Find sigma rule

Attack: Clipboard Data

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

For example, on Windows adversaries can access clipboard data by using clip.exe or Get-Clipboard.(Citation: MSDN Clipboard)(Citation: clip_win_server)(Citation: CISA_AA21_200B) Additionally, adversaries may monitor then replace users’ clipboard with their data (e.g., Transmitted Data Manipulation).(Citation: mining_ruby_reversinglabs)

macOS and Linux also have commands, such as pbpaste, to grab clipboard contents.(Citation: Operating with EmPyre)

MITRE

Tactic

collection

technique

T1115

Test : Utilize Clipboard to store or execute commands from

OS

windows

Description:

Add data to clipboard to copy off or execute commands from.

Executor

command_prompt

Sigma Rule

proc_creation_win_clip_execution.yml (id: ddeff553-5233-4ae9-bbab-d64d2bd634be)

back

sigma_redcanaryco

Knowing which rule should trigger according to the redcannary test