From 8d18ec7df0f65014014380c34d9e42961d20cf34 Mon Sep 17 00:00:00 2001
From: Alfie Champion <62765165+ajpc500@users.noreply.github.com>
Date: Tue, 1 Jul 2025 09:21:27 +0100
Subject: [PATCH] Merge PR #5503 from @ajpc500 - include cmd.exe child process

update: FileFix - Suspicious Child Process from Browser File Upload Abuse - add cmd.exe child process

---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
---
 .../proc_creation_win_filefix_browsers.yml | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/rules/windows/process_creation/proc_creation_win_filefix_browsers.yml b/rules/windows/process_creation/proc_creation_win_filefix_browsers.yml
index a88bb2f44..d4cfcf1c4 100644
--- a/rules/windows/process_creation/proc_creation_win_filefix_browsers.yml
+++ b/rules/windows/process_creation/proc_creation_win_filefix_browsers.yml
@@ -9,6 +9,7 @@ references:
     - https://mrd0x.com/filefix-clickfix-alternative/
 author: 0xFustang
 date: 2025-06-26
+modified: 2025-06-30
 tags:
     - attack.execution
     - attack.t1204.004
@@ -18,17 +19,18 @@ logsource:
 detection:
     selection:
         ParentImage|endswith:
-            - '\chrome.exe'
-            - '\msedge.exe'
-            - '\firefox.exe'
             - '\brave.exe'
+            - '\chrome.exe'
+            - '\firefox.exe'
+            - '\msedge.exe'
         Image|endswith:
+            - '\bitsadmin.exe'
+            - '\certutil.exe'
+            - '\cmd.exe'
+            - '\mshta.exe'
             - '\powershell.exe'
             - '\pwsh.exe'
             - '\regsvr32.exe'
-            - '\bitsadmin.exe'
-            - '\certutil.exe'
-            - '\mshta.exe'
         CommandLine|contains: '#'
     condition: selection
 falsepositives:
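Review bot: Adding `\cmd.exe` to `Image|endswith` while keeping `CommandLine|contains: '#'` as the only other discriminator does not really extend coverage to cmd.exe children: the `#` in the referenced FileFix write-up works because PowerShell treats it as a comment that swallows the fake file path, whereas cmd.exe has no `#` comment syntax, so a cmd-based lure would appear able to hide the trailing path behind ` rem `, `::` or a bare `&` separator and never contain `#` at all. A dedicated selection for that child — `Image|endswith: '\cmd.exe'` with `CommandLine|contains: [' rem ', '::']`, joined by `condition: selection or selection_cmd` — would cover that variant without loosening the existing match. Conversely, `#` is a common character in URLs and file names handed to helper processes, and cmd.exe is the most frequently spawned child of all, so this single-character match combined with cmd.exe is likely to raise the false-positive rate; the `falsepositives:` value that should document this lies outside the hunk. The `detection` block starts inside the hunk but the rule file continues past its last context line.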