
Commit 75dacb0

committed
Logic updates per comment
1 parent 6020d36 commit 75dacb0


1 file changed

+11
-8
lines changed


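--- a/detections/endpoint/windows_powershell_fakecaptcha_clipboard_execution.yml
+++ b/detections/endpoint/windows_powershell_fakecaptcha_clipboard_execution.yml
@@ -1,6 +1,6 @@
 name: Windows PowerShell FakeCAPTCHA Clipboard Execution
 id: d81d4d3d-76b5-4f21-ab51-b17d5164c106
-version: 1
+version: 2
 date: '2025-05-14'
 author: Michael Haag, Splunk
 status: production
@@ -10,20 +10,23 @@ data_source:
 - Sysmon EventID 1
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
 as lastTime FROM datamodel=Endpoint.Processes where `process_powershell`
+AND Processes.process="*-w*h*"
 AND (
-(Processes.process IN ("* -w hidden *", "* -window hidden *", "* -windowstyle hidden *", "*-w h*", "*-wind h*", "*-windowstyle h*") OR Processes.process="*-w h*")
-AND
-(
-(Processes.process IN ("*robot*", "*captcha-iogo*", "*Robot*", "*captcha-logo*", "*Captcha*", "*captcha-container*", "*captcha*", "*captcha-box*", "*CAPTCHA*", "*CaptchaListeners*"))
+(Processes.process IN ("*robot*", "*captcha*", "*CAPTCHA*", "*verify*", "*security check*", "*complete verification*"))
 OR
 (
 (Processes.process IN ("*iwr *", "*Invoke-WebRequest*", "*wget *", "*curl *", "*Net.WebClient*", "*DownloadString*", "*[Convert]::FromBase64String*"))
 AND
-(Processes.process IN ("*|iex*", "*|Invoke-Expression*", "* iex *", "* Invoke-Expression *"))
+(Processes.process IN ("*iex*", "*Invoke-Expression*"))
+AND
+(Processes.process IN ("*click*", "*verify*", "*check*", "*human*", "*bot*", "*token*", "*challenge*"))
 )
 OR
-(Processes.process="*FromBase64String*" AND Processes.process="*iex*")
-)
+(
+Processes.process="*clipboard*"
+AND Processes.process="*iex*"
+AND (Processes.process="*FromBase64String*" OR Processes.process="*decode*")
+)
 )
 by Processes.action Processes.dest Processes.original_file_name Processes.parent_process
 Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id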
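Review bot: The keyword list on new line 15 keeps both `"*captcha*"` and `"*CAPTCHA*"` but drops the old `"*Captcha*"` and `"*Robot*"`, so either the tstats `where` match is case-sensitive and the mixed-case spellings are now uncovered, or it is case-insensitive and the two remaining casings are redundant; the list should be made consistent with whichever semantics actually apply. The new gate on new line 13, `AND Processes.process="*-w*h*"`, is also far looser than the removed window-style patterns: it matches any command line with `-w` followed anywhere later by an `h`, and because the keyword branch still stands on its own, a hidden-window PowerShell whose arguments merely contain `verify` or `robot` will now fire. If that breadth is intended, it should be stated in the detection's description or `known_false_positives` field; otherwise consider anchoring the switch, e.g. `AND Processes.process IN ("*-w h*", "*-w hidden*", "*-windowstyle h*")`. The `search` string continues outside the hunk.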
