T1204.004 Microsoft Sentinel · KQL

Detect Malicious Copy and Paste in Microsoft Sentinel

Adversaries may rely upon a user copying and pasting code to gain execution (ClickFix). Victims are presented with fake error messages, CAPTCHA prompts, or troubleshooting instructions on malicious websites or in phishing emails that instruct them to open a terminal, Windows Run dialog, or command prompt and paste a pre-supplied command. The pasted command typically includes download cradles, encoded payloads, or inline scripts designed to establish a foothold on the victim machine. ClickFix bypasses email filtering, browser sandboxing, and file execution controls because the user themselves executes the payload. Threat actors including Contagious Interview (DPRK-linked), Havoc C2 operators, and Lumma Stealer distribution campaigns have heavily leveraged this technique against enterprise users.

MITRE ATT&CK

Tactic
Execution
Technique
T1204 User Execution
Sub-technique
T1204.004 Malicious Copy and Paste
Canonical reference
https://attack.mitre.org/techniques/T1204/004/

KQL Detection Query

Microsoft Sentinel (KQL)
let SuspiciousInterpreters = dynamic(["powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"]);
let ClickFixPatterns = dynamic([
    // Download cradles
    "DownloadString", "DownloadFile", "Net.WebClient", "Invoke-WebRequest", "IWR ",
    "curl ", "wget ", "certutil -urlcache", "bitsadmin /transfer",
    // Execution and obfuscation
    "-EncodedCommand", "-enc ", "Invoke-Expression", "IEX(", "IEX ",
    "FromBase64String",
    // Inline execution patterns (mshta/wscript)
    "javascript:", "vbscript:",
    // Direct HTTP payload execution
    "msiexec /i http", "msiexec /i https",
    "regsvr32 /s /n /u /i:http"
]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where (
    // Branch 1: Run Dialog — explorer.exe spawning scripting tools with malicious command patterns
    (InitiatingProcessFileName =~ "explorer.exe"
        and FileName in~ (SuspiciousInterpreters)
        and ProcessCommandLine has_any (ClickFixPatterns))
    // Branch 2: Browser spawning script interpreters with malicious patterns (fake CAPTCHA page)
    or (InitiatingProcessFileName in~ ("chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe", "brave.exe")
        and FileName in~ (SuspiciousInterpreters)
        and ProcessCommandLine has_any (ClickFixPatterns))
    // Branch 3: mshta/wscript executing inline scripts or fetching remote content from user-context parents
    or (FileName in~ ("mshta.exe", "wscript.exe")
        and ProcessCommandLine has_any ("javascript:", "vbscript:", "http://", "https://")
        and InitiatingProcessFileName in~ ("explorer.exe", "chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe", "brave.exe"))
)
| extend RunDialogExecution = InitiatingProcessFileName =~ "explorer.exe"
| extend BrowserSpawn = InitiatingProcessFileName in~ ("chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe", "brave.exe")
| extend InlineScript = ProcessCommandLine has_any ("javascript:", "vbscript:")
| extend DownloadCradle = ProcessCommandLine has_any ("DownloadString", "DownloadFile", "Net.WebClient", "Invoke-WebRequest", "IWR ", "curl ", "certutil -urlcache", "bitsadmin /transfer")
| extend EncodedPayload = ProcessCommandLine has_any ("-EncodedCommand", "-enc ", "FromBase64String")
| extend InvokeExpression = ProcessCommandLine has_any ("IEX(", "IEX ", "Invoke-Expression")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         RunDialogExecution, BrowserSpawn, InlineScript, DownloadCradle, EncodedPayload, InvokeExpression
| sort by Timestamp desc
Severity: High · Confidence: High

Detects ClickFix-style malicious copy-and-paste execution using Microsoft Defender for Endpoint DeviceProcessEvents. Three detection branches: (1) explorer.exe spawning scripting interpreters with download cradles or encoded payloads — the strongest indicator of Run Dialog clipboard paste execution; (2) browser processes spawning scripting tools with malicious patterns, capturing fake CAPTCHA page variants; (3) mshta.exe or wscript.exe executing inline JavaScript/VBScript or fetching remote URLs when spawned by user-context processes. Boolean flags on each event allow downstream correlation and severity scoring.

Data Sources

Process: Process Creation
Command: Command Execution
Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives & Tuning

  • IT administrators opening PowerShell from Run dialog (Win+R → powershell) for legitimate admin tasks — suppress by allowlisting specific known-good command line patterns tied to documented admin workflows
  • Software installation scripts that launch PowerShell from explorer.exe context during user-initiated installs (e.g., clicking a setup.exe in Explorer that chains to PowerShell)
  • Browser native messaging hosts spawned by browser extensions for legitimate inter-process communication — these typically lack download cradle patterns but may share the browser-parent signal
  • Enterprise HTA applications (mshta.exe) that fetch content over HTTP from internal corporate servers — allowlist by internal IP/domain ranges in the ProcessCommandLine filter

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: ClickFix Run Dialog PowerShell Download Cradle Simulation

    Expected signal: Sysmon Event ID 1: Image=powershell.exe, CommandLine containing 'Net.WebClient', 'DownloadString', and 'IEX'. If executed via Win+R: ParentImage=explorer.exe, Sysmon Event ID 13 (Registry Value Set) on HKCU\...\Explorer\RunMRU containing the pasted command. Sysmon Event ID 3 (Network Connection) attempt to 127.0.0.1:8080 (connection refused, but event fires). PowerShell ScriptBlock Log Event ID 4104 with script content.

  2. Test 2: ClickFix mshta Inline JavaScript Execution

    Expected signal: Sysmon Event ID 1: Image=mshta.exe, CommandLine containing 'javascript:' and 'ActiveXObject' and 'WScript.Shell'. Sysmon Event ID 1 child: cmd.exe spawned by mshta.exe with CommandLine 'cmd.exe /c echo ClickFix-AtomicTest > ...'. Sysmon Event ID 11 (File Create): %TEMP%\clickfix_test.txt. If via Win+R: Sysmon Event ID 13 (Registry Value Set) on RunMRU key.

  3. Test 3: ClickFix Base64-Encoded PowerShell via Run Dialog

    Expected signal: Sysmon Event ID 1: Image=powershell.exe, CommandLine containing '-EncodedCommand dwBoAG8AYQBtAGkA'. If executed via Win+R: ParentImage=explorer.exe; Sysmon Event ID 13 (Registry Value Set) on HKCU\...\Explorer\RunMRU with the encoded command string. PowerShell ScriptBlock Log Event ID 4104 shows decoded content 'whoami'. The encoded value 'dwBoAG8AYQBtAGkA' decodes from UTF-16LE Base64 to 'whoami'.

  4. Test 4: ClickFix msiexec Remote Package Execution

    Expected signal: Sysmon Event ID 1: cmd.exe with CommandLine containing 'msiexec /i https://'. Sysmon Event ID 1 child: msiexec.exe with CommandLine containing 'https://127.0.0.1:8443/clickfix-payload.msi' and '/qn'. Sysmon Event ID 3: Network connection attempt to 127.0.0.1:8443 (will fail, no listener). If run via Win+R: Sysmon Event ID 13 on RunMRU key.
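The three detection branches described under the KQL query and the expected signals from the tests above can be exercised offline with this added Python harness (example code written for this page, not part of the Sentinel rule or any project). The sample rows are constructed, and KQL's term-based has_any is approximated by a case-insensitive substring test.

```python
import base64
import re

# Pattern lists mirror the KQL above; has_any is approximated as a case-insensitive substring test.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe", "brave.exe"}
CRADLES = ("DownloadString", "DownloadFile", "Net.WebClient", "Invoke-WebRequest", "IWR ",
           "curl ", "certutil -urlcache", "bitsadmin /transfer")
ENCODED = ("-EncodedCommand", "-enc ", "FromBase64String")
IEX = ("IEX(", "IEX ", "Invoke-Expression")
INLINE = ("javascript:", "vbscript:")
ALL = CRADLES + ENCODED + IEX + INLINE + ("wget ", "msiexec /i http", "regsvr32 /s /n /u /i:http")

def has_any(cmd, patterns):
    return any(p.lower() in cmd.lower() for p in patterns)

def decode_encoded_command(cmd):
    # -EncodedCommand / -enc carries UTF-16LE text as Base64 (see Test 3 above)
    m = re.search(r"-(?:encodedcommand|enc)\s+([A-Za-z0-9+/=]+)", cmd, re.I)
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le") if m else None
    except (ValueError, UnicodeDecodeError):
        return None

def evaluate(event):
    # Apply the three KQL branches to one DeviceProcessEvents-shaped row; None if no match
    parent, child, cmd = (event["InitiatingProcessFileName"].lower(),
                          event["FileName"].lower(), event["ProcessCommandLine"])
    user_parent = parent == "explorer.exe" or parent in BROWSERS
    branch12 = user_parent and child in INTERPRETERS and has_any(cmd, ALL)  # branches 1 and 2
    branch3 = (user_parent and child in ("mshta.exe", "wscript.exe")
               and has_any(cmd, INLINE + ("http://", "https://")))
    if not (branch12 or branch3):
        return None
    return {"RunDialogExecution": parent == "explorer.exe", "BrowserSpawn": parent in BROWSERS,
            "InlineScript": has_any(cmd, INLINE), "DownloadCradle": has_any(cmd, CRADLES),
            "EncodedPayload": has_any(cmd, ENCODED), "InvokeExpression": has_any(cmd, IEX),
            "DecodedCommand": decode_encoded_command(cmd)}

# Constructed rows modelled on Tests 3 and 2 above, plus one benign admin launch that must not fire.
SAMPLES = [
    {"InitiatingProcessFileName": "explorer.exe", "FileName": "powershell.exe",
     "ProcessCommandLine": "powershell.exe -EncodedCommand dwBoAG8AYQBtAGkA"},
    {"InitiatingProcessFileName": "msedge.exe", "FileName": "mshta.exe",
     "ProcessCommandLine": "mshta.exe javascript:close()"},
    {"InitiatingProcessFileName": "explorer.exe", "FileName": "powershell.exe",
     "ProcessCommandLine": "powershell.exe Get-ChildItem C:\\Logs"},
]

def detect(events):
    return [(i, flags) for i, e in enumerate(events) if (flags := evaluate(e))]
```

Run `detect(SAMPLES)` to see which rows fire and which flags the query would set; the decoded -EncodedCommand value is what the 4104 ScriptBlock log from Test 3 should show.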
