security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1c0c29f45f554d65d30a1dfbf8fd9cb77c192546
blue-team-tools/rules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml
T
Nasreddine Bencherchali 711ba956e3 feat: updates and enhancements
2023-01-04 17:49:32 +01:00

25 lines
845 B
YAML
Raw Blame History

title: PowerShell Get Clipboard
id: 4cbd4f12-2e22-43e3-882f-bff3247ffb78
status: experimental
description: A General detection for the Get-Clipboard commands in PowerShell logs. This could be an adversary capturing clipboard contents.
references:
- https://github.com/OTRF/detection-hackathon-apt29/issues/16
- https://threathunterplaybook.com/evals/apt29/detections/7.A.2_F4609F7E-C4DB-4327-91D4-59A58C962A02.html
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020/05/02
modified: 2023/01/04
tags:
- attack.collection
- attack.t1115
logsource:
product: windows
category: ps_module
definition: 'Requirements: PowerShell Module Logging must be enabled'
detection:
selection:
Payload|contains: 'Get-Clipboard'
condition: selection
falsepositives:
- Unknown
level: medium
Reference in New Issue View Git Blame Copy Permalink