T1204.004 Elastic Security · Elastic

Detect Malicious Copy and Paste in Elastic Security

Adversaries may rely upon a user copying and pasting code to gain execution (ClickFix). Victims are presented with fake error messages, CAPTCHA prompts, or troubleshooting instructions on malicious websites or in phishing emails that instruct them to open a terminal, Windows Run dialog, or command prompt and paste a pre-supplied command. The pasted command typically includes download cradles, encoded payloads, or inline scripts designed to establish a foothold on the victim machine. ClickFix bypasses email filtering, browser sandboxing, and file execution controls because the user themselves executes the payload. Threat actors including Contagious Interview (DPRK-linked), Havoc C2 operators, and Lumma Stealer distribution campaigns have heavily leveraged this technique against enterprise users.

MITRE ATT&CK

Tactic
Execution
Technique
T1204 User Execution
Sub-technique
T1204.004 Malicious Copy and Paste
Canonical reference
https://attack.mitre.org/techniques/T1204/004/

Elastic Detection Query

Elastic Security (Elastic)
eql 
process where event.type == "start" and
(
  (
    process.parent.name : "explorer.exe" and
    process.name : ("powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe") and
    process.command_line : (
      "*DownloadString*", "*DownloadFile*", "*Net.WebClient*", "*Invoke-WebRequest*",
      "*IWR *", "*curl *", "*wget *", "*certutil*urlcache*", "*bitsadmin*transfer*",
      "*-EncodedCommand*", "*-enc *", "*Invoke-Expression*", "*IEX(*", "*IEX *",
      "*FromBase64String*", "*javascript:*", "*vbscript:*",
      "*msiexec* http*", "*msiexec* https*", "*regsvr32*/i:http*"
    )
  ) or
  (
    process.parent.name : ("chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe", "brave.exe") and
    process.name : ("powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe") and
    process.command_line : (
      "*DownloadString*", "*DownloadFile*", "*Net.WebClient*", "*Invoke-WebRequest*",
      "*IWR *", "*curl *", "*wget *", "*certutil*urlcache*", "*bitsadmin*transfer*",
      "*-EncodedCommand*", "*-enc *", "*Invoke-Expression*", "*IEX(*", "*IEX *",
      "*FromBase64String*"
    )
  ) or
  (
    process.name : ("mshta.exe", "wscript.exe") and
    process.parent.name : ("explorer.exe", "chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe", "brave.exe") and
    process.command_line : ("*javascript:*", "*vbscript:*", "*http://*", "*https://*")
  )
)
high severity high confidence

Detects ClickFix / Malicious Copy-Paste (T1204.004) execution patterns where adversaries instruct victims to paste commands into the Windows Run dialog or a terminal. Three branches cover: (1) explorer.exe (Run dialog) spawning scripting interpreters with download cradles, encoded payloads, or inline execution patterns; (2) browsers spawning scripting tools with the same malicious command patterns, indicating fake CAPTCHA or error page lures; (3) mshta.exe or wscript.exe launched from user-context parents with inline javascript:/vbscript: handlers or remote HTTP references.

Data Sources

Elastic Endpoint Security (endpoint.events.process)Winlogbeat with Sysmon (winlogbeat-*)Elastic Agent process events

Required Tables

logs-endpoint.events.process-*winlogbeat-*

False Positives & Tuning

  • IT administrators running PowerShell download cradles via Run dialog for legitimate software deployment or patching tasks (e.g., downloading SCCM client, running PDQ Deploy scripts).
  • Developers using browser-embedded terminals or cloud shell extensions (e.g., Azure Cloud Shell browser tab) that spawn local PowerShell with encoded commands for scaffolding or build tasks.
  • Security team members executing encoded or download-based PowerShell during authorized red team exercises, atomic testing (Atomic Red Team), or detection validation against endpoints.
  • Legitimate software installers that use certutil.exe or bitsadmin.exe to download update packages, particularly common with enterprise software that chains browser download to native installer execution.
Download portable Sigma rule (.yml)

Other platforms for T1204.004

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1ClickFix Run Dialog PowerShell Download Cradle Simulation

    Expected signal: Sysmon Event ID 1: Image=powershell.exe, CommandLine containing 'Net.WebClient', 'DownloadString', and 'IEX'. If executed via Win+R: ParentImage=explorer.exe, Sysmon Event ID 13 (Registry Value Set) on HKCU\...\Explorer\RunMRU containing the pasted command. Sysmon Event ID 3 (Network Connection) attempt to 127.0.0.1:8080 (connection refused, but event fires). PowerShell ScriptBlock Log Event ID 4104 with script content.

  2. Test 2ClickFix mshta Inline JavaScript Execution

    Expected signal: Sysmon Event ID 1: Image=mshta.exe, CommandLine containing 'javascript:' and 'ActiveXObject' and 'WScript.Shell'. Sysmon Event ID 1 child: cmd.exe spawned by mshta.exe with CommandLine 'cmd.exe /c echo ClickFix-AtomicTest > ...'. Sysmon Event ID 11 (File Create): %TEMP%\clickfix_test.txt. If via Win+R: Sysmon Event ID 13 (Registry Value Set) on RunMRU key.

  3. Test 3ClickFix Base64-Encoded PowerShell via Run Dialog

    Expected signal: Sysmon Event ID 1: Image=powershell.exe, CommandLine containing '-EncodedCommand dwBoAG8AYQBtAGkA'. If executed via Win+R: ParentImage=explorer.exe; Sysmon Event ID 13 (Registry Value Set) on HKCU\...\Explorer\RunMRU with the encoded command string. PowerShell ScriptBlock Log Event ID 4104 shows decoded content 'whoami'. The encoded value 'dwBoAG8AYQBtAGkA' decodes from UTF-16LE Base64 to 'whoami'.

  4. Test 4ClickFix msiexec Remote Package Execution

    Expected signal: Sysmon Event ID 1: cmd.exe with CommandLine containing 'msiexec /i https://'. Sysmon Event ID 1 child: msiexec.exe with CommandLine containing 'https://127.0.0.1:8443/clickfix-payload.msi' and '/qn'. Sysmon Event ID 3: Network connection attempt to 127.0.0.1:8443 (will fail, no listener). If run via Win+R: Sysmon Event ID 13 on RunMRU key.

Last updated: 2026-04-19 Research depth: deep
References (8)

Unlock Pro Content

Get the full detection package for T1204.004 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1204User Execution

Related Sub-techniques

T1204.001Malicious LinkT1204.002Malicious FileT1204.003Malicious ImageT1204.005Malicious Library

Related Techniques

T1204User ExecutionT1204.002Malicious FileT1189Drive-by CompromiseT1566.002Spearphishing LinkT1059.001PowerShellT1059.003Windows Command ShellT1218.005MshtaT1105Ingress Tool TransferT1552.001Credentials In FilesT1027Obfuscated Files or InformationT1218.010Regsvr32

Same Tactic: Execution

Popular Detections