Clipboard Collection with Xclip Tool - Auditd
Detects attempts to collect data stored in users' clipboards with the xclip tool. Xclip has to be installed. Using this rule on servers is highly recommended, because clipboard utilities are used heavily on user workstations.
Sigma rule (View on GitHub)
```yaml
title: Clipboard Collection with Xclip Tool - Auditd
id: 214e7e6c-f21b-47ff-bb6f-551b2d143fcf
status: test
description: |
    Detects attempts to collect data stored in the clipboard from users with the usage of xclip tool.
    Xclip has to be installed.
    Highly recommended using rule on servers, due to high usage of clipboard utilities on user workstations.
references:
    - https://linux.die.net/man/1/xclip
    - https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/
author: 'Pawel Mazur'
date: 2021-09-24
modified: 2022-11-26
tags:
    - attack.collection
    - attack.t1115
logsource:
    product: linux
    service: auditd
detection:
    selection:
        type: EXECVE
        a0: xclip
        a1:
            - '-selection'
            - '-sel'
        a2:
            - clipboard
            - clip
        a3: '-o'
    condition: selection
falsepositives:
    - Legitimate usage of xclip tools
level: low
```
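To check the rule's selection against auditd data before deploying it, the following added example (not part of the Sigma project or the original page) parses raw EXECVE records and applies the same field logic. The log lines are constructed samples, and the function names `parse_audit_record`, `matches_selection` and `evaluate` are hypothetical.

```python
import re

# Selection copied from the rule: all fields must match (AND), a list is any-of (OR).
SELECTION = {
    "type": ["EXECVE"],
    "a0": ["xclip"],
    "a1": ["-selection", "-sel"],
    "a2": ["clipboard", "clip"],
    "a3": ["-o"],
}
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_audit_record(line):
    """Parse the key=value pairs of one raw auditd record into a dict."""
    fields = {}
    for key, raw in FIELD_RE.findall(line):
        if raw.startswith('"'):
            value = raw[1:-1]
        elif re.fullmatch(r"a\d+", key) and re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", raw):
            # auditd hex-encodes arguments that contain spaces or special characters
            value = bytes.fromhex(raw).decode("utf-8", "replace")
        else:
            value = raw
        fields[key] = value
    return fields

def matches_selection(fields):
    """Sigma default semantics: case-insensitive exact match on every field."""
    return all(
        fields.get(name, "").lower() in [v.lower() for v in allowed]
        for name, allowed in SELECTION.items()
    )

# Constructed sample records (not real logs): two reads of the clipboard,
# one write into it (-i), and one unrelated command.
SAMPLES = [
    'type=EXECVE msg=audit(1632480000.101:410): argc=4 a0="xclip" a1="-selection" a2="clipboard" a3="-o"',
    'type=EXECVE msg=audit(1632480000.202:411): argc=4 a0="xclip" a1="-sel" a2="clip" a3="-o"',
    'type=EXECVE msg=audit(1632480000.303:412): argc=4 a0="xclip" a1="-selection" a2="clipboard" a3="-i"',
    'type=EXECVE msg=audit(1632480000.404:413): argc=2 a0="cat" a1="/etc/hostname"',
]

def evaluate(lines):
    return [matches_selection(parse_audit_record(line)) for line in lines]

if __name__ == "__main__":
    for line, hit in zip(SAMPLES, evaluate(SAMPLES)):
        print("ALERT" if hit else "ok   ", line)
```

The selection is positional (`a0` to `a3`), so it only fires when auditd is logging EXECVE records and the arguments appear in exactly this order.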
Related rules
- Clipboard Collection of Image Data with Xclip Tool
- Clipboard Collection with Xclip Tool
- Clipboard Data Collection Via OSAScript
- Data Copied To Clipboard Via Clip.EXE
- PowerShell Get Clipboard