Clipboard Collection with Xclip Tool
Detects attempts to collect data stored in the clipboard from users with the usage of xclip tool. Xclip has to be installed. Highly recommended using rule on servers, due to high usage of clipboard utilities on user workstations.
Sigma rule (View on GitHub)
1title: Clipboard Collection with Xclip Tool
2id: ec127035-a636-4b9a-8555-0efd4e59f316
3status: test
4description: |
5 Detects attempts to collect data stored in the clipboard from users with the usage of xclip tool. Xclip has to be installed.
6 Highly recommended using rule on servers, due to high usage of clipboard utilities on user workstations.
7references:
8 - https://www.packetlabs.net/posts/clipboard-data-security/
9author: Pawel Mazur, Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
10date: 2021/10/15
11modified: 2022/09/15
12tags:
13 - attack.collection
14 - attack.t1115
15logsource:
16 product: linux
17 category: process_creation
18detection:
19 selection:
20 Image|contains: 'xclip'
21 CommandLine|contains|all:
22 - '-sel'
23 - 'clip'
24 - '-o'
25 condition: selection
26falsepositives:
27 - Legitimate usage of xclip tools.
28level: low
References
-
Users may not know that their computer stores everything they copy and paste. Learn how to keep your company safe by clearing the clipboard after pasting sensitive information.
Read More
Related rules
- Data Copied To Clipboard Via Clip.EXE
- PowerShell Get-Clipboard Cmdlet Via CLI
- Clipboard Collection of Image Data with Xclip Tool
- Clipboard Collection with Xclip Tool - Auditd
- AWS EC2 VM Export Failure