Suspicious pbpaste High Volume Activity
Identifies a high volume of pbpaste
executions, which may indicate a bash loop continuously collecting clipboard
contents, potentially allowing an attacker to harvest user credentials or other sensitive information.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2024/09/12"
3integration = ["endpoint", "jamf_protect"]
4maturity = "production"
5updated_date = "2024/12/09"
6
7[transform]
8[[transform.investigate]]
9label = "Show events having the same responsible process"
10providers = [
11 [
12 { excluded = false, field = "host.hostname", queryType = "phrase", value = "{{host.hostname}}", valueType = "string" },
13 { excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.group_leader.entity_id}}", valueType = "string" }
14 ]
15]
16
17[[transform.investigate]]
18label = "Show events having the same parent process"
19providers = [
20 [
21 { excluded = false, field = "host.hostname", queryType = "phrase", value = "{{host.hostname}}", valueType = "string" },
22 { excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.parent.entity_id}}", valueType = "string" }
23 ]
24]
25
26
27[rule]
28author = ["Thijs Xhaflaire"]
29description = """
30Identifies a high volume of `pbpaste` executions, which may indicate a bash loop continuously collecting clipboard
31contents, potentially allowing an attacker to harvest user credentials or other sensitive information.
32"""
33from = "now-9m"
34index = ["logs-jamf_protect*", "logs-endpoint.events.process-*"]
35language = "eql"
36license = "Elastic License v2"
37name = "Suspicious pbpaste High Volume Activity"
38note = """## Triage and analysis
39
40To investigate `pbpaste` activity, focus on determining whether the binary is being used maliciously to collect clipboard data. Follow these steps:
41
42> **Note**:
43> This investigation guide uses the [Investigate Markdown Plugin](https://www.elastic.co/guide/en/security/master/interactive-investigation-guides.html) introduced in Elastic Stack version 8.8.0. Older Elastic Stack versions will display unrendered Markdown in this guide.
44
451. **Identify Frequency and Pattern of Execution:**
46 - **What to check:** Analyze the frequency and timing of `pbpaste` executions. Look for consistent intervals that might indicate a script or loop is running.
47 - **Why:** A high volume of regular `pbpaste` executions could suggest a bash loop designed to continuously capture clipboard data.
48
492. **Examine Associated Scripts or Processes:**
50 - **What to check:** Investigate the parent processes or scripts invoking `pbpaste`. Look for any cron jobs, bash scripts, or automated tasks linked to these executions.
51 - **Why:** Understanding what is triggering `pbpaste` can help determine if this activity is legitimate or part of a malicious attempt to gather sensitive information.
52 - $investigate_1
53 - $investigate_2
54
553. **Review Clipboard Contents:**
56 - **What to check:** If possible, capture and review the clipboard contents during `pbpaste` executions to identify if sensitive data, such as user credentials, is being targeted.
57 - **Why:** Attackers may use `pbpaste` to harvest valuable information from the clipboard. Identifying the type of data being collected can indicate the severity of the threat.
58
594. **Check for Data Exfiltration:**
60 - **What to check:** Investigate any output files or network activity associated with `pbpaste` usage. Look for signs that the collected data is being saved to a file, transmitted over the network, or sent to an external location.
61 - **Why:** If data is being stored or transmitted, it may be part of an exfiltration attempt. Identifying this can help prevent sensitive information from being leaked.
62
635. **Correlate with User Activity:**
64 - **What to check:** Compare the `pbpaste` activity with the user’s normal behavior and system usage patterns.
65 - **Why:** If the `pbpaste` activity occurs during times when the user is not active, or if the user denies initiating such tasks, it could indicate unauthorized access or a compromised account.
66
67By thoroughly investigating these aspects of `pbpaste` activity, you can determine whether this is part of a legitimate process or a potential security threat that needs to be addressed.
68"""
69references = ["https://www.loobins.io/binaries/pbpaste/"]
70risk_score = 47
71rule_id = "e29599ee-d6ad-46a9-9c6a-dc39f361890d"
72setup = """## Setup
73
74This rule requires data coming in from Jamf Protect.
75
76### Jamf Protect Integration Setup
77Jamf Protect is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events incoming events and send data to the Elastic.
78
79#### Prerequisite Requirements:
80- Fleet is required for Jamf Protect.
81- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
82
83#### The following steps should be executed in order to add the Jamf Protect integration:
84- Go to the Kibana home page and click "Add integrations".
85- In the query bar, search for "Jamf Protect" and select the integration to see more details about it.
86- Click "Add Jamf Protect".
87- Configure the integration name.
88- Click "Save and Continue".
89"""
90severity = "medium"
91tags = [
92 "Domain: Endpoint",
93 "OS: macOS",
94 "Use Case: Threat Detection",
95 "Tactic: Credential Access",
96 "Data Source: Jamf Protect",
97 "Data Source: Elastic Defend",
98]
99timestamp_override = "event.ingested"
100type = "eql"
101
102query = '''
103sequence by host.hostname, host.id with maxspan=1m
104[process where host.os.type == "macos" and event.type == "start" and event.action == "exec" and process.name: "pbpaste"] with runs = 5
105'''
106
107
108[[rule.threat]]
109framework = "MITRE ATT&CK"
110[[rule.threat.technique]]
111id = "T1056"
112name = "Input Capture"
113reference = "https://attack.mitre.org/techniques/T1056/"
114
115
116[rule.threat.tactic]
117id = "TA0006"
118name = "Credential Access"
119reference = "https://attack.mitre.org/tactics/TA0006/"
Triage and analysis
To investigate pbpaste
activity, focus on determining whether the binary is being used maliciously to collect clipboard data. Follow these steps:
Note: This investigation guide uses the Investigate Markdown Plugin introduced in Elastic Stack version 8.8.0. Older Elastic Stack versions will display unrendered Markdown in this guide.
-
Identify Frequency and Pattern of Execution:
- What to check: Analyze the frequency and timing of
pbpaste
executions. Look for consistent intervals that might indicate a script or loop is running. - Why: A high volume of regular
pbpaste
executions could suggest a bash loop designed to continuously capture clipboard data.
- What to check: Analyze the frequency and timing of
-
Examine Associated Scripts or Processes:
- What to check: Investigate the parent processes or scripts invoking
pbpaste
. Look for any cron jobs, bash scripts, or automated tasks linked to these executions. - Why: Understanding what is triggering
pbpaste
can help determine if this activity is legitimate or part of a malicious attempt to gather sensitive information. - $investigate_1
- $investigate_2
- What to check: Investigate the parent processes or scripts invoking
-
Review Clipboard Contents:
- What to check: If possible, capture and review the clipboard contents during
pbpaste
executions to identify if sensitive data, such as user credentials, is being targeted. - Why: Attackers may use
pbpaste
to harvest valuable information from the clipboard. Identifying the type of data being collected can indicate the severity of the threat.
- What to check: If possible, capture and review the clipboard contents during
-
Check for Data Exfiltration:
- What to check: Investigate any output files or network activity associated with
pbpaste
usage. Look for signs that the collected data is being saved to a file, transmitted over the network, or sent to an external location. - Why: If data is being stored or transmitted, it may be part of an exfiltration attempt. Identifying this can help prevent sensitive information from being leaked.
- What to check: Investigate any output files or network activity associated with
-
Correlate with User Activity:
- What to check: Compare the
pbpaste
activity with the user’s normal behavior and system usage patterns. - Why: If the
pbpaste
activity occurs during times when the user is not active, or if the user denies initiating such tasks, it could indicate unauthorized access or a compromised account.
- What to check: Compare the
By thoroughly investigating these aspects of pbpaste
activity, you can determine whether this is part of a legitimate process or a potential security threat that needs to be addressed.
References
Related rules
- Suspicious Web Browser Sensitive File Access
- Potential Cookies Theft via Browser Debugging
- Access to Keychain Credentials Directories
- Dumping Account Hashes via Built-In Commands
- Dumping of Keychain Content via Security Command