IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

Potential Fake CAPTCHA Phishing Attack


Identifies potential fake CAPTCHA phishing attacks based on PowerShell, Cmd, or Mshta command-line values. Adversaries employ this technique via compromised websites with browser injects, posing either as fake CAPTCHAs to access the site or as a page loading error requiring a fix to display the page. The victim is instructed to copy and paste a malicious command to the Windows Run dialog box.

Rule type: eql

Rule indices:

  • logs-endpoint.events.process-*
  • logs-crowdstrike.fdr*
  • logs-m365_defender.event-*
  • logs-sentinel_one_cloud_funnel.*
  • logs-system.security*
  • logs-windows.forwarded*
  • logs-windows.sysmon_operational-*
  • winlogbeat-*

Severity: high

Risk score: 73

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References: None

Tags:

  • Domain: Endpoint
  • OS: Windows
  • Use Case: Threat Detection
  • Tactic: Execution
  • Data Source: Windows Security Event Logs
  • Data Source: Elastic Defend
  • Data Source: Sysmon
  • Data Source: SentinelOne
  • Data Source: Microsoft Defender XDR
  • Data Source: Crowdstrike
  • Resources: Investigation Guide

Version: 4

Rule authors:

  • Elastic

Rule license: Elastic License v2

Investigation guide


Triage and analysis

Investigating Potential Fake CAPTCHA Phishing Attack

Possible investigation steps

  • What does the pasted command do after the CAPTCHA or verification text?
    • Why: the lure text is only the wrapper; payload behavior is what separates a clickfix execution from testing or inert copied text.
    • Focus: process.name, process.command_line, process.parent.name, and process.parent.command_line for URLs, encoded content, inline script, archive handling, or handoff to "mshta.exe", "cmd.exe", or "powershell.exe".
    • Hint: fake-update or page-fix wording is the same abuse path when the command downloads, decodes, or hands execution to another utility.
    • Implication: escalate when the command downloads content, rebuilds a payload, invokes another script host, or hides work behind CAPTCHA wording; lower suspicion only for a bounded, authorized simulation or lab command with no second-stage behavior.
  • Are the shell or proxy binary and its launch context consistent with paste-and-run clickfix?
    • Focus: process.executable, process.parent.executable, process.parent.command_line, and user.id.
    • Implication: escalate faster when the binary is renamed, user-writable, or launched from an unusual parent context for the user; a native shell path confirms the binary's identity but does not clear suspicious command content.
  • Do children of the alerting instance show payload execution or follow-on tooling?
    • Focus: child starts whose process.parent.entity_id maps to the alert's process.entity_id, reviewing each child's process.executable and process.command_line. (Investigation query "Child process starts from the same alerting instance": event.category = process, same host.id, process.parent.entity_id = the alert's process.entity_id, last 1h.)
    • Hint: if process.entity_id is absent, recover children with host.id + process.pid in a tight window around the alert time and treat the match as weaker.
    • Implication: escalate when the same shell or "mshta.exe" starts installers, script hosts, archive tools, credential tooling, or more shells; the absence of children reduces scope only if command intent and artifact/destination evidence also stay bounded.
  • If file telemetry is available, did the process stage scripts, HTAs, archives, or payloads?
    • Focus: process-scoped file events using host.id + process.entity_id, or host.id + process.pid as a fallback, reviewing file.path, file.origin_url, and file.Ext.windows.zone_identifier. (Investigation query "File activity for the alerting instance": same host.id, same process.entity_id, event.category = file, last 1h.)
    • Implication: escalate when artifacts land in temp, downloads, desktop, public, startup, or other user-writable paths, carry internet provenance, or later execute; missing file telemetry is unresolved, not benign.
  • If network telemetry is available, did the process retrieve payloads or contact callbacks?
    • Focus: process-scoped network events using host.id + process.entity_id, separating DNS lookups (dns.question.name) from connections (destination.ip / destination.port). (Investigation query "Network activity for the alerting instance": same host.id, same process.entity_id, event.category = network, last 1h.)
    • Hint: if process.entity_id is absent, use host.id + process.pid and a tight window around the alert time. Missing network telemetry is unresolved, not benign.
    • Implication: escalate when the same process reaches rare public domains, direct IPs, paste/file hosts, or service ports consistent with retrieval or callback behavior; lower suspicion only when the destinations belong to the same authorized simulation or lab workflow.
  • Do surrounding process events explain the lure path into "explorer.exe"?
    • Focus: the process timeline for the same host.id and user.id, especially browser, chat, mail, archive, or download-manager starts in process.name, process.parent.executable, and process.parent.command_line. (Investigation query "Process timeline for the host and user": event.category = process, same host.id, same user.id, last 1h.)
    • Implication: escalate when a browser/chat/download chain immediately precedes the paste-run shell or no controlled source explains the lure; lower suspicion when the sequence matches a planned awareness platform or lab harness and the command remains bounded.
  • If local findings stay suspicious or unresolved, do related alerts change the scope?
    • Focus: recent alerts for the same host.id, then the same user.id, emphasizing reuse of the command fragment, shell/proxy binary, recovered artifact, destination, or persistence chain. (Investigation query "Alerts associated with the host": event.kind = signal, same host.id, last 48h.)
    • Hint: use the user view after the host view, or when a shared host needs actor scoping for the command or lure pattern. (Investigation query "Alerts associated with the user": event.kind = signal, same user.id, last 48h.)
    • Implication: broaden the response when related alerts show the same lure-driven execution pattern on this host or user; a quiet alert history does not close the case without a telemetry-backed benign workflow.
  • Escalate on clickfix command intent plus suspicious children, staged artifacts, process-scoped destinations, delivery context, or related alerts; close only when alert-local evidence and recovery bind the activity to one authorized simulation or lab workflow with no contradiction; if the evidence is mixed or visibility is incomplete, preserve evidence and escalate.

False positive analysis

  • Security-awareness, phishing-simulation, red-team, malware-analysis, browser-security, and QA labs can intentionally execute fake CAPTCHA samples. Confirm one exact workflow: stable process.command_line fragment, expected process.executable and process.parent.name, bounded user.id / host.id, and recovered children, artifacts, and destinations that stay inside the exercise or lab set.
  • Without exercise or lab records, close only when telemetry proves the same command fragment, parent context, user.id, host.id, and recovered evidence stayed bounded across prior alerts from this rule. Do not close when child execution, artifact staging, destination activity, or related alerts contradict the expected workflow.
  • Build exceptions only from the minimum confirmed workflow: command fragment, process identity, parent context, user.id, host.id, and any recovered artifact or destination pattern. Avoid exceptions on lure text, "explorer.exe", process.name, or a user alone.

Response and remediation

  • If confirmed benign, reverse temporary containment and record the command, process identity, parent context, user.id, host.id, and recovered supporting evidence that proved the authorized simulation or lab workflow. Create an exception only when that exact workflow recurs.
  • If suspicious but unconfirmed, export the alert, process tree, process.entity_id, process.command_line, child command lines, volatile state, and any recovered artifact paths, domains, IPs, or ports before containment. Apply reversible controls first, such as temporary destination blocks, browser-session reset, heightened monitoring, or endpoint isolation when retrieval, staging, or second-stage execution makes continued connectivity risky.
  • If confirmed malicious, isolate the host when command intent plus child, artifact, or destination evidence establishes compromise. Terminate the malicious shell, "mshta.exe", or follow-on children only after evidence is recorded, then block confirmed domains, IPs, hashes, or URLs and reset credentials only if the investigation shows account misuse.
  • Eradicate only the staged scripts, HTAs, archives, payloads, or persistence artifacts found during the investigation, then remediate the web, chat, mail, or download path that led the user to run the lure.
  • Post-incident hardening: retain process, file, and network telemetry needed for future clickfix triage; review browser protections, clipboard/paste execution controls, and user-awareness coverage; record the confirmed lure wording and paste-run chain in the case notes.

Setup


This rule is designed for data generated by Elastic Defend, which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules.

Setup instructions: https://ela.st/install-elastic-defend

Additional data sources

This rule also supports the following third-party data sources. For setup instructions, refer to the links below:

Rule query

process where host.os.type == "windows" and event.type == "start" and
 process.name : ("powershell.exe", "cmd.exe", "mshta.exe") and process.parent.name : "explorer.exe" and
 process.command_line : ("*recaptcha *", "*CAPTCHA Verif*", "*complete verification*", "*Verification ID*", "*Verification Code*", "*Verification UID*",
                         "*hυmаn vаlіdаtiοn*", "*human ID*", "*Action Identificator*", "*not a robot*", "*Click OK to*", "*anti-robot test*",
                         "*Cloudflare ID*")
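To show exactly which events the query above accepts and rejects, here is an added Python re-implementation of the rule's conditions run over constructed ECS-style process events (example code written for this page, not Elastic's own engine). It assumes EQL's `:` operator on strings is case-insensitive with `*` as a wildcard, and it copies the seventh pattern verbatim, including its Greek/Cyrillic homoglyphs, so the ASCII spelling "human validation" does not match it.

```python
import re

# Conditions copied from the rule query on this page
RULE_NAMES = ("powershell.exe", "cmd.exe", "mshta.exe")
RULE_PARENT = "explorer.exe"
RULE_PATTERNS = (
    "*recaptcha *", "*CAPTCHA Verif*", "*complete verification*", "*Verification ID*",
    "*Verification Code*", "*Verification UID*", "*hυmаn vаlіdаtiοn*", "*human ID*",
    "*Action Identificator*", "*not a robot*", "*Click OK to*", "*anti-robot test*",
    "*Cloudflare ID*",
)
# The seventh pattern is spelled with homoglyphs in the rule itself; keep it byte-for-byte
HOMOGLYPH_LURE = RULE_PATTERNS[6].strip("*")


def eql_match(value: str, pattern: str) -> bool:
    """Approximation (assumption) of EQL ':' on strings: case-insensitive, '*' matches any run."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, flags=re.IGNORECASE | re.DOTALL) is not None


def make_event(name, parent, cmd, os_type="windows", event_type="start"):
    """Constructed ECS-style process event, flattened to dotted keys for brevity."""
    return {"host.os.type": os_type, "event.type": event_type, "process.name": name,
            "process.parent.name": parent, "process.command_line": cmd}


def rule_fires(ev: dict) -> bool:
    """Evaluate the page's EQL conditions against a single event."""
    return (ev["host.os.type"] == "windows" and ev["event.type"] == "start"
            and ev["process.name"].lower() in RULE_NAMES
            and ev["process.parent.name"].lower() == RULE_PARENT
            and any(eql_match(ev["process.command_line"], p) for p in RULE_PATTERNS))


# Constructed samples: lure wording only, no payload. Labels describe the triage point.
LURE = 'powershell -Command "# I am not a robot - reCAPTCHA Verification ID: 4123"'
SAMPLES = {
    "paste_run_ps": make_event("powershell.exe", "explorer.exe", LURE),     # Run-dialog paste
    "script_child_ps": make_event("powershell.exe", "powershell.exe", LURE),  # wrong parent
    "upper_case_cmd": make_event("cmd.exe", "explorer.exe", "cmd /c echo COMPLETE VERIFICATION"),
    "homoglyph_mshta": make_event("mshta.exe", "explorer.exe", f"mshta.exe {HOMOGLYPH_LURE}"),
    "ascii_lookalike": make_event("mshta.exe", "explorer.exe", "mshta.exe human validation"),
    "other_binary": make_event("notepad.exe", "explorer.exe", "notepad.exe not a robot"),
}


def firing_samples() -> list:
    """Names of the constructed samples this rule would alert on."""
    return sorted(k for k, ev in SAMPLES.items() if rule_fires(ev))
```

The `script_child_ps` and `ascii_lookalike` samples are the cases worth remembering when tuning: the parent must be "explorer.exe", and only the homoglyph spelling of the validation lure is in the pattern list.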

Framework: MITRE ATT&CK™