Potential Fake CAPTCHA Phishing Attack
Identifies potential fake CAPTCHA phishing attacks based on PowerShell, Cmd, or Mshta command-line values. Adversaries employ this technique via compromised websites with browser injects, posing either as fake CAPTCHAs to access the site or as a page loading error requiring a fix to display the page. The victim is instructed to copy and paste a malicious command to the Windows Run dialog box.
MITRE ATT&CK
execution, defense-evasion, initial-access
Detection Query
process where host.os.type == "windows" and event.type == "start" and
process.name : ("powershell.exe", "cmd.exe", "mshta.exe") and process.parent.name : "explorer.exe" and
process.command_line : ("*recaptcha *", "*CAPTCHA Verif*", "*complete verification*", "*Verification ID*", "*Verification Code*", "*Verification UID*",
"*hυmаn vаlіdаtiοn*", "*human ID*", "*Action Identificator*", "*not a robot*", "*Click OK to*", "*anti-robot test*",
"*Cloudflare ID*")
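As an added example (not part of the Elastic rule or this page), the Python below re-implements the query's matching logic offline, approximating EQL's `:` operator with case-insensitive wildcard matching, and runs it over constructed process-start events; the event dictionaries, the `make_event` helper and `matched_patterns` are assumptions of this example. It also shows a caveat worth knowing when tuning: the seventh pattern uses lookalike Greek/Cyrillic letters, so the plain ASCII spelling "human validation" is not covered by it.

```python
from fnmatch import fnmatchcase

# Patterns copied from the rule's process.command_line clause; the seventh is spelled
# with Greek/Cyrillic lookalike letters exactly as the rule has it.
CMDLINE_PATTERNS = [
    "*recaptcha *", "*CAPTCHA Verif*", "*complete verification*", "*Verification ID*",
    "*Verification Code*", "*Verification UID*", "*hυmаn vаlіdаtiοn*", "*human ID*",
    "*Action Identificator*", "*not a robot*", "*Click OK to*", "*anti-robot test*",
    "*Cloudflare ID*",
]
PROCESS_NAMES = ("powershell.exe", "cmd.exe", "mshta.exe")
PARENT_NAMES = ("explorer.exe",)

def eql_like(value, patterns):
    """Approximate EQL's ':' operator: case-insensitive, '*' matches any run of characters."""
    if value is None:
        return False
    lowered = value.lower()
    return any(fnmatchcase(lowered, p.lower()) for p in patterns)

def matched_patterns(event):
    """Command-line patterns that fire for one process-start event (empty list = no alert)."""
    if event.get("host.os.type") != "windows" or event.get("event.type") != "start":
        return []
    if not eql_like(event.get("process.name"), PROCESS_NAMES):
        return []
    if not eql_like(event.get("process.parent.name"), PARENT_NAMES):
        return []
    cmd = event.get("process.command_line")
    return [p for p in CMDLINE_PATTERNS if eql_like(cmd, [p])]

def make_event(name, parent, cmdline):
    """Constructed ECS-style process-start event (sample data, not real telemetry)."""
    return {"host.os.type": "windows", "event.type": "start", "process.name": name,
            "process.parent.name": parent, "process.command_line": cmdline}

# Constructed samples; the commands themselves are inert, only the lure text matters here.
SAMPLE_EVENTS = {
    "run_dialog_lure": make_event("powershell.exe", "explorer.exe",
        'powershell -c "echo ok" # I am not a robot - reCAPTCHA Verification ID: 7781'),
    "homoglyph_lure": make_event("mshta.exe", "explorer.exe",
        "mshta.exe about:blank # " + CMDLINE_PATTERNS[6].strip("*")),
    "ascii_spelling": make_event("cmd.exe", "explorer.exe",   # plain ASCII: no pattern covers it
        'cmd /c echo "human validation"'),
    "other_parent": make_event("powershell.exe", "code.exe",  # lure text, but not from explorer.exe
        'powershell -c "echo not a robot"'),
    "admin_script": make_event("powershell.exe", "explorer.exe",
        "powershell -File C:\\scripts\\inventory.ps1"),
}
```

The first sample fires on several patterns at once (`*recaptcha *`, `*CAPTCHA Verif*`, `*Verification ID*`, `*not a robot*`), while the ASCII-spelled variant and the non-explorer.exe parent produce no match.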
Author
Elastic
Created
2025/08/19
Data Sources
Windows Security Event Logs, Elastic Defend, Sysmon, SentinelOne, Microsoft Defender XDR, Crowdstrike; indices: logs-endpoint.events.process-*, logs-crowdstrike.fdr*, logs-m365_defender.event-*, logs-sentinel_one_cloud_funnel.*, logs-system.security*, logs-windows.forwarded*, logs-windows.sysmon_operational-*, winlogbeat-*
Tags
Domain: Endpoint; OS: Windows; Use Case: Threat Detection; Tactic: Execution; Data Source: Windows Security Event Logs; Data Source: Elastic Defend; Data Source: Sysmon; Data Source: SentinelOne; Data Source: Microsoft Defender XDR; Data Source: Crowdstrike; Resources: Investigation Guide
Raw Content
[metadata]
creation_date = "2025/08/19"
integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
maturity = "production"
updated_date = "2026/05/03"
[rule]
author = ["Elastic"]
description = """
Identifies potential fake CAPTCHA phishing attacks based on PowerShell, Cmd, or Mshta command-line values. Adversaries employ this
technique via compromised websites with browser injects, posing either as fake CAPTCHAs to access the site or as a page
loading error requiring a fix to display the page. The victim is instructed to copy and paste a malicious command to
the Windows Run dialog box.
"""
from = "now-9m"
index = [
"logs-endpoint.events.process-*",
"logs-crowdstrike.fdr*",
"logs-m365_defender.event-*",
"logs-sentinel_one_cloud_funnel.*",
"logs-system.security*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"winlogbeat-*",
]
language = "eql"
license = "Elastic License v2"
name = "Potential Fake CAPTCHA Phishing Attack"
risk_score = 73
rule_id = "fbad57ec-4442-48db-a34f-5ee907b44a22"
severity = "high"
tags = [
"Domain: Endpoint",
"OS: Windows",
"Use Case: Threat Detection",
"Tactic: Execution",
"Data Source: Windows Security Event Logs",
"Data Source: Elastic Defend",
"Data Source: Sysmon",
"Data Source: SentinelOne",
"Data Source: Microsoft Defender XDR",
"Data Source: Crowdstrike",
"Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "windows" and event.type == "start" and
process.name : ("powershell.exe", "cmd.exe", "mshta.exe") and process.parent.name : "explorer.exe" and
process.command_line : ("*recaptcha *", "*CAPTCHA Verif*", "*complete verification*", "*Verification ID*", "*Verification Code*", "*Verification UID*",
"*hυmаn vаlіdаtiοn*", "*human ID*", "*Action Identificator*", "*not a robot*", "*Click OK to*", "*anti-robot test*",
"*Cloudflare ID*")
'''
note = """## Triage and analysis
### Investigating Potential Fake CAPTCHA Phishing Attack
#### Possible investigation steps
- What does the pasted command do after the CAPTCHA or verification text?
- Why: lure text is the wrapper; payload behavior separates clickfix execution from testing or inert copy text.
- Focus: `process.name`, `process.command_line`, `process.parent.name`, and `process.parent.command_line` for URLs, encoded content, inline script, archive handling, or handoff to "mshta.exe", "cmd.exe", or "powershell.exe".
- Hint: fake-update or page-fix wording is the same abuse path when the command downloads, decodes, or hands execution to another utility.
- Implication: escalate when the command downloads content, rebuilds a payload, invokes another script host, or hides work after CAPTCHA wording; lower suspicion only for a bounded authorized simulation or lab command with no second-stage behavior.
- Is the shell or proxy binary and launch context consistent with paste-and-run clickfix?
- Focus: `process.executable`, `process.parent.executable`, `process.parent.command_line`, and `user.id`.
- Implication: escalate faster when the binary is renamed, user-writable, or launched from an unusual parent context for the user; a native shell path confirms identity but does not clear suspicious command content.
- Do children from the alerting instance show payload execution or follow-on tooling?
- Focus: child starts where `process.parent.entity_id` maps to `process.entity_id`, reviewing child `process.executable` and `process.command_line`. $investigate_2
- Hint: if `process.entity_id` is absent, recover children with `host.id` + `process.pid` in a tight alert-time window and treat the match as weaker.
- Implication: escalate when the same shell or "mshta.exe" starts installers, script hosts, archive tools, credential tooling, or more shells; no children reduce scope only if command intent and artifact/destination evidence also stay bounded.
- If file telemetry is available, did the process stage scripts, HTAs, archives, or payloads?
- Focus: process-scoped file events using `host.id` + `process.entity_id`, or `host.id` + `process.pid` as fallback, reviewing `file.path`, `file.origin_url`, and `file.Ext.windows.zone_identifier`. $investigate_4
- Implication: escalate when artifacts land in temp, downloads, desktop, public, startup, or other user-writable paths, carry internet provenance, or later execute; missing file telemetry is unresolved, not benign.
- If network telemetry is available, did the process retrieve payloads or contact callbacks?
- Focus: process-scoped network events using `host.id` + `process.entity_id`, separating DNS `dns.question.name` from connection `destination.ip` / `destination.port`. $investigate_3
- Hint: if `process.entity_id` is absent, use `host.id` + `process.pid` and a tight alert-time window. Missing network telemetry is unresolved, not benign.
- Implication: escalate when the same process reaches rare public domains, direct IPs, paste/file hosts, or service ports fitting retrieval or callback behavior; lower suspicion only when destinations belong to the same authorized simulation or lab workflow.
- Do surrounding process events explain the lure path into "explorer.exe"?
- Focus: same `host.id` and `user.id` process timeline, especially browser, chat, mail, archive, or download-manager starts in `process.name`, `process.parent.executable`, and `process.parent.command_line`. $investigate_5
- Implication: escalate when a browser/chat/download chain immediately precedes the paste-run shell or no controlled source explains the lure; lower suspicion when the sequence matches a planned awareness platform or lab harness and the command remains bounded.
- If local findings stay suspicious or unresolved, do related alerts change scope?
- Focus: recent alerts for the same `host.id`, then `user.id`, emphasizing reuse of the command fragment, shell/proxy binary, recovered artifact, destination, or persistence chain. $investigate_0
- Hint: use the user view after the host view, or when a shared host needs actor scoping for the command or lure pattern. $investigate_1
- Implication: broaden response when related alerts show the same lure-driven execution pattern on this host or user; quiet alert history does not close the case without a telemetry-backed benign workflow.
- Escalate on clickfix command intent plus suspicious children, staged artifacts, process-scoped destinations, delivery context, or related alerts; close only when alert-local evidence and recovery bind one authorized simulation or lab workflow with no contradiction; if evidence is mixed or visibility incomplete, preserve evidence and escalate.
### False positive analysis
- Security-awareness, phishing-simulation, red-team, malware-analysis, browser-security, and QA labs can intentionally execute fake CAPTCHA samples. Confirm one exact workflow: stable `process.command_line` fragment, expected `process.executable` and `process.parent.name`, bounded `user.id` / `host.id`, and recovered children, artifacts, and destinations that stay inside the exercise or lab set.
- Without exercise or lab records, close only when telemetry proves the same command fragment, parent context, `user.id`, `host.id`, and recovered evidence stayed bounded across prior alerts from this rule. Do not close when child execution, artifact staging, destination activity, or related alerts contradict the expected workflow.
- Build exceptions only from the minimum confirmed workflow: command fragment, process identity, parent context, `user.id`, `host.id`, and any recovered artifact or destination pattern. Avoid exceptions on lure text, "explorer.exe", `process.name`, or a user alone.
### Response and remediation
- If confirmed benign, reverse temporary containment and record the command, process identity, parent context, `user.id`, `host.id`, and recovered supporting evidence that proved the authorized simulation or lab workflow. Create an exception only when that exact workflow recurs.
- If suspicious but unconfirmed, export the alert, process tree, `process.entity_id`, `process.command_line`, child command lines, volatile state, and any recovered artifact paths, domains, IPs, or ports before containment. Apply reversible controls first, such as temporary destination blocks, browser-session reset, heightened monitoring, or endpoint isolation when retrieval, staging, or second-stage execution makes continued connectivity risky.
- If confirmed malicious, isolate the host when command intent plus child, artifact, or destination evidence establishes compromise. Terminate the malicious shell, "mshta.exe", or follow-on children only after evidence is recorded, then block confirmed domains, IPs, hashes, or URLs and reset credentials only if the investigation shows account misuse.
- Eradicate only the staged scripts, HTAs, archives, payloads, or persistence artifacts found during the investigation, then remediate the web, chat, mail, or download path that led the user to run the lure.
- Post-incident hardening: retain process, file, and network telemetry needed for future clickfix triage; review browser protections, clipboard/paste execution controls, and user-awareness coverage; record the confirmed lure wording and paste-run chain in the case notes.
"""
setup = """## Setup
This rule is designed for data generated by [Elastic Defend](https://www.elastic.co/security/endpoint-security), which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules.
Setup instructions: https://ela.st/install-elastic-defend
### Additional data sources
This rule also supports the following third-party data sources. For setup instructions, refer to the links below:
- [CrowdStrike](https://ela.st/crowdstrike-integration)
- [Microsoft Defender XDR](https://ela.st/m365-defender)
- [SentinelOne Cloud Funnel](https://ela.st/sentinel-one-cloud-funnel)
- [Sysmon Event ID 1 - Process Creation](https://ela.st/sysmon-event-1-setup)
- [Windows Process Creation Logs](https://ela.st/audit-process-creation)
"""
[rule.investigation_fields]
field_names = [
"@timestamp",
"host.name",
"host.id",
"user.id",
"process.name",
"process.executable",
"process.command_line",
"process.pid",
"process.entity_id",
"process.parent.name",
"process.parent.executable",
"process.parent.command_line",
]
[transform]
[[transform.investigate]]
label = "Alerts associated with the host"
description = ""
providers = [
[
{ excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
{ excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" }
]
]
relativeFrom = "now-48h/h"
relativeTo = "now"
[[transform.investigate]]
label = "Alerts associated with the user"
description = ""
providers = [
[
{ excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
{ excluded = false, field = "user.id", queryType = "phrase", value = "{{user.id}}", valueType = "string" }
]
]
relativeFrom = "now-48h/h"
relativeTo = "now"
[[transform.investigate]]
label = "Child process starts from the same alerting instance"
description = ""
providers = [
[
{ excluded = false, field = "event.category", queryType = "phrase", value = "process", valueType = "string" },
{ excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
{ excluded = false, field = "process.parent.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" }
]
]
relativeFrom = "now-1h"
relativeTo = "now"
[[transform.investigate]]
label = "Network activity for the alerting instance"
description = ""
providers = [
[
{ excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
{ excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" },
{ excluded = false, field = "event.category", queryType = "phrase", value = "network", valueType = "string" }
]
]
relativeFrom = "now-1h"
relativeTo = "now"
[[transform.investigate]]
label = "File activity for the alerting instance"
description = ""
providers = [
[
{ excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
{ excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" },
{ excluded = false, field = "event.category", queryType = "phrase", value = "file", valueType = "string" }
]
]
relativeFrom = "now-1h"
relativeTo = "now"
[[transform.investigate]]
label = "Process timeline for the host and user"
description = ""
providers = [
[
{ excluded = false, field = "event.category", queryType = "phrase", value = "process", valueType = "string" },
{ excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
{ excluded = false, field = "user.id", queryType = "phrase", value = "{{user.id}}", valueType = "string" }
]
]
relativeFrom = "now-1h"
relativeTo = "now"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.001"
name = "PowerShell"
reference = "https://attack.mitre.org/techniques/T1059/001/"
[[rule.threat.technique.subtechnique]]
id = "T1059.003"
name = "Windows Command Shell"
reference = "https://attack.mitre.org/techniques/T1059/003/"
[[rule.threat.technique]]
id = "T1204"
name = "User Execution"
reference = "https://attack.mitre.org/techniques/T1204/"
[[rule.threat.technique.subtechnique]]
id = "T1204.004"
name = "Malicious Copy and Paste"
reference = "https://attack.mitre.org/techniques/T1204/004/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1218"
name = "System Binary Proxy Execution"
reference = "https://attack.mitre.org/techniques/T1218/"
[[rule.threat.technique.subtechnique]]
id = "T1218.005"
name = "Mshta"
reference = "https://attack.mitre.org/techniques/T1218/005/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1189"
name = "Drive-by Compromise"
reference = "https://attack.mitre.org/techniques/T1189/"
[[rule.threat.technique]]
id = "T1566"
name = "Phishing"
reference = "https://attack.mitre.org/techniques/T1566/"
[[rule.threat.technique.subtechnique]]
id = "T1566.001"
name = "Spearphishing Attachment"
reference = "https://attack.mitre.org/techniques/T1566/001/"
[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"