T1204.004

Malicious Copy and Paste

Adversaries may rely upon a user copying and pasting code to gain execution (ClickFix). Victims are presented with fake error messages, CAPTCHA prompts, or troubleshooting instructions on malicious websites or in phishing emails that instruct them to open a terminal, Windows Run dialog, or command prompt and paste a pre-supplied command. The pasted command typically includes download cradles, encoded payloads, or inline scripts designed to establish a foothold on the victim machine. ClickFix bypasses email filtering, browser sandboxing, and file execution controls because the user themselves executes the payload. Threat actors including Contagious Interview (DPRK-linked), Havoc C2 operators, and Lumma Stealer distribution campaigns have heavily leveraged this technique against enterprise users.

Microsoft Sentinel / Defender

kusto

let SuspiciousInterpreters = dynamic(["powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"]);
let ClickFixPatterns = dynamic([
    // Download cradles
    "DownloadString", "DownloadFile", "Net.WebClient", "Invoke-WebRequest", "IWR ",
    "curl ", "wget ", "certutil -urlcache", "bitsadmin /transfer",
    // Execution and obfuscation
    "-EncodedCommand", "-enc ", "Invoke-Expression", "IEX(", "IEX ",
    "FromBase64String",
    // Inline execution patterns (mshta/wscript)
    "javascript:", "vbscript:",
    // Direct HTTP payload execution
    "msiexec /i http", "msiexec /i https",
    "regsvr32 /s /n /u /i:http"
]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where (
    // Branch 1: Run Dialog — explorer.exe spawning scripting tools with malicious command patterns
    (InitiatingProcessFileName =~ "explorer.exe"
        and FileName in~ (SuspiciousInterpreters)
        and ProcessCommandLine has_any (ClickFixPatterns))
    // Branch 2: Browser spawning script interpreters with malicious patterns (fake CAPTCHA page)
    or (InitiatingProcessFileName in~ ("chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe", "brave.exe")
        and FileName in~ (SuspiciousInterpreters)
        and ProcessCommandLine has_any (ClickFixPatterns))
    // Branch 3: mshta/wscript executing inline scripts or fetching remote content from user-context parents
    or (FileName in~ ("mshta.exe", "wscript.exe")
        and ProcessCommandLine has_any ("javascript:", "vbscript:", "http://", "https://")
        and InitiatingProcessFileName in~ ("explorer.exe", "chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe", "brave.exe"))
)
| extend RunDialogExecution = InitiatingProcessFileName =~ "explorer.exe"
| extend BrowserSpawn = InitiatingProcessFileName in~ ("chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe", "brave.exe")
| extend InlineScript = ProcessCommandLine has_any ("javascript:", "vbscript:")
| extend DownloadCradle = ProcessCommandLine has_any ("DownloadString", "DownloadFile", "Net.WebClient", "Invoke-WebRequest", "IWR ", "curl ", "certutil -urlcache", "bitsadmin /transfer")
| extend EncodedPayload = ProcessCommandLine has_any ("-EncodedCommand", "-enc ", "FromBase64String")
| extend InvokeExpression = ProcessCommandLine has_any ("IEX(", "IEX ", "Invoke-Expression")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         RunDialogExecution, BrowserSpawn, InlineScript, DownloadCradle, EncodedPayload, InvokeExpression
| sort by Timestamp desc

high severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

IT administrators opening PowerShell from Run dialog (Win+R → powershell) for legitimate admin tasks — suppress by allowlisting specific known-good command line patterns tied to documented admin workflows
Software installation scripts that launch PowerShell from explorer.exe context during user-initiated installs (e.g., clicking a setup.exe in Explorer that chains to PowerShell)
Browser native messaging hosts spawned by browser extensions for legitimate inter-process communication — these typically lack download cradle patterns but may share the browser-parent signal
Enterprise HTA applications (mshta.exe) that fetch content over HTTP from internal corporate servers — allowlist by internal IP/domain ranges in the ProcessCommandLine filter

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
((ParentImage="*\\explorer.exe" AND (Image="*\\powershell.exe" OR Image="*\\pwsh.exe" OR Image="*\\cmd.exe" OR Image="*\\mshta.exe" OR Image="*\\wscript.exe" OR Image="*\\cscript.exe"))
OR ((ParentImage="*\\chrome.exe" OR ParentImage="*\\firefox.exe" OR ParentImage="*\\msedge.exe" OR ParentImage="*\\iexplore.exe" OR ParentImage="*\\brave.exe") AND (Image="*\\powershell.exe" OR Image="*\\pwsh.exe" OR Image="*\\cmd.exe" OR Image="*\\mshta.exe"))
OR ((Image="*\\mshta.exe" OR Image="*\\wscript.exe") AND (CommandLine="*javascript:*" OR CommandLine="*vbscript:*" OR CommandLine="*http://*" OR CommandLine="*https://*")))
| eval CommandLineLower=lower(CommandLine)
| eval RunDialogExecution=if(like(ParentImage, "%\\explorer.exe"), 1, 0)
| eval BrowserSpawn=if(match(ParentImage, "(chrome|firefox|msedge|iexplore|brave)\.exe$"), 1, 0)
| eval DownloadCradle=if(match(CommandLineLower, "(downloadstring|downloadfile|net\.webclient|invoke-webrequest|iwr\s|curl\s|wget\s|certutil.*urlcache|bitsadmin.*transfer)"), 1, 0)
| eval EncodedPayload=if(match(CommandLineLower, "(-encodedcommand|-enc\s|frombase64string)"), 1, 0)
| eval InlineScript=if(match(CommandLineLower, "(javascript:|vbscript:)"), 1, 0)
| eval InvokeExpression=if(match(CommandLineLower, "(invoke-expression|iex\(|iex\s)"), 1, 0)
| eval RemoteExec=if(match(CommandLineLower, "(msiexec.*(https?://)|regsvr32.*/i:https?://)"), 1, 0)
| eval ClickFixScore=RunDialogExecution + BrowserSpawn + DownloadCradle + EncodedPayload + InlineScript + InvokeExpression + RemoteExec
| where DownloadCradle=1 OR EncodedPayload=1 OR InlineScript=1 OR InvokeExpression=1 OR RemoteExec=1
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, RunDialogExecution, BrowserSpawn, DownloadCradle, EncodedPayload, InlineScript, InvokeExpression, ClickFixScore
| sort - ClickFixScore, - _time

high severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

IT administrators opening PowerShell from Run dialog with download-related parameters for legitimate patch management or configuration scripts
Software installers launched from Windows Explorer that chain to PowerShell or cmd with download steps during user-initiated setup
Browser-based terminal emulators or developer tools that spawn cmd.exe/PowerShell as a subprocess for legitimate integrated terminal functionality
Legitimate enterprise HTA applications using mshta.exe to fetch UI content from internal HTTP servers — tune by excluding known-internal IP ranges from the CommandLine match

Elastic Security (EQL)

eql

process where event.type == "start" and
(
  (
    process.parent.name : "explorer.exe" and
    process.name : ("powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe") and
    process.command_line : (
      "*DownloadString*", "*DownloadFile*", "*Net.WebClient*", "*Invoke-WebRequest*",
      "*IWR *", "*curl *", "*wget *", "*certutil*urlcache*", "*bitsadmin*transfer*",
      "*-EncodedCommand*", "*-enc *", "*Invoke-Expression*", "*IEX(*", "*IEX *",
      "*FromBase64String*", "*javascript:*", "*vbscript:*",
      "*msiexec* http*", "*msiexec* https*", "*regsvr32*/i:http*"
    )
  ) or
  (
    process.parent.name : ("chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe", "brave.exe") and
    process.name : ("powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe") and
    process.command_line : (
      "*DownloadString*", "*DownloadFile*", "*Net.WebClient*", "*Invoke-WebRequest*",
      "*IWR *", "*curl *", "*wget *", "*certutil*urlcache*", "*bitsadmin*transfer*",
      "*-EncodedCommand*", "*-enc *", "*Invoke-Expression*", "*IEX(*", "*IEX *",
      "*FromBase64String*"
    )
  ) or
  (
    process.name : ("mshta.exe", "wscript.exe") and
    process.parent.name : ("explorer.exe", "chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe", "brave.exe") and
    process.command_line : ("*javascript:*", "*vbscript:*", "*http://*", "*https://*")
  )
)

high severity high confidence

Data Sources

Elastic Endpoint Security (endpoint.events.process) Winlogbeat with Sysmon (winlogbeat-*) Elastic Agent process events

Required Tables

logs-endpoint.events.process-* winlogbeat-*

False Positives

IT administrators running PowerShell download cradles via Run dialog for legitimate software deployment or patching tasks (e.g., downloading SCCM client, running PDQ Deploy scripts).
Developers using browser-embedded terminals or cloud shell extensions (e.g., Azure Cloud Shell browser tab) that spawn local PowerShell with encoded commands for scaffolding or build tasks.
Security team members executing encoded or download-based PowerShell during authorized red team exercises, atomic testing (Atomic Red Team), or detection validation against endpoints.
Legitimate software installers that use certutil.exe or bitsadmin.exe to download update packages, particularly common with enterprise software that chains browser download to native installer execution.

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  devicehostname AS hostname,
  username,
  CATEGORYNAME(category) AS event_category,
  QIDNAME(qid) AS event_name,
  UTF8(PAYLOAD) AS raw_payload,
  sourceip
FROM events
WHERE
  LOGSOURCETYPEID IN (12, 352)
  AND starttime > DATEADD('hour', -24, NOW())
  AND (
    (
      UTF8(PAYLOAD) ILIKE '%ParentImage%\\explorer.exe%'
      AND (
        UTF8(PAYLOAD) ILIKE '%Image%\\powershell.exe%'
        OR UTF8(PAYLOAD) ILIKE '%Image%\\pwsh.exe%'
        OR UTF8(PAYLOAD) ILIKE '%Image%\\cmd.exe%'
        OR UTF8(PAYLOAD) ILIKE '%Image%\\mshta.exe%'
        OR UTF8(PAYLOAD) ILIKE '%Image%\\wscript.exe%'
        OR UTF8(PAYLOAD) ILIKE '%Image%\\cscript.exe%'
      )
    )
    OR (
      (
        UTF8(PAYLOAD) ILIKE '%ParentImage%\\chrome.exe%'
        OR UTF8(PAYLOAD) ILIKE '%ParentImage%\\firefox.exe%'
        OR UTF8(PAYLOAD) ILIKE '%ParentImage%\\msedge.exe%'
        OR UTF8(PAYLOAD) ILIKE '%ParentImage%\\iexplore.exe%'
        OR UTF8(PAYLOAD) ILIKE '%ParentImage%\\brave.exe%'
      )
      AND (
        UTF8(PAYLOAD) ILIKE '%Image%\\powershell.exe%'
        OR UTF8(PAYLOAD) ILIKE '%Image%\\pwsh.exe%'
        OR UTF8(PAYLOAD) ILIKE '%Image%\\cmd.exe%'
        OR UTF8(PAYLOAD) ILIKE '%Image%\\mshta.exe%'
      )
    )
    OR (
      (
        UTF8(PAYLOAD) ILIKE '%Image%\\mshta.exe%'
        OR UTF8(PAYLOAD) ILIKE '%Image%\\wscript.exe%'
      )
      AND (
        UTF8(PAYLOAD) ILIKE '%ParentImage%\\explorer.exe%'
        OR UTF8(PAYLOAD) ILIKE '%ParentImage%\\chrome.exe%'
        OR UTF8(PAYLOAD) ILIKE '%ParentImage%\\firefox.exe%'
        OR UTF8(PAYLOAD) ILIKE '%ParentImage%\\msedge.exe%'
        OR UTF8(PAYLOAD) ILIKE '%ParentImage%\\iexplore.exe%'
        OR UTF8(PAYLOAD) ILIKE '%ParentImage%\\brave.exe%'
      )
      AND (
        UTF8(PAYLOAD) ILIKE '%javascript:%'
        OR UTF8(PAYLOAD) ILIKE '%vbscript:%'
        OR UTF8(PAYLOAD) ILIKE '%http://%'
        OR UTF8(PAYLOAD) ILIKE '%https://%'
      )
    )
  )
  AND (
    UTF8(PAYLOAD) ILIKE '%DownloadString%'
    OR UTF8(PAYLOAD) ILIKE '%DownloadFile%'
    OR UTF8(PAYLOAD) ILIKE '%Net.WebClient%'
    OR UTF8(PAYLOAD) ILIKE '%Invoke-WebRequest%'
    OR UTF8(PAYLOAD) ILIKE '%certutil%urlcache%'
    OR UTF8(PAYLOAD) ILIKE '%bitsadmin%transfer%'
    OR UTF8(PAYLOAD) ILIKE '%-EncodedCommand%'
    OR UTF8(PAYLOAD) ILIKE '%FromBase64String%'
    OR UTF8(PAYLOAD) ILIKE '%Invoke-Expression%'
    OR UTF8(PAYLOAD) ILIKE '%IEX(%'
    OR UTF8(PAYLOAD) ILIKE '%javascript:%'
    OR UTF8(PAYLOAD) ILIKE '%vbscript:%'
    OR UTF8(PAYLOAD) ILIKE '%msiexec%http%'
    OR UTF8(PAYLOAD) ILIKE '%regsvr32%/i:http%'
  )
ORDER BY starttime DESC
LIMIT 500

high severity medium confidence

Data Sources

IBM QRadar SIEM with Microsoft Windows log source (Sysmon Event ID 1 via WEF or direct agent) QRadar WinCollect agent collecting Microsoft-Windows-Sysmon/Operational channel

Required Tables

events

False Positives

Enterprise endpoint management tools (SCCM, Intune, Ansible) that invoke PowerShell with download cradles or encoded commands via system-level parent processes that inherit explorer.exe context during user-interactive sessions.
Developers running legitimate base64-encoded or download-based PowerShell scripts from browser-integrated development environments or web-based dashboards (e.g., Jenkins build agents, GitLab CI runner UI).
Security operations personnel executing Atomic Red Team, MITRE Caldera, or manual adversary simulation tests against endpoints during authorized purple team exercises.
Help desk or remote support tools (e.g., ConnectWise, TeamViewer) that spawn scripting interpreters under the user session parent hierarchy to execute diagnostic or remediation scripts.

Sumo Logic CSE

sql

(_sourceCategory=*windows* OR _sourceCategory=*sysmon* OR _sourceCategory=*endpoint*)
| where _raw matches /EventCode=1|EventID.*=.*1|event_simpleName.*ProcessRollup/
| parse regex field=_raw "(?:ParentImage|ParentProcessName)[\":\s=]+(?P<parent_image>[^\"\s<>\n]+)" nodrop
| parse regex field=_raw "(?:^|[\s,\"])(?:Image|ProcessName|process_name)[\":\s=]+(?P<process_image>[^\"\s<>\n]+)" nodrop
| parse regex field=_raw "(?:CommandLine|ProcessCommandLine|command_line)[\":\s=]+(?P<cmdline>[^\n<]{1,2048})" nodrop
| parse regex field=_raw "(?:User|username)[\":\s=]+(?P<username>[^\"\s<>\n]+)" nodrop
| where (
    (
      parent_image matches /(?i)(\\|\/)explorer\.exe(\"|$|\s)/
      AND process_image matches /(?i)(\\|\/)?(powershell|pwsh|cmd|mshta|wscript|cscript)\.exe(\"|$|\s)/
    )
    OR (
      parent_image matches /(?i)(\\|\/)(chrome|firefox|msedge|iexplore|brave)\.exe(\"|$|\s)/
      AND process_image matches /(?i)(\\|\/)?(powershell|pwsh|cmd|mshta)\.exe(\"|$|\s)/
    )
    OR (
      process_image matches /(?i)(\\|\/)?(mshta|wscript)\.exe(\"|$|\s)/
      AND parent_image matches /(?i)(\\|\/)(explorer|chrome|firefox|msedge|iexplore|brave)\.exe(\"|$|\s)/
    )
  )
| where cmdline matches /(?i)(DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest|\bIWR\s|\bcurl\s|\bwget\s|certutil.*urlcache|bitsadmin.*transfer|-EncodedCommand|-enc\s|FromBase64String|Invoke-Expression|IEX[(\s]|javascript:|vbscript:|msiexec.*https?:\/\/|regsvr32.*\/i:https?:\/\/)/
| eval RunDialogExecution = if (parent_image matches /(?i)explorer\.exe/, "true", "false")
| eval BrowserSpawn = if (parent_image matches /(?i)(chrome|firefox|msedge|iexplore|brave)\.exe/, "true", "false")
| eval DownloadCradle = if (cmdline matches /(?i)(DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest|certutil.*urlcache|bitsadmin.*transfer|\bcurl\s|\bwget\s)/, "true", "false")
| eval EncodedPayload = if (cmdline matches /(?i)(-EncodedCommand|-enc\s|FromBase64String)/, "true", "false")
| eval InlineScript = if (cmdline matches /(?i)(javascript:|vbscript:)/, "true", "false")
| eval InvokeExpression = if (cmdline matches /(?i)(Invoke-Expression|IEX[(\s])/, "true", "false")
| eval RemoteExec = if (cmdline matches /(?i)(msiexec.*https?:\/\/|regsvr32.*\/i:https?:\/\/)/, "true", "false")
| eval ClickFixScore = (if(RunDialogExecution=="true",1,0)) + (if(BrowserSpawn=="true",1,0)) + (if(DownloadCradle=="true",1,0)) + (if(EncodedPayload=="true",1,0)) + (if(InlineScript=="true",1,0)) + (if(InvokeExpression=="true",1,0)) + (if(RemoteExec=="true",1,0))
| fields _messagetime, _sourceHost, username, parent_image, process_image, cmdline, RunDialogExecution, BrowserSpawn, DownloadCradle, EncodedPayload, InlineScript, InvokeExpression, RemoteExec, ClickFixScore
| sort by ClickFixScore desc, _messagetime desc

high severity high confidence

Data Sources

Sumo Logic Installed Collector with Windows Event Source collecting Microsoft-Windows-Sysmon/Operational Sumo Logic Cloud-to-Cloud Source ingesting Windows endpoints via Sysmon + WEF

Required Tables

Windows Sysmon Event ID 1 (Process Create) logs via Sumo Logic Installed Collector

False Positives

IT automation workflows where SCCM task sequences or Group Policy scripts trigger PowerShell download cradles through user-context processes, particularly during OS provisioning or patch deployment windows.
Developer workstations where browser-based IDEs (e.g., GitHub Codespaces local companion, VS Code Live Share browser component) spawn local PowerShell with encoded parameters for workspace synchronization.
Security testing using Atomic Red Team T1204.004 tests or manual simulation as part of scheduled red team exercises — these will match all behavioral indicators and receive maximum ClickFixScore.
Help desk macros or IT runbook tools that construct encoded PowerShell commands programmatically and execute them in the user session context, generating high scores without malicious intent.

Google Chronicle / SecOps

yaral

rule t1204_004_clickfix_malicious_copypaste {
  meta:
    author = "df00tech"
    description = "Detects ClickFix / Malicious Copy-Paste (T1204.004): scripting interpreters spawned from the Windows Run dialog or browsers with download cradles, encoded payloads, or inline script execution patterns"
    mitre_attack_technique = "T1204.004"
    mitre_attack_tactic = "Execution"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1204/004/"
    severity = "HIGH"
    confidence = "HIGH"
    version = "1.1"
    created = "2026-04-19"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      // Branch 1: Run dialog (explorer.exe) spawning scripting tools with malicious cmdline
      (
        re.regex($e.principal.process.file.full_path, `(?i)\\explorer\.exe$`) and
        re.regex($e.target.process.file.full_path, `(?i)\\(powershell|pwsh|cmd|mshta|wscript|cscript)\.exe$`) and
        re.regex($e.target.process.command_line, `(?i)(DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest|\bIWR\s|\bcurl\s|\bwget\s|certutil.*urlcache|bitsadmin.*transfer|-EncodedCommand|-enc\s|FromBase64String|Invoke-Expression|IEX[\(\s]|javascript:|vbscript:|msiexec.*https?:|regsvr32.*/i:https?:)`)
      ) or
      // Branch 2: Browser spawning scripting tools with malicious cmdline (fake CAPTCHA lure)
      (
        re.regex($e.principal.process.file.full_path, `(?i)\\(chrome|firefox|msedge|iexplore|brave)\.exe$`) and
        re.regex($e.target.process.file.full_path, `(?i)\\(powershell|pwsh|cmd|mshta)\.exe$`) and
        re.regex($e.target.process.command_line, `(?i)(DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest|\bIWR\s|\bcurl\s|\bwget\s|certutil.*urlcache|bitsadmin.*transfer|-EncodedCommand|-enc\s|FromBase64String|Invoke-Expression|IEX[\(\s])`)
      ) or
      // Branch 3: mshta/wscript with inline scripts or remote URLs from user-context parents
      (
        re.regex($e.target.process.file.full_path, `(?i)\\(mshta|wscript)\.exe$`) and
        re.regex($e.principal.process.file.full_path, `(?i)\\(explorer|chrome|firefox|msedge|iexplore|brave)\.exe$`) and
        re.regex($e.target.process.command_line, `(?i)(javascript:|vbscript:|https?://)`)
      )
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle with Windows endpoint telemetry via Chronicle Forwarder or Google Security Operations SIEM Sysmon logs normalized to UDM via Chronicle ingestion parser (microsoft_windows_sysmon) Microsoft Defender for Endpoint events forwarded to Chronicle via connector

Required Tables

UDM events with metadata.event_type = PROCESS_LAUNCH principal.process.file.full_path (parent process path) target.process.file.full_path (spawned process path) target.process.command_line (full command line of spawned process)

False Positives

Software deployment tools that run as SYSTEM but spawn processes in user context where the process lineage appears as explorer.exe → PowerShell with download arguments (common with Microsoft Intune Win32 app deployments wrapping scripts).
Browser extensions with native messaging hosts that invoke local PowerShell or script interpreters — the browser is the parent process and the extension may pass configuration data as base64-encoded arguments.
Legitimate mshta.exe use for HTML Application (.hta) files distributed via intranet portals, where the file reference is served over HTTPS from internal corporate infrastructure.
Automated testing pipelines (Selenium, Playwright test harnesses) that drive browser instances which in turn spawn local helper scripts as part of end-to-end UI test automation.

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| ParentBaseFileName = /^(explorer\.exe|chrome\.exe|firefox\.exe|msedge\.exe|iexplore\.exe|brave\.exe)$/i
| ImageFileName = /\\(powershell\.exe|pwsh\.exe|cmd\.exe|mshta\.exe|wscript\.exe|cscript\.exe)$/i
| CommandLine = /(?i)(DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest|\bIWR\s|\bcurl\s|\bwget\s|certutil.*urlcache|bitsadmin.*transfer|-EncodedCommand|-enc\s|FromBase64String|Invoke-Expression|IEX[\(\s]|javascript:|vbscript:|msiexec.*https?:|regsvr32.*\/i:https?:)/
| RunDialogExecution := case {
    ParentBaseFileName = /(?i)^explorer\.exe$/, "true";
    default, "false"
  }
| BrowserSpawn := case {
    ParentBaseFileName = /(?i)(chrome|firefox|msedge|iexplore|brave)\.exe/, "true";
    default, "false"
  }
| DownloadCradle := case {
    CommandLine = /(?i)(DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest|certutil.*urlcache|bitsadmin.*transfer|\bcurl\s|\bwget\s)/, "true";
    default, "false"
  }
| EncodedPayload := case {
    CommandLine = /(?i)(-EncodedCommand|-enc\s|FromBase64String)/, "true";
    default, "false"
  }
| InlineScript := case {
    CommandLine = /(?i)(javascript:|vbscript:)/, "true";
    default, "false"
  }
| InvokeExpression := case {
    CommandLine = /(?i)(Invoke-Expression|IEX[\(\s])/, "true";
    default, "false"
  }
| RemoteExec := case {
    CommandLine = /(?i)(msiexec.*https?:\/\/|regsvr32.*\/i:https?:\/\/)/, "true";
    default, "false"
  }
| ClickFixScore := (if(RunDialogExecution=="true", 1, 0)) + (if(BrowserSpawn=="true", 1, 0)) + (if(DownloadCradle=="true", 1, 0)) + (if(EncodedPayload=="true", 1, 0)) + (if(InlineScript=="true", 1, 0)) + (if(InvokeExpression=="true", 1, 0)) + (if(RemoteExec=="true", 1, 0))
| select([_time, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, ParentCommandLine, RunDialogExecution, BrowserSpawn, DownloadCradle, EncodedPayload, InlineScript, InvokeExpression, RemoteExec, ClickFixScore])
| sort(field=[ClickFixScore, _time], order=[desc, desc])

high severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Protection with Process execution telemetry enabled Falcon Data Replicator (FDR) or Falcon LogScale (Humio) SIEM connector ingesting ProcessRollup2 events

Required Tables

ProcessRollup2 events (#event_simpleName=ProcessRollup2) Fields: ParentBaseFileName, ImageFileName, CommandLine, ParentCommandLine, ComputerName, UserName

False Positives

CrowdStrike Falcon sensor updates or CrowdStrike-initiated remediation actions that spawn PowerShell with download parameters under the Falcon agent context, which may surface explorer.exe as the effective parent in certain Windows process inheritance scenarios.
Enterprise software vendors (e.g., Citrix Workspace, VMware Horizon) whose browser integration components spawn local PowerShell or script helpers from the browser parent process with connection configuration passed as encoded arguments.
Legitimate software packaging workflows using tools like Chocolatey or Scoop where a developer pastes installation one-liners (e.g., Set-ExecutionPolicy Bypass -Scope Process -Force; iex ((New-Object System.Net.WebClient).DownloadString(...))) from vendor documentation into Run or a terminal.
Security awareness training platforms that simulate ClickFix lure pages in controlled environments to test user susceptibility — these produce real execution events matching all ClickFix indicators.

Last updated: 2026-04-19 Research depth: deep

References (8)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1204.004 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Parent Technique

T1204User Execution

Related Sub-techniques

T1204.001Malicious Link T1204.002Malicious File T1204.003Malicious Image T1204.005Malicious Library

Malicious Copy and Paste

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Execution

Popular Detections