Find sigma rule
Attack: Clipboard Data
Adversaries may collect data stored in the clipboard from users copying information within or between applications.
For example, on Windows adversaries can access clipboard data by using clip.exe
or Get-Clipboard
.(Citation: MSDN Clipboard)(Citation: clip_win_server)(Citation: CISA_AA21_200B) Additionally, adversaries may monitor then replace users’ clipboard with their data (e.g., Transmitted Data Manipulation).(Citation: mining_ruby_reversinglabs)
macOS and Linux also have commands, such as pbpaste
, to grab clipboard contents.(Citation: Operating with EmPyre)
MITRE
Tactic
- collection
technique
- T1115
Test : Collect Clipboard Data via VBA
OS
- windows
Description:
This module copies the data stored in the user’s clipboard and writes it to a file, $env:TEMP\atomic_T1115_clipboard_data.txt
Executor
powershell
Sigma Rule
- image_load_office_vbadll_load.yml (id: e6ce8457-68b1-485b-9bdd-3c2b5d679aa9)