Clipboard Collection with Xclip Tool - Auditd

Detects attempts to collect data stored in the clipboard from users through the use of the xclip tool. xclip has to be installed on the host. Using this rule on servers is highly recommended; on user workstations, clipboard utilities are used so heavily that the rule would be noisy.

Sigma rule

```yaml
title: Clipboard Collection with Xclip Tool - Auditd
id: 214e7e6c-f21b-47ff-bb6f-551b2d143fcf
status: test
description: |
  Detects attempts to collect data stored in the clipboard from users with the usage of xclip tool.
  Xclip has to be installed.
  Highly recommended using rule on servers, due to high usage of clipboard utilities on user workstations.
references:
    - https://linux.die.net/man/1/xclip
    - https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/
author: 'Pawel Mazur'
date: 2021/09/24
modified: 2022/11/26
tags:
    - attack.collection
    - attack.t1115
logsource:
    product: linux
    service: auditd
detection:
    selection:
        type: EXECVE
        a0: xclip
        a1:
            - '-selection'
            - '-sel'
        a2:
            - clipboard
            - clip
        a3: '-o'
    condition: selection
falsepositives:
    - Legitimate usage of xclip tools
level: low
```
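To show what the rule's `selection` block actually does against raw auditd output, here is an added Python example (not part of the Sigma rule or the Sigma project) that parses auditd `EXECVE` records and applies the same positional match: `a0` equal to `xclip`, `a1` one of `-selection`/`-sel`, `a2` one of `clipboard`/`clip`, and `a3` equal to `-o`. The sample log lines are constructed for this example; one of them carries hex-encoded arguments, which auditd emits (unquoted) for arguments containing whitespace or non-printable characters, so the parser decodes those before matching. The function names `parse_record`, `matches_xclip_rule` and `scan_log` are this example's own.

```python
import re
from typing import Dict, List

# The rule's selection block, expressed as field -> allowed values.
SELECTION = {
    "a0": {"xclip"},
    "a1": {"-selection", "-sel"},
    "a2": {"clipboard", "clip"},
    "a3": {"-o"},
}

# Constructed sample auditd records (not real captures). Record 205 uses
# hex-encoded arguments to exercise the decoder; record 203 is the same
# command with the arguments in a different order, and record 204 lacks -o.
SAMPLE_LOG = """\
type=EXECVE msg=audit(1632480000.101:201): argc=4 a0="xclip" a1="-selection" a2="clipboard" a3="-o"
type=EXECVE msg=audit(1632480000.102:202): argc=4 a0="xclip" a1="-sel" a2="clip" a3="-o"
type=EXECVE msg=audit(1632480000.103:203): argc=4 a0="xclip" a1="-o" a2="-selection" a3="clipboard"
type=EXECVE msg=audit(1632480000.104:204): argc=3 a0="xclip" a1="-selection" a2="clipboard"
type=EXECVE msg=audit(1632480000.105:205): argc=4 a0="xclip" a1=2D73656C a2=636C6970 a3=2D6F
type=SYSCALL msg=audit(1632480000.105:205): arch=c000003e syscall=59 success=yes exit=0
type=EXECVE msg=audit(1632480000.106:206): argc=2 a0="cat" a1="/etc/hostname"
"""

# key="quoted value" or key=unquoted_token
AUDIT_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
ARG_KEY = re.compile(r"^a\d+$")          # EXECVE argument fields a0, a1, ...
HEX_VALUE = re.compile(r"^(?:[0-9A-Fa-f]{2})+$")
SERIAL = re.compile(r"audit\([\d.]+:(\d+)\)")


def parse_record(line: str) -> Dict[str, str]:
    """Split one auditd record into fields, decoding hex-encoded aN arguments."""
    fields: Dict[str, str] = {}
    for key, quoted, raw in AUDIT_KV.findall(line):
        value = quoted if raw == "" else raw
        # Unquoted aN values are auditd's hex encoding of the argument bytes.
        if raw and ARG_KEY.match(key) and HEX_VALUE.match(raw):
            value = bytes.fromhex(raw).decode("utf-8", errors="replace")
        fields[key] = value
    return fields


def matches_xclip_rule(fields: Dict[str, str]) -> bool:
    """Apply the Sigma selection: every listed field must hold an allowed value."""
    if fields.get("type") != "EXECVE":
        return False
    return all(fields.get(key) in allowed for key, allowed in SELECTION.items())


def scan_log(log_text: str) -> List[str]:
    """Return the audit serial numbers of records that match the rule."""
    hits: List[str] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = parse_record(line)
        if matches_xclip_rule(fields):
            serial = SERIAL.search(line)
            hits.append(serial.group(1) if serial else "?")
    return hits


if __name__ == "__main__":
    for serial in scan_log(SAMPLE_LOG):
        print(f"xclip clipboard read detected in audit record {serial}")
```

Records 201, 202 and 205 match; 203 does not, even though `xclip -o -selection clipboard` reads the same clipboard, because the Sigma selection is positional and expects `-o` in `a3`. If that gap matters in your environment, a companion rule can match `a0: xclip` together with `-o` in any argument field and accept the higher false-positive rate. The example also assumes auditd is configured to record `execve` calls (for example `-a always,exit -F arch=b64 -S execve`), since without that rule no `EXECVE` records are produced at all.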
