Malicious PowerShell Executions From Clipboard Copy-and-Paste
Power Shell Executions From Clipboard
Query
let clipboardEvents =
DeviceEvents
| where ActionType contains "GetClipboardData"
and InitiatingProcessFileName contains "explorer.exe";
let powershellEvents =
DeviceProcessEvents
| where (FileName contains "powershell.exe" and (ProcessCommandLine contains "hidden") and ProcessCommandLine contains "http" and ProcessCommandLine !contains "http://localhost") or (FileName contains "mshta.exe" and ProcessCommandLine contains "http" and ProcessCommandLine !contains "http://localhost");
clipboardEvents
| join kind=inner (powershellEvents) on DeviceName
| where abs(datetime_diff('minute', TimeGenerated, TimeGenerated1)) <= 1
| summarize by DeviceNameAbout this query
Explanation
This query is designed to detect potential malicious activity involving PowerShell scripts that are executed as a result of a social engineering attack using fake CAPTCHA or bot verification techniques. Here's a simple breakdown of what the query does:
-
Objective: The query aims to identify instances where a user is tricked into copying and pasting a malicious PowerShell command from a website, which then executes on their device.
-
Technique: The attack leverages a fake CAPTCHA or bot verification prompt to deceive users into executing a harmful script.
-
Detection Method:
- The query looks for two types of events:
- Clipboard Access: It checks for events where clipboard data is accessed by the "explorer.exe" process. This indicates that something was copied to the clipboard.
- PowerShell Execution: It searches for PowerShell or mshta.exe processes that run commands containing "http" (indicating a web request) but not "http://localhost" (to exclude local testing), and where the command is hidden.
- It then correlates these events by matching them on the same device and ensuring they occur within one minute of each other.
- The query looks for two types of events:
-
Output: The query lists devices where both clipboard access and suspicious PowerShell execution occur in close succession, suggesting a possible malicious activity.
-
Purpose: This helps security teams identify and respond to potential threats where users are tricked into executing harmful scripts, thereby enhancing the organization's cybersecurity posture.
