Data Copied To Clipboard Via Clip.EXE
Detects the execution of clip.exe in order to copy data to the clipboard. Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Sigma rule
title: Data Copied To Clipboard Via Clip.EXE
id: ddeff553-5233-4ae9-bbab-d64d2bd634be
status: test
description: Detects the execution of clip.exe in order to copy data to the clipboard. Adversaries may collect data stored in the clipboard from users copying information within or between applications.
references:
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/clip
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1115/T1115.md
author: frack113
date: 2021-07-27
modified: 2023-02-21
tags:
    - attack.collection
    - attack.t1115
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\clip.exe'
        - OriginalFileName: clip.exe
    condition: selection
falsepositives:
    - Unknown
level: low
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_clip_execution/info.yml
simulation:
    - type: atomic-red-team
      name: Utilize Clipboard to store or execute commands from
      technique: T1115
      atomic_guid: 0cd14633-58d4-4422-9ede-daa2c9474ae7
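
How the selection above evaluates, shown as an added example (not part of the Sigma rule or the Sigma project's code). The function names and the sample events are constructed for illustration; the event field names are assumed to follow Sysmon Event ID 1.

```python
def matches_selection(event):
    """Evaluate the rule's `selection` for one process-creation event.

    The two list items under `selection` are OR-ed, and Sigma string
    matching is case-insensitive unless a modifier says otherwise.
    Returns the names of the fields that matched (empty list = no hit).
    """
    image = str(event.get("Image") or "").lower()
    original = str(event.get("OriginalFileName") or "").lower()
    matched = []
    if image.endswith("\\clip.exe"):      # Image|endswith: '\clip.exe'
        matched.append("Image")
    if original == "clip.exe":            # OriginalFileName: clip.exe
        matched.append("OriginalFileName")
    return matched


def triage(events):
    """Return (Image, matched_fields) for every event the rule fires on."""
    hits = []
    for event in events:
        matched = matches_selection(event)
        if matched:
            hits.append((event.get("Image"), matched))
    return hits


# Constructed sample events (field names as in Sysmon Event ID 1).
SAMPLE_EVENTS = [
    # Normal invocation: both conditions match.
    {"Image": r"C:\Windows\System32\clip.exe", "OriginalFileName": "clip.exe"},
    # Renamed copy: the path no longer matches, the PE metadata still does.
    {"Image": r"C:\Users\Public\c.exe", "OriginalFileName": "CLIP.EXE"},
    # Source without OriginalFileName: only the path condition can fire.
    {"Image": r"C:\Windows\SysWOW64\CLIP.EXE"},
    # Lookalike name: '\clip.exe' needs the path separator, so no match.
    {"Image": r"C:\Tools\myclip.exe", "OriginalFileName": "myclip.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE"},
]

if __name__ == "__main__":
    for image, matched in triage(SAMPLE_EVENTS):
        print(f"{image}: matched on {' + '.join(matched)}")
```
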
Related rules
- Clipboard Data Collection Via OSAScript
- Clipboard Collection with Xclip Tool
- PowerShell Get Clipboard
- PowerShell Get-Clipboard Cmdlet Via CLI
- Cisco BGP Authentication Failures