Detection: Windows PowerShell FakeCAPTCHA Clipboard Execution

Updated Date: 2025-05-14 ID: d81d4d3d-76b5-4f21-ab51-b17d5164c106 Author: Michael Haag, Splunk Type: TTP Product: Splunk Enterprise Security

Description

This detection identifies potential FakeCAPTCHA/ClickFix clipboard hijacking campaigns by looking for PowerShell execution with hidden window parameters and distinctive strings related to fake CAPTCHA verification. These campaigns use social engineering to trick users into pasting malicious PowerShell commands from their clipboard, typically delivering information stealers or remote access trojans.

1
2| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where `process_powershell` AND Processes.process="*-w*h*" AND ( (Processes.process IN ("*robot*", "*captcha*", "*verify*", "*security check*", "*complete verification*")) OR ( (Processes.process IN ("*iwr *", "*Invoke-WebRequest*", "*wget *", "*curl *", "*Net.WebClient*", "*DownloadString*", "*[Convert]::FromBase64String*")) AND (Processes.process IN ("*iex*", "*Invoke-Expression*")) AND (Processes.process IN ("*click*", "*verify*", "*check*", "*human*", "*bot*", "*token*", "*challenge*")) ) OR ( Processes.process="*clipboard*" AND Processes.process="*iex*" AND (Processes.process="*FromBase64String*" OR Processes.process="*decode*") ) ) by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product 
3| `drop_dm_object_name(Processes)` 
4| `security_content_ctime(firstTime)` 
5| `security_content_ctime(lastTime)` 
6| `windows_powershell_fakecaptcha_clipboard_execution_filter`

Data Source

Name Platform Sourcetype Source
Sysmon EventID 1 Windows icon Windows 'xmlwineventlog' 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational'

Macros Used

Name Value
process_powershell (Processes.process_name=pwsh.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE)
windows_powershell_fakecaptcha_clipboard_execution_filter search *
windows_powershell_fakecaptcha_clipboard_execution_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Annotations

- MITRE ATT&CK
+ Kill Chain Phases
+ NIST
+ CIS
- Threat Actors
ID Technique Tactic
T1059.001 PowerShell Execution
T1204.001 Malicious Link Execution
T1059.003 Windows Command Shell Execution
Installation
DE.CM
CIS 10

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Setting Value
Disabled true
Cron Schedule 0 * * * *
Earliest Time -70m@m
Latest Time -10m@m
Schedule Window auto
Creates Notable Yes
Rule Title %name%
Rule Description %description%
Notable Event Fields user, dest
Creates Risk Event True
This configuration file applies to all detections of type TTP. These detections will use Risk Based Alerting and generate Notable Events.

Implementation

To successfully implement this search, you need to be ingesting logs with the process name, process path, and command-line executions from your endpoints. If you are using Sysmon, you must have at least Sysmon version 6.0.4 with EventID 1 configured. The full command line arguments are necessary for proper detection.

Known False Positives

Legitimate PowerShell commands that use hidden windows for automation tasks may trigger this detection. The search specifically looks for patterns typical of FakeCAPTCHA campaigns. You may need to add additional exclusions for legitimate administrative activities in your environment by modifying the filter macro.

Associated Analytic Story

Risk Based Analytics (RBA)

Risk Message:

A potential FakeCAPTCHA/ClickFix campaign execution was detected on $dest$ running a PowerShell command with hidden window and suspicious verification strings typical of social engineering attacks.

Risk Object Risk Object Type Risk Score Threat Objects
dest system 80 process

References

Detection Testing

Test Type Status Dataset Source Sourcetype
Validation Passing N/A N/A N/A
Unit Passing Dataset XmlWinEventLog:Microsoft-Windows-Sysmon/Operational XmlWinEventLog
Integration ✅ Passing Dataset XmlWinEventLog:Microsoft-Windows-Sysmon/Operational XmlWinEventLog

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

Source: GitHub | Version: 1