
Summary
The 'FileFix - Suspicious Child Process from Browser File Upload Abuse' detection rule identifies suspicious child processes spawned by web browsers, focusing on known living-off-the-land binaries (LOLBINs). Such a process tree can indicate the FileFix social engineering technique, a browser-based phishing variant. A phishing page places a command on the victim's clipboard and prompts them to open a file selection dialog (for example through an "upload" button) and paste a supposedly copied file path into the dialog's address bar. What is pasted is actually a command, typically a PowerShell one-liner, followed by a '#' character and a decoy file path: PowerShell treats everything after '#' up to the end of the line as a comment, so the decoy path is ignored, the command runs, and the browser becomes the parent process of the interpreter. The rule therefore looks for Chrome, Edge, Firefox or Brave as the parent process of utilities that users do not normally launch directly from a browser (such as PowerShell or CertUtil), combined with a 'CommandLine' value containing a '#' character. Matching these executions helps surface malicious commands hidden behind what looks like ordinary browser file-upload activity.
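As an added illustration of the rule's logic (example code written for this page, not the rule's own definition or its exact process list), the following Python runs the three conditions above over a few constructed process-creation events. The field names ParentImage, Image and CommandLine are assumed Sysmon-style names, the BROWSERS and LOLBINS sets are assumed approximations of the rule's lists, and the sample events are constructed for the example; the split_decoy helper is an added triage aid that separates the executed command from the decoy path.

```python
import ntpath

# Assumed approximations of the rule's parent and child process lists.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
LOLBINS = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "certutil.exe", "mshta.exe",
    "rundll32.exe", "bitsadmin.exe", "wscript.exe", "cscript.exe", "curl.exe",
}


def basename(path: str) -> str:
    """Case-insensitive Windows basename, so 'C:\\...\\MSEDGE.EXE' matches 'msedge.exe'."""
    return ntpath.basename(path).lower()


def is_filefix_candidate(event: dict) -> bool:
    """All three rule conditions: browser parent, LOLBIN child, '#' in the command line."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "")
    return parent in BROWSERS and child in LOLBINS and "#" in cmdline


def find_alerts(events: list[dict]) -> list[dict]:
    """Return the subset of events that the rule would flag."""
    return [e for e in events if is_filefix_candidate(e)]


def split_decoy(cmdline: str) -> tuple[str, str]:
    """Triage helper (assumed, not part of the rule): split on the last '#' so a '#'
    inside a quoted URL fragment is not mistaken for the comment marker.
    Returns (executed command, decoy path shown to the victim)."""
    if "#" not in cmdline:
        return cmdline.strip(), ""
    command, _, decoy = cmdline.rpartition("#")
    return command.strip(), decoy.strip()


# Constructed sample events (Sysmon-style field names, assumed).
SAMPLE_EVENTS = [
    {   # True positive: browser parent, PowerShell child, decoy path after '#'.
        "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'powershell.exe -c "Start-Process calc.exe" # C:\company\internal-secure\invoice_2025.pdf',
    },
    {   # Benign: browser spawning its own renderer process.
        "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "CommandLine": "chrome.exe --type=renderer",
    },
    {   # Out of scope for this rule: '#' present, but parent is Explorer, not a browser.
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'powershell.exe -c "Get-Date" # C:\notes.txt',
    },
    {   # Not matched: browser parent and CertUtil child, but no '#' in the command line.
        "ParentImage": r"C:\Program Files (x86)\Microsoft\Edge\Application\MSEDGE.EXE",
        "Image": r"C:\Windows\System32\certutil.exe",
        "CommandLine": "certutil.exe -hashfile C:\\Users\\user\\Downloads\\setup.msi SHA256",
    },
]


if __name__ == "__main__":
    for hit in find_alerts(SAMPLE_EVENTS):
        command, decoy = split_decoy(hit["CommandLine"])
        print(f"ALERT: {basename(hit['ParentImage'])} -> {basename(hit['Image'])}")
        print(f"  executed: {command}")
        print(f"  decoy   : {decoy}")
```

Only the first event fires. The fourth event shows the caveat a practitioner should keep in mind: the '#' condition is what ties the alert to the FileFix decoy-path trick, so a browser-spawned LOLBIN whose command line carries no '#' (an attacker who drops the decoy, or a different hiding technique) will not match this rule and needs broader browser-child-process coverage alongside it.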
Categories
- Endpoint
- Web
Data Sources
- Process
Created: 2025-06-26