Query Details

Malicious PowerShell Executions From Clipboard Copy-and-Paste

Power Shell Executions From Clipboard

Query

let clipboardEvents = 
    DeviceEvents
    | where ActionType contains "GetClipboardData" 
    and InitiatingProcessFileName contains "explorer.exe";
let powershellEvents = 
    DeviceProcessEvents
    | where (FileName contains "powershell.exe" and (ProcessCommandLine contains "hidden") and ProcessCommandLine contains "http" and ProcessCommandLine !contains "http://localhost") or (FileName contains "mshta.exe" and ProcessCommandLine contains "http" and ProcessCommandLine !contains "http://localhost");
clipboardEvents
| join kind=inner (powershellEvents) on DeviceName
| where abs(datetime_diff('minute', TimeGenerated, TimeGenerated1)) <= 1
| summarize by DeviceName

About this query

Explanation

This query is designed to detect potential malicious activity involving PowerShell scripts that are executed as a result of a social engineering attack using fake CAPTCHA or bot verification techniques. Here's a simple breakdown of what the query does:

  1. Objective: The query aims to identify instances where a user is tricked into copying and pasting a malicious PowerShell command from a website, which then executes on their device.

  2. Technique: The attack leverages a fake CAPTCHA or bot verification prompt to deceive users into executing a harmful script.

  3. Detection Method:

    • The query looks for two types of events:
      • Clipboard Access: It checks for events where clipboard data is accessed by the "explorer.exe" process. This indicates that something was copied to the clipboard.
      • PowerShell Execution: It searches for PowerShell or mshta.exe processes that run commands containing "http" (indicating a web request) but not "http://localhost" (to exclude local testing), and where the command is hidden.
    • It then correlates these events by matching them on the same device and ensuring they occur within one minute of each other.
  4. Output: The query lists devices where both clipboard access and suspicious PowerShell execution occur in close succession, suggesting a possible malicious activity.

  5. Purpose: This helps security teams identify and respond to potential threats where users are tricked into executing harmful scripts, thereby enhancing the organization's cybersecurity posture.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: January 22, 2025

Tables

DeviceEventsDeviceProcessEvents

Keywords

Devices

Operators

letcontainsandor!containsjoinonwhereabsdatetime_diff<=summarizeby

MITRE Techniques

Actions

GitHub