Merge pull request #3526 from splunk/captcha

CAPTCHA if you Can

Author: nasbench

detections/endpoint/detect_mshta_url_in_command_line.yml

@@ -1,7 +1,7 @@
 name: Detect MSHTA Url in Command Line
 id: 9b3af1e6-5b68-11eb-ae93-0242ac130002
-version: '13'
-date: '2025-05-06'
+version: 13
+date: '2025-05-19'
 author: Michael Haag, Splunk
 status: production
 type: TTP

detections/endpoint/lolbas_with_network_traffic.yml

@@ -1,7 +1,7 @@
 name: LOLBAS With Network Traffic
 id: 2820f032-19eb-497e-8642-25b04a880359
-version: 9
-date: '2025-05-02'
+version: 10
+date: '2025-05-19'
 author: Steven Dick
 status: production
 type: TTP
@@ -77,6 +77,7 @@ tags:
   analytic_story:
     - Living Off The Land
     - Water Gamayun
+    - Fake CAPTCHA Campaigns
   asset_type: Endpoint
   mitre_attack_id:
     - T1105

detections/endpoint/powershell_4104_hunting.yml

@@ -1,7 +1,7 @@
 name: PowerShell 4104 Hunting
 id: d6f2b006-0041-11ec-8885-acde48001122
-version: '17'
-date: '2025-05-06'
+version: 17
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: Hunting
@@ -59,25 +59,25 @@ references:
 - https://adlumin.com/post/powerdrop-a-new-insidious-powershell-script-for-command-and-control-attacks-targets-u-s-aerospace-defense-industry/
 tags:
   analytic_story:
-  - CISA AA23-347A
-  - China-Nexus Threat Activity
-  - Data Destruction
-  - PHP-CGI RCE Attack on Japanese Organizations
-  - Hermetic Wiper
-  - Medusa Ransomware
-  - Braodo Stealer
-  - Cleo File Transfer Software
-  - Lumma Stealer
-  - Salt Typhoon
-  - Cactus Ransomware
-  - Malicious PowerShell
-  - Water Gamayun
-  - XWorm
-  - Flax Typhoon
-  - CISA AA24-241A
-  - Rhysida Ransomware
-  - SystemBC
-  - DarkGate Malware
+    - Braodo Stealer
+    - Cactus Ransomware
+    - China-Nexus Threat Activity
+    - CISA AA23-347A
+    - CISA AA24-241A
+    - Cleo File Transfer Software
+    - DarkGate Malware
+    - Data Destruction
+    - Flax Typhoon
+    - Hermetic Wiper
+    - Lumma Stealer
+    - Malicious PowerShell
+    - Medusa Ransomware
+    - Rhysida Ransomware
+    - Salt Typhoon
+    - SystemBC
+    - PHP-CGI RCE Attack on Japanese Organizations
+    - Water Gamayun
+    - XWorm
   asset_type: Endpoint
   mitre_attack_id:
   - T1059.001

detections/endpoint/windows_powershell_fakecaptcha_clipboard_execution.yml

@@ -0,0 +1,91 @@
+name: Windows PowerShell FakeCAPTCHA Clipboard Execution
+id: d81d4d3d-76b5-4f21-ab51-b17d5164c106
+version: 1
+date: '2025-05-14'
+author: Michael Haag, Splunk
+status: production
+type: TTP
+description: This detection identifies potential FakeCAPTCHA/ClickFix clipboard hijacking campaigns by looking for PowerShell execution with hidden window parameters and distinctive strings related to fake CAPTCHA verification. These campaigns use social engineering to trick users into pasting malicious PowerShell commands from their clipboard, typically delivering information stealers or remote access trojans.
+data_source:
+- Sysmon EventID 1
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) 
+  as lastTime FROM datamodel=Endpoint.Processes where `process_powershell`
+  AND Processes.process="*-w*h*"
+  AND (
+      (Processes.process IN ("*robot*", "*captcha*", "*verify*", "*security check*", "*complete verification*"))
+      OR
+      (
+        (Processes.process IN ("*iwr *", "*Invoke-WebRequest*", "*wget *", "*curl *", "*Net.WebClient*", "*DownloadString*", "*[Convert]::FromBase64String*"))
+        AND 
+        (Processes.process IN ("*iex*", "*Invoke-Expression*"))
+        AND
+        (Processes.process IN ("*click*", "*verify*", "*check*", "*human*", "*bot*", "*token*", "*challenge*"))
+      )
+      OR
+      (
+        Processes.process="*clipboard*" 
+        AND Processes.process="*iex*" 
+        AND (Processes.process="*FromBase64String*" OR Processes.process="*decode*")
+      )
+  )
+  by Processes.action Processes.dest Processes.original_file_name Processes.parent_process 
+  Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id 
+  Processes.parent_process_name Processes.parent_process_path Processes.process 
+  Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id 
+  Processes.process_integrity_level Processes.process_name Processes.process_path 
+  Processes.user Processes.user_id Processes.vendor_product
+  | `drop_dm_object_name(Processes)` 
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)`
+  | `windows_powershell_fakecaptcha_clipboard_execution_filter`'
+how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, process path, and command-line executions from your endpoints. If you are using Sysmon, you must have at least Sysmon version 6.0.4 with EventID 1 configured. The full command line arguments are necessary for proper detection.
+known_false_positives: Legitimate PowerShell commands that use hidden windows for automation tasks may trigger this detection. The search specifically looks for patterns typical of FakeCAPTCHA campaigns. You may need to add additional exclusions for legitimate administrative activities in your environment by modifying the filter macro.
+references:
+- https://urlhaus.abuse.ch/
+- https://www.proofpoint.com/us/blog/threat-insight/security-brief-clickfix-social-engineering-technique-floods-threat-landscape
+- https://reliaquest.com/blog/using-captcha-for-compromise/
+- https://attack.mitre.org/techniques/T1204/001/
+- https://github.com/MHaggis/ClickGrab
+drilldown_searches:
+- name: View the detection results for - "$dest$"
+  search: '%original_detection_search% | search dest = "$dest$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$dest$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") 
+    starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime 
+    values(search_name) as "Search Name" values(risk_message) as "Risk Message" 
+    values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" 
+    values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object 
+    | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+rba:
+  message: A potential FakeCAPTCHA/ClickFix campaign execution was detected on $dest$ running a PowerShell command with hidden window and suspicious verification strings typical of social engineering attacks.
+  risk_objects:
+  - field: dest
+    type: system
+    score: 80
+  threat_objects:
+  - field: process
+    type: process
+tags:
+  analytic_story:
+  - Fake CAPTCHA Campaigns
+  asset_type: Endpoint
+  mitre_attack_id:
+  - T1059.001
+  - T1204.001
+  - T1059.003
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  security_domain: endpoint
+  cve: []
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/captcha_windows-sysmon.log
+    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+    sourcetype: XmlWinEventLog

detections/endpoint/windows_runmru_command_execution.yml

@@ -1,7 +1,7 @@
 name: Windows RunMRU Command Execution
 id: a15aa1ab-2b79-467f-8201-65e0f32d5b1a
-version: 6
-date: '2025-05-02'
+version: 7
+date: '2025-05-14'
 author: Nasreddine Bencherchali, Michael Haag, Splunk
 data_source:
 - Sysmon EventID 12
@@ -66,6 +66,7 @@ rba:
 tags:
   analytic_story:
   - Lumma Stealer
+  - Fake CAPTCHA Campaigns
   asset_type: Endpoint
   mitre_attack_id:
   - T1202

stories/fake_captcha_campaigns.yml

@@ -0,0 +1,22 @@
+name: Fake CAPTCHA Campaigns
+id: b6578255-250a-4620-8e5e-7946e11ac2e9
+version: 1
+status: production
+date: '2025-05-14'
+author: Michael Haag, Splunk
+description: This analytic story addresses the emerging threat of Fake CAPTCHA and ClickFix campaigns that exploit users' familiarity with verification systems to deliver malware through clipboard manipulation techniques. First observed in early 2024 and increasing through 2025, these campaigns use deceptive interfaces that mimic legitimate CAPTCHA systems to trick users into executing malicious commands.
+narrative: Fake CAPTCHA campaigns represent a sophisticated evolution in social engineering attacks that rely entirely on manipulating user behavior rather than exploiting technical vulnerabilities. These attacks begin with victims landing on malicious websites through phishing emails, malvertising, or compromised legitimate sites. The site presents what appears to be a standard CAPTCHA verification interface with familiar branding from Google reCAPTCHA or Cloudflare. When users interact with the fake CAPTCHA, malicious JavaScript silently copies commands to their clipboard. Users are then instructed to perform additional verification steps such as pressing Windows+R followed by Ctrl+V, unknowingly pasting and executing malicious commands. These commands typically download and run additional malware using PowerShell scripts that operate in hidden windows. Common payloads include information stealers (Lumma, Redline, Vidar, PureLog), Remote Access Trojans (NetSupport, XWorm, AsyncRAT, Quasar), and multi-stage payloads that can deploy multiple malware families from a single infection.
+references:
+- https://urlhaus.abuse.ch/
+- https://www.proofpoint.com/us/blog/threat-insight/security-brief-clickfix-social-engineering-technique-floods-threat-landscape
+- https://reliaquest.com/blog/using-captcha-for-compromise/
+- https://attack.mitre.org/techniques/T1204/001/
+- https://github.com/MHaggis/ClickGrab
+tags:
+  category:
+  - Adversary Tactics
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  usecase: Advanced Threat Detection