsers rarely launch these binaries themselves, so a match deserves review, but legitimate browser-launched tooling does exist: inspect ProcessCommandLine and InitiatingProcessCommandLine on each hit before acting, and suppress known-good cases with explicit exclusions rather than by loosening the lists.
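To exercise the rule offline, the following Python reimplements the query's logic over constructed DeviceProcessEvents-style records. This is an added example, not the page's query or a Microsoft API: the term tokeniser is an approximation of how KQL's has_any matches whole alphanumeric terms, the events and command lines are made up, and the helper names (kql_terms, has_any, filefix_matches, run_detection) are the example's own.

```python
"""Offline model of the FileFix KQL detection (added example, not the page's query).

Mimics has_any whole-term, case-insensitive matching and the ago(1h) window so the
rule's behaviour, including its edge cases, can be checked against sample events.
"""
import re
from datetime import datetime, timedelta, timezone

# Same lists as the KQL query
MONITORED_COMMANDS = ["powershell", "pwsh", "regsvr32", "bitsadmin", "certutil"]
BROWSER_LIST = ["chrome", "msedge", "firefox", "brave"]


def kql_terms(value):
    """Approximation of KQL term tokenisation: runs of ASCII alphanumerics, lower-cased.
    'powershell.exe' -> {'powershell', 'exe'}; 'notpowershell.exe' -> {'notpowershell', 'exe'}."""
    return {t.lower() for t in re.findall(r"[A-Za-z0-9]+", value)}


def has_any(value, terms):
    """KQL has_any: true when any term is a whole term of value (not a substring)."""
    return bool(kql_terms(value) & {t.lower() for t in terms})


def filefix_matches(events, now, window=timedelta(hours=1)):
    """Apply the query's three filters: time window, monitored child, browser parent."""
    cutoff = now - window
    return [
        e for e in events
        if e["Timestamp"] > cutoff                                  # Timestamp > ago(1h)
        and has_any(e["FileName"], MONITORED_COMMANDS)              # FileName has_any(...)
        and has_any(e["InitiatingProcessFileName"], BROWSER_LIST)   # parent has_any(...)
    ]


# Constructed sample data (hypothetical hostnames and command lines, not real telemetry)
NOW = datetime(2025, 6, 24, 12, 0, tzinfo=timezone.utc)


def event(minutes_ago, parent, child, cmd, device="WS01"):
    return {
        "Timestamp": NOW - timedelta(minutes=minutes_ago),
        "DeviceName": device,
        "InitiatingProcessFileName": parent,
        "FileName": child,
        "ProcessCommandLine": cmd,
    }


SAMPLE_EVENTS = [
    event(5, "chrome.exe", "powershell.exe", 'powershell.exe -w hidden -c "<constructed>"'),  # hit
    event(12, "explorer.exe", "powershell.exe", "powershell.exe"),      # parent is not a browser
    event(180, "msedge.exe", "certutil.exe", "certutil.exe -urlcache"),  # outside the 1h window
    event(20, "firefox.exe", "notepad.exe", "notepad.exe"),             # child is not monitored
    event(2, "brave.exe", "pwsh.exe", "pwsh.exe -nop"),                 # hit
    event(8, "chrome.exe", "notpowershell.exe", "notpowershell.exe"),   # whole-term match: no hit
    event(9, "MSEDGE.EXE", "CERTUTIL.EXE", "CERTUTIL.EXE -decode"),     # case-insensitive: hit
]


def run_detection():
    return filefix_matches(SAMPLE_EVENTS, NOW)


if __name__ == "__main__":
    for hit in run_detection():
        print(hit["Timestamp"].isoformat(), hit["DeviceName"],
              hit["InitiatingProcessFileName"], "->", hit["ProcessCommandLine"])
```

Three of the seven constructed events are flagged. The two non-hits on chrome.exe and msedge.exe show the two ways a real event can slip past this rule: a renamed child binary (no whole-term match) and an event older than the window.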

Details

Steven Lim

Released: June 24, 2025

Tables

DeviceProcessEvents

Keywords

DeviceProcessEvents, Timestamp, FileName, InitiatingProcessFileName

Operators

let, dynamic, DeviceProcessEvents, |, where, >, ago, has_any
