From 4bbe4962b01b5b2bffd02edf3659cd670dc9ddef Mon Sep 17 00:00:00 2001 From: Pawel Mazur Date: Fri, 24 Sep 2021 18:40:10 +0200 Subject: [PATCH] New Rule - Linux - Auditd - Clipboard Collection --- .../lnx_auditd_clipboard_collection.yml | 27 +++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 rules/linux/auditd/lnx_auditd_clipboard_collection.yml diff --git a/rules/linux/auditd/lnx_auditd_clipboard_collection.yml b/rules/linux/auditd/lnx_auditd_clipboard_collection.yml new file mode 100644 index 000000000..4f5f3a004 --- /dev/null +++ b/rules/linux/auditd/lnx_auditd_clipboard_collection.yml @@ -0,0 +1,27 @@ +title: Clipboard Collection with Xclip Tool +id: 214e7e6c-f21b-47ff-bb6f-551b2d143fcf +description: Detects attempts to collect data stored in the clipboard from users with the usage of xclip tool. Xclip has to be installed. Highly recommended using rule on servers, due to high usage of clipboard utilities on user workstations. +author: 'Pawel Mazur' +status: experimental +date: 2021/09/24 +references: + - https://attack.mitre.org/techniques/T1115/ + - https://linux.die.net/man/1/xclip + - https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/ +logsource: + product: linux + service: auditd +detection: + xclip: + type: EXECVE + a0: xclip + a1: '-selection' + a2: clipboard + a3: '-o' + condition: xclip +tags: + - attack.collection + - attack.t1115 +falsepositives: + - Legitimate usage of xclip tools +level: low \ No newline at end of file
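Review bot: the detection block in this hunk is brittle because it keys on exact, positional argument values (`a0: xclip`, `a1: '-selection'`, `a2: clipboard`, `a3: '-o'`), so the rule only fires for the one invocation `xclip -selection clipboard -o`; an execve with a full path in a0 (e.g. `/usr/bin/xclip`), with `-o` placed before `-selection`, or with the abbreviated option forms that xclip accepts (documented on the referenced man page) will not match, even though it reads the same clipboard. Suggest anchoring a0 with `a0|endswith: xclip`, dropping the fixed positions by matching the option values with `contains`-style modifiers across the argument fields, and making the selection match cover the `primary`/`secondary` cases if the intent is clipboard collection in general; otherwise the description should state that only the exact `-selection clipboard -o` form is covered. Two smaller points: `falsepositives` reads "Legitimate usage of xclip tools" (should be "the xclip tool"), and the file lacks a trailing newline, which the Sigma linters flag.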