rules/windows/process_creation/proc_creation_win_clip_execution.yml

title: Data Copied To Clipboard Via Clip.EXE
id: ddeff553-5233-4ae9-bbab-d64d2bd634be
status: test
description: Detects the execution of clip.exe in order to copy data to the clipboard. Adversaries may collect data stored in the clipboard from users copying information within or between applications.
references:
    - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/clip
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1115/T1115.md
author: frack113
date: 2021/07/27
modified: 2023/02/21
tags:
    - attack.collection
    - attack.t1115
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\clip.exe'
        - OriginalFileName: clip.exe
    condition: selection
falsepositives:
    - Unknown
level: low
feat: multiple fixes and updates 2023-02-21 22:15:30 +01:00			`title: Data Copied To Clipboard Via Clip.EXE`
$frack113$ add process_creation_clip.yml 2021-07-27 08:50:03 +02:00			`id: ddeff553-5233-4ae9-bbab-d64d2bd634be`
$frack113$ old experimental rule promotion 2022-10-09 16:54:04 +02:00			`status: test`
fix: apply suggestions from 2nd code review 2023-02-22 12:15:49 +01:00			`description: Detects the execution of clip.exe in order to copy data to the clipboard. Adversaries may collect data stored in the clipboard from users copying information within or between applications.`
$frack113$ add process_creation_clip.yml 2021-07-27 08:50:03 +02:00			`references:`
			`- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/clip`
Update Ref+Selection 2 2022-07-11 17:48:40 +01:00			`- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1115/T1115.md`
$frack113$ old experimental rule promotion 2022-10-09 16:54:04 +02:00			`author: frack113`
			`date: 2021/07/27`
feat: multiple fixes and updates 2023-02-21 22:15:30 +01:00			`modified: 2023/02/21`
$frack113$ add process_creation_clip.yml 2021-07-27 08:50:03 +02:00			`tags:`
			`- attack.collection`
			`- attack.t1115`
			`logsource:`
			`category: process_creation`
			`product: windows`
			`detection:`
			`selection:`
Update Ref+Selection 2 2022-07-11 17:48:40 +01:00			`- Image\|endswith: '\clip.exe'`
			`- OriginalFileName: clip.exe`
			`condition: selection`
$frack113$ add process_creation_clip.yml 2021-07-27 08:50:03 +02:00			`falsepositives:`
			`- Unknown`
			`level: low`