PowerShell Get-Clipboard Cmdlet Via CLI

 1title: PowerShell Get-Clipboard Cmdlet Via CLI
 2id: b9aeac14-2ffd-4ad3-b967-1354a4e628c3
 3related:
 4    - id: 4cbd4f12-2e22-43e3-882f-bff3247ffb78
 5      type: derived
 6status: test
 7description: Detects usage of the 'Get-Clipboard' cmdlet via CLI
 8references:
 9    - https://github.com/OTRF/detection-hackathon-apt29/issues/16
10    - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.md
11author: Nasreddine Bencherchali (Nextron Systems)
12date: 2020/05/02
13modified: 2022/12/25
14tags:
15    - attack.collection
16    - attack.t1115
17logsource:
18    category: process_creation
19    product: windows
20detection:
21    selection:
22        CommandLine|contains: 'Get-Clipboard'
23    condition: selection
24falsepositives:
25    - Unknown
26level: medium

References

• 7.A) Screen Capture, Clipboard Data, Input Capture · Issue #16 · OTRF/detection-hackathon-apt29

  

  Description The attacker collects screenshots (T1113), data from the user’s clipboard (T1115), and keystrokes (T1056).

  
  Read More

• ThreatHunter-Playbook/docs/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.md at 2d4257f630f4c9770f78d0c1df059f891ffc3fec · OTRF/ThreatHunter-Playbook

  

  A community-driven, open-source project to share detection logic, adversary tradecraft and resources to make detection development more efficient. - OTRF/ThreatHunter-Playbook

  
  Read More

Related rules

• Clipboard Collection of Image Data with Xclip Tool
• Clipboard Collection with Xclip Tool - Auditd
• Files Added To An Archive Using Rar.EXE
• Audio Capture
• Screen Capture with Import Tool