PowerShell Get Clipboard
A General detection for the Get-Clipboard commands in PowerShell logs. This could be an adversary capturing clipboard contents.
Sigma rule (View on GitHub)
1title: PowerShell Get Clipboard
2id: 4cbd4f12-2e22-43e3-882f-bff3247ffb78
3status: test
4description: A General detection for the Get-Clipboard commands in PowerShell logs. This could be an adversary capturing clipboard contents.
5references:
6 - https://github.com/OTRF/detection-hackathon-apt29/issues/16
7 - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/7.A.2_F4609F7E-C4DB-4327-91D4-59A58C962A02.md
8author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
9date: 2020-05-02
10modified: 2023-01-04
11tags:
12 - attack.collection
13 - attack.t1115
14logsource:
15 product: windows
16 category: ps_module
17 definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
18detection:
19 selection:
20 Payload|contains: 'Get-Clipboard'
21 condition: selection
22falsepositives:
23 - Unknown
24level: medium
References
-
Description The attacker collects screenshots (T1113), data from the user’s clipboard (T1115), and keystrokes (T1056).
Read More -
A community-driven, open-source project to share detection logic, adversary tradecraft and resources to make detection development more efficient. - OTRF/ThreatHunter-Playbook
Read More
Related rules
- Clipboard Collection of Image Data with Xclip Tool
- Clipboard Collection with Xclip Tool
- Clipboard Collection with Xclip Tool - Auditd
- Clipboard Data Collection Via OSAScript
- Data Copied To Clipboard Via Clip.EXE