Clipboard Collection with Xclip Tool
Detects attempts to collect data stored in the clipboard from users with the usage of xclip tool. Xclip has to be installed. Highly recommended using rule on servers, due to high usage of clipboard utilities on user workstations.
Sigma rule (View on GitHub)
1title: Clipboard Collection with Xclip Tool
2id: ec127035-a636-4b9a-8555-0efd4e59f316
3status: test
4description: |
5 Detects attempts to collect data stored in the clipboard from users with the usage of xclip tool. Xclip has to be installed.
6 Highly recommended using rule on servers, due to high usage of clipboard utilities on user workstations.
7references:
8 - https://www.packetlabs.net/posts/clipboard-data-security/
9author: Pawel Mazur, Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
10date: 2021-10-15
11modified: 2022-09-15
12tags:
13 - attack.collection
14 - attack.t1115
15logsource:
16 product: linux
17 category: process_creation
18detection:
19 selection:
20 Image|contains: 'xclip'
21 CommandLine|contains|all:
22 - '-sel'
23 - 'clip'
24 - '-o'
25 condition: selection
26falsepositives:
27 - Legitimate usage of xclip tools.
28level: low
References
-
Users may not know that their computer stores everything they copy and paste. Learn how to keep your company safe by clearing the clipboard after pasting sensitive information.
Read More
Related rules
- PowerShell Get Clipboard
- PowerShell Get-Clipboard Cmdlet Via CLI
- 7Zip Compressing Dump Files
- ADFS Database Named Pipe Connection By Uncommon Tool
- AWS EC2 VM Export Failure