Data Copied To Clipboard Via Clip.EXE

Aug 12, 2024 · attack.collection attack.t1115 ·

Detects the execution of clip.exe in order to copy data to the clipboard. Adversaries may collect data stored in the clipboard from users copying information within or between applications.

Sigma rule (View on GitHub)

 1title: Data Copied To Clipboard Via Clip.EXE
 2id: ddeff553-5233-4ae9-bbab-d64d2bd634be
 3status: test
 4description: Detects the execution of clip.exe in order to copy data to the clipboard. Adversaries may collect data stored in the clipboard from users copying information within or between applications.
 5references:
 6    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/clip
 7    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1115/T1115.md
 8author: frack113
 9date: 2021-07-27
10modified: 2023-02-21
11tags:
12    - attack.collection
13    - attack.t1115
14logsource:
15    category: process_creation
16    product: windows
17detection:
18    selection:
19        - Image|endswith: '\clip.exe'
20        - OriginalFileName: clip.exe
21    condition: selection
22falsepositives:
23    - Unknown
24level: low

References

clip

Reference article for the clip command, which redirects the command output from the command line to the Windows clipboard.

Read More
atomic-red-team/atomics/T1115/T1115.md at f339e7da7d05f6057fdfcdd3742bfcf365fee2a9 · redcanaryco/atomic-red-team

Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team

Read More

Data Copied To Clipboard Via Clip.EXE

Sigma rule (View on GitHub)

References

clip

atomic-red-team/atomics/T1115/T1115.md at f339e7da7d05f6057fdfcdd3742bfcf365fee2a9 · redcanaryco/atomic-red-team

Related rules