Detect Malicious Copy and Paste in Google Chronicle
Adversaries may rely on a user copying and pasting code to gain execution (ClickFix). Victims are presented with fake error messages, CAPTCHA prompts, or troubleshooting instructions on malicious websites or in phishing emails that instruct them to open a terminal, the Windows Run dialog, or a command prompt and paste a pre-supplied command. The pasted command typically includes download cradles, encoded payloads, or inline scripts designed to establish a foothold on the victim machine. ClickFix sidesteps email attachment filtering, browser sandboxing, and file execution controls because the user, not a delivered file, launches the payload. Campaigns including Contagious Interview (DPRK-linked), Havoc C2 operators, and Lumma Stealer distribution have heavily leveraged this technique against enterprise users.
MITRE ATT&CK
- Tactic: Execution
- Technique: T1204 User Execution
- Sub-technique: T1204.004 Malicious Copy and Paste
- Canonical reference: https://attack.mitre.org/techniques/T1204/004/
YARA-L Detection Query
    rule t1204_004_clickfix_malicious_copypaste {
      meta:
        author = "df00tech"
        description = "Detects ClickFix / Malicious Copy-Paste (T1204.004): scripting interpreters spawned from the Windows Run dialog or browsers with download cradles, encoded payloads, or inline script execution patterns"
        mitre_attack_technique = "T1204.004"
        mitre_attack_tactic = "Execution"
        mitre_attack_url = "https://attack.mitre.org/techniques/T1204/004/"
        severity = "HIGH"
        confidence = "HIGH"
        version = "1.1"
        created = "2026-04-19"

      events:
        $e.metadata.event_type = "PROCESS_LAUNCH"
        (
          // Branch 1: Run dialog (explorer.exe) spawning scripting tools with malicious cmdline
          (
            re.regex($e.principal.process.file.full_path, `(?i)\\explorer\.exe$`) and
            re.regex($e.target.process.file.full_path, `(?i)\\(powershell|pwsh|cmd|mshta|wscript|cscript)\.exe$`) and
            re.regex($e.target.process.command_line, `(?i)(DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest|\bIWR\s|\bcurl\s|\bwget\s|certutil.*urlcache|bitsadmin.*transfer|-EncodedCommand|-enc\s|FromBase64String|Invoke-Expression|IEX[\(\s]|javascript:|vbscript:|msiexec.*https?:|regsvr32.*/i:https?:)`)
          ) or
          // Branch 2: Browser spawning scripting tools with malicious cmdline (fake CAPTCHA lure)
          (
            re.regex($e.principal.process.file.full_path, `(?i)\\(chrome|firefox|msedge|iexplore|brave)\.exe$`) and
            re.regex($e.target.process.file.full_path, `(?i)\\(powershell|pwsh|cmd|mshta)\.exe$`) and
            re.regex($e.target.process.command_line, `(?i)(DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest|\bIWR\s|\bcurl\s|\bwget\s|certutil.*urlcache|bitsadmin.*transfer|-EncodedCommand|-enc\s|FromBase64String|Invoke-Expression|IEX[\(\s])`)
          ) or
          // Branch 3: mshta/wscript with inline scripts or remote URLs from user-context parents
          (
            re.regex($e.target.process.file.full_path, `(?i)\\(mshta|wscript)\.exe$`) and
            re.regex($e.principal.process.file.full_path, `(?i)\\(explorer|chrome|firefox|msedge|iexplore|brave)\.exe$`) and
            re.regex($e.target.process.command_line, `(?i)(javascript:|vbscript:|https?://)`)
          )
        )

      condition:
        $e
    }

Chronicle YARA-L 2.0 rule detecting ClickFix / Malicious Copy-Paste (T1204.004) via PROCESS_LAUNCH UDM events. Three branches: (1) Windows Run dialog (explorer.exe) spawning scripting interpreters with download cradles or encoded execution; (2) browsers spawning scripting interpreters with the same malicious command patterns, indicating fake CAPTCHA or error page lures; (3) mshta.exe or wscript.exe launched from user-context parents with inline javascript:/vbscript: handlers or remote HTTP URLs. Matches Contagious Interview, Havoc C2, and Lumma Stealer distribution TTPs.
False Positives & Tuning
- Software deployment tools that run as SYSTEM but spawn processes in user context where the process lineage appears as explorer.exe → PowerShell with download arguments (common with Microsoft Intune Win32 app deployments wrapping scripts).
- Browser extensions with native messaging hosts that invoke local PowerShell or script interpreters — the browser is the parent process and the extension may pass configuration data as base64-encoded arguments.
- Legitimate mshta.exe use for HTML Application (.hta) files distributed via intranet portals, where the file reference is served over HTTPS from internal corporate infrastructure.
- Automated testing pipelines (Selenium, Playwright test harnesses) that drive browser instances which in turn spawn local helper scripts as part of end-to-end UI test automation.
Testing Methodology
Validate this detection against the four Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: ClickFix Run Dialog PowerShell Download Cradle Simulation
  Expected signal: Sysmon Event ID 1: Image=powershell.exe, CommandLine containing 'Net.WebClient', 'DownloadString', and 'IEX'. If executed via Win+R: ParentImage=explorer.exe, Sysmon Event ID 13 (Registry Value Set) on HKCU\...\Explorer\RunMRU containing the pasted command. Sysmon Event ID 3 (Network Connection) attempt to 127.0.0.1:8080 (connection refused, but event fires). PowerShell ScriptBlock Log Event ID 4104 with script content.
- Test 2: ClickFix mshta Inline JavaScript Execution
  Expected signal: Sysmon Event ID 1: Image=mshta.exe, CommandLine containing 'javascript:' and 'ActiveXObject' and 'WScript.Shell'. Sysmon Event ID 1 child: cmd.exe spawned by mshta.exe with CommandLine 'cmd.exe /c echo ClickFix-AtomicTest > ...'. Sysmon Event ID 11 (File Create): %TEMP%\clickfix_test.txt. If via Win+R: Sysmon Event ID 13 (Registry Value Set) on RunMRU key.
- Test 3: ClickFix Base64-Encoded PowerShell via Run Dialog
  Expected signal: Sysmon Event ID 1: Image=powershell.exe, CommandLine containing '-EncodedCommand dwBoAG8AYQBtAGkA'. If executed via Win+R: ParentImage=explorer.exe; Sysmon Event ID 13 (Registry Value Set) on HKCU\...\Explorer\RunMRU with the encoded command string. PowerShell ScriptBlock Log Event ID 4104 shows decoded content 'whoami'. The encoded value 'dwBoAG8AYQBtAGkA' decodes from UTF-16LE Base64 to 'whoami'.
- Test 4: ClickFix msiexec Remote Package Execution
  Expected signal: Sysmon Event ID 1: cmd.exe with CommandLine containing 'msiexec /i https://'. Sysmon Event ID 1 child: msiexec.exe with CommandLine containing 'https://127.0.0.1:8443/clickfix-payload.msi' and '/qn'. Sysmon Event ID 3: Network connection attempt to 127.0.0.1:8443 (will fail, no listener). If run via Win+R: Sysmon Event ID 13 on RunMRU key.
References
- https://attack.mitre.org/techniques/T1204/004/
- https://www.proofpoint.com/us/blog/threat-insight/security-brief-clickfix-social-engineering-technique-floods-threat-landscape
- https://www.reliaquest.com/blog/using-captcha-for-compromise/
- https://www.cloudsek.com/blog/unmasking-the-danger-lumma-stealer-malware-exploits-fake-captcha-pages
- https://blog.sekoia.io/clickfake-interview-campaign-by-lazarus/
- https://asec.ahnlab.com/en/73952/
- https://asec.ahnlab.com/en/85699/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.004/T1204.004.md