File Fix Detection
Query
// FileFix - Social Engineering Attack Detection
// https://mrd0x.com/filefix-clickfix-alternative/
let MonitoredCommands = dynamic(["powershell","pwsh","regsvr32","bitsadmin","certutil", "mshta"]);
let BrowserList = dynamic(["chrome","msedge","firefox","brave"]);
DeviceProcessEvents
| where Timestamp > ago(1h)
| where FileName has_any(MonitoredCommands) and InitiatingProcessFileName has_any(BrowserList)Explanation
This query is designed to detect potential social engineering attacks by monitoring specific command-line activities. Here's a simple breakdown:
-
Monitored Commands: It focuses on certain command-line tools that are often used in attacks, such as "powershell", "pwsh", "regsvr32", "bitsadmin", "certutil", and "mshta".
-
Browser List: It looks for these commands being initiated by web browsers like "chrome", "msedge", "firefox", and "brave".
-
Time Frame: The query examines events that have occurred within the last hour.
-
Data Source: It uses the
DeviceProcessEventstable to find relevant events. -
Filter Criteria: It filters the events to find instances where any of the monitored commands were executed and were initiated by any of the listed browsers.
In summary, this query is searching for instances where potentially suspicious command-line tools are being run as a result of actions taken in a web browser, which could indicate a social engineering attack.
Details

Steven Lim
Released: June 24, 2025
Tables
Keywords
Operators