5656c48a97
chore: rename auditd folders and others
update: Audio Capture - Updated syscall field to SYSCALL in order to make use of enriched logs
update: ASLR Disabled Via Sysctl or Direct Syscall - Linux - Updated syscall field to SYSCALL in order to make use of enriched logs
update: Clear or Disable Kernel Ring Buffer Logs via Syslog Syscall - Updated syscall field to SYSCALL in order to make use of enriched logs
update: System Info Discovery via Sysinfo Syscall - Updated syscall field to SYSCALL in order to make use of enriched logs
update: Special File Creation via Mknod Syscall - Updated syscall field to SYSCALL in order to make use of enriched logs
update: Webshell Remote Command Execution - Updated syscall field to SYSCALL in order to make use of enriched logs
35 lines
947 B
YAML
title: Clipboard Collection with Xclip Tool - Auditd
id: 214e7e6c-f21b-47ff-bb6f-551b2d143fcf
status: test
description: |
    Detects attempts to read the contents of a user's clipboard with the xclip tool.
    xclip must be installed on the monitored host for this activity to be possible.
    Recommended primarily for servers: on user workstations clipboard utilities are used routinely and the rule will be noisy.
references:
    - https://linux.die.net/man/1/xclip
    - https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/
author: 'Pawel Mazur'
date: 2021-09-24
modified: 2022-11-26
tags:
    - attack.collection
    - attack.t1115
logsource:
    product: linux
    service: auditd
detection:
    selection:
        type: EXECVE
        a0: xclip
        a1:
            - '-selection'
            - '-sel'
        a2:
            - clipboard
            - clip
        a3: '-o'
    condition: selection
falsepositives:
    - Legitimate usage of xclip
level: low
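The selection above is positional: it only fires when xclip is invoked with the selection flag as the first argument, the selection name as the second and `-o` as the third. The following Python script, an added example that is not part of the Sigma rule or the Sigma project, transcribes that selection and runs it over a handful of constructed auditd EXECVE records (these are not real captures) so the order dependency is visible: `xclip -selection clipboard -o` and `xclip -sel clip -o` match, while `xclip -o -selection clipboard` and a bare `xclip -selection clipboard` do not. The record serials, the SYSCALL line and the field parser are the example's own assumptions about auditd's `key=value` format; Sigma's default string comparison is case-insensitive, which the matcher reproduces.

```python
import re
from typing import Dict, List

# Constructed sample auditd records for this example (not real captures).
# Records 501 and 502 are invoked exactly as the rule expects; 503 swaps the
# argument order, 504 omits '-o', 505 is unrelated, and the final SYSCALL line
# shares serial 501 with the first EXECVE record, as auditd does for one execve().
SAMPLE_LOG = """\
type=EXECVE msg=audit(1695542400.123:501): argc=4 a0="xclip" a1="-selection" a2="clipboard" a3="-o"
type=EXECVE msg=audit(1695542401.456:502): argc=4 a0="xclip" a1="-sel" a2="clip" a3="-o"
type=EXECVE msg=audit(1695542402.789:503): argc=4 a0="xclip" a1="-o" a2="-selection" a3="clipboard"
type=EXECVE msg=audit(1695542403.012:504): argc=3 a0="xclip" a1="-selection" a2="clipboard"
type=EXECVE msg=audit(1695542404.345:505): argc=2 a0="cat" a1="/etc/hostname"
type=SYSCALL msg=audit(1695542400.123:501): arch=c000003e syscall=59 success=yes exit=0 comm="xclip" exe="/usr/bin/xclip"
"""

# The rule's 'selection' block, transcribed from the YAML above.
# A list of values is an OR; the fields themselves are ANDed together.
SELECTION: Dict[str, List[str]] = {
    "type": ["EXECVE"],
    "a0": ["xclip"],
    "a1": ["-selection", "-sel"],
    "a2": ["clipboard", "clip"],
    "a3": ["-o"],
}

# key=value or key="quoted value" pairs as auditd writes them (assumed format).
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
SERIAL_RE = re.compile(r"msg=audit\(\d+\.\d+:(\d+)\)")


def parse_record(line: str) -> Dict[str, str]:
    """Split one auditd line into a field dict, stripping surrounding quotes."""
    fields: Dict[str, str] = {}
    for m in FIELD_RE.finditer(line):
        key, quoted = m.group(1), m.group(3)
        fields[key] = quoted if quoted is not None else m.group(2)
    return fields


def matches_selection(fields: Dict[str, str], selection: Dict[str, List[str]]) -> bool:
    """Sigma selection semantics: every listed field must be present and equal
    (case-insensitively) one of its allowed values."""
    for key, allowed in selection.items():
        value = fields.get(key)
        if value is None:
            return False
        if value.lower() not in [v.lower() for v in allowed]:
            return False
    return True


def run_rule(log_text: str) -> List[str]:
    """Return the audit serials of records that satisfy the rule's selection."""
    hits: List[str] = []
    for line in log_text.splitlines():
        fields = parse_record(line)
        if matches_selection(fields, SELECTION):
            serial = SERIAL_RE.search(line)
            hits.append(serial.group(1) if serial else "?")
    return hits


if __name__ == "__main__":
    for serial in run_rule(SAMPLE_LOG):
        print(f"xclip clipboard read detected: audit serial {serial}")
```

Because the commit message above only changes `syscall` to `SYSCALL` in rules that match on the SYSCALL record type, this rule, which keys on `type: EXECVE` argument fields, is unaffected by that enrichment change; the example reads the `type` field exactly as the rule does.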