Roberto Rodriguez
31 lines
1.1 KiB
YAML
31 lines
1.1 KiB
YAML
title: Clipboard Collection with Xclip Tool
|
|
id: ec127035-a636-4b9a-8555-0efd4e59f316
|
|
status: experimental
|
|
description: Detects attempts to collect data stored in the clipboard from users with the usage of xclip tool. Xclip has to be installed. Highly recommended using rule on servers, due to high usage of clipboard utilities on user workstations.
|
|
date: 2021/10/15
|
|
author: Pawel Mazur, Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
|
|
tags:
|
|
- attack.impact
|
|
- attack.t1485
|
|
references:
|
|
- https://github.com/SigmaHQ/sigma/blob/master/rules/linux/auditd/lnx_auditd_clipboard_collection.yml
|
|
logsource:
|
|
product: linux
|
|
category: process_creation
|
|
detection:
|
|
selection1:
|
|
Image|contains: 'xclip'
|
|
selection2:
|
|
CommandLine|contains:
|
|
- '-selection'
|
|
- '-sel'
|
|
selection3:
|
|
CommandLine|contains:
|
|
- 'clipboard'
|
|
- 'clip'
|
|
selection4:
|
|
CommandLine|contains: '-o'
|
|
condition: selection1 and selection2 and selection3 and selection4
|
|
falsepositives:
|
|
- Legitimate usage of xclip tools.
|
|
level: low |