Clipboard Collection of Image Data with Xclip Tool

Detects attempts to collect image data stored in the clipboard by a user invoking the xclip tool. xclip must be installed on the host for the rule to be relevant. Using this rule on servers is highly recommended; on user workstations, clipboard utilities are used so heavily that it would mostly produce noise.

Sigma rule

title: Clipboard Collection of Image Data with Xclip Tool
id: f200dc3f-b219-425d-a17e-c38467364816
status: test
description: |
  Detects attempts to collect image data stored in the clipboard from users with the usage of xclip tool.
  Xclip has to be installed.
  Highly recommended using rule on servers, due to high usage of clipboard utilities on user workstations.
references:
    - https://linux.die.net/man/1/xclip
author: 'Pawel Mazur'
date: 2021-10-01
modified: 2022-10-09
tags:
    - attack.collection
    - attack.t1115
logsource:
    product: linux
    service: auditd
detection:
    selection:
        type: EXECVE
        a0: xclip
        a1:
            - '-selection'
            - '-sel'
        a2:
            - clipboard
            - clip
        a3: '-t'
        a4|startswith: 'image/'
        a5: '-o'
    condition: selection
falsepositives:
    - Legitimate usage of xclip tools
level: low
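To show how the selection block above translates into matching logic, here is an added example (not part of the Sigma rule or the Sigma project) that applies the same field conditions to auditd EXECVE records. The records, the regex and the function names are constructed for illustration; the `a1`/`a2` lists act as OR and `a4|startswith` becomes a prefix test.

```python
import re
from typing import Dict, List

# Constructed auditd EXECVE records (not real captured logs): the first two should
# fire, the third reads text rather than an image, the fourth lacks the -t/-o
# arguments, and the fifth is a SYSCALL record rather than EXECVE.
SAMPLE_RECORDS = [
    'type=EXECVE msg=audit(1633100000.101:201): argc=6 a0="xclip" a1="-selection" a2="clipboard" a3="-t" a4="image/png" a5="-o"',
    'type=EXECVE msg=audit(1633100000.102:202): argc=6 a0="xclip" a1="-sel" a2="clip" a3="-t" a4="image/jpeg" a5="-o"',
    'type=EXECVE msg=audit(1633100000.103:203): argc=6 a0="xclip" a1="-selection" a2="clipboard" a3="-t" a4="text/plain" a5="-o"',
    'type=EXECVE msg=audit(1633100000.104:204): argc=3 a0="xclip" a1="-selection" a2="clipboard"',
    'type=SYSCALL msg=audit(1633100000.105:205): arch=c000003e syscall=59 success=yes exe="/usr/bin/xclip"',
]

# key=value pairs; argument values a0..aN are double-quoted in EXECVE records
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_audit_record(line: str) -> Dict[str, str]:
    """Split one auditd record into a field dict, unquoting quoted values."""
    fields: Dict[str, str] = {}
    for key, raw, quoted in FIELD_RE.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields


def matches_xclip_image_rule(fields: Dict[str, str]) -> bool:
    """Apply the rule's 'selection' block: all field conditions must hold (implicit AND)."""
    return (
        fields.get("type") == "EXECVE"
        and fields.get("a0") == "xclip"
        and fields.get("a1") in ("-selection", "-sel")   # YAML list -> any of these values
        and fields.get("a2") in ("clipboard", "clip")
        and fields.get("a3") == "-t"
        and fields.get("a4", "").startswith("image/")    # a4|startswith modifier
        and fields.get("a5") == "-o"
    )


def alert_ids(lines: List[str]) -> List[str]:
    """Return the audit serial numbers (after the ':' in msg=audit(...)) of records that fire."""
    hits = []
    for line in lines:
        if matches_xclip_image_rule(parse_audit_record(line)):
            m = re.search(r"audit\([^:]+:(\d+)\)", line)
            hits.append(m.group(1) if m else "?")
    return hits


if __name__ == "__main__":
    print(alert_ids(SAMPLE_RECORDS))  # -> ['201', '202']
```

Because the selection is positional (a0 to a5), the same command with its options in a different order produces a record that this rule does not match, which is worth keeping in mind when tuning it for your environment.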
