security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
b2acd800981e1c8d9f747173eb7803f0405cebd6
blue-team-tools/rules/linux/process_creation/proc_creation_lnx_clipboard_collection.yml
T
Nasreddine Bencherchali 598d29f811 Merge PR #4950 from @nasbench - Comply With v2 Spec Changes 
chore: change tags, date, modified fields to comply with v2 of the Sigma spec.
chore: update the related type from `obsoletes` to `obsolete`.
chore: update local json schema to the latest version.
2024-08-12 12:02:50 +02:00

29 lines
907 B
YAML
Raw Blame History

title: Clipboard Collection with Xclip Tool
id: ec127035-a636-4b9a-8555-0efd4e59f316
status: test
description: |
Detects attempts to collect data stored in the clipboard from users with the usage of xclip tool. Xclip has to be installed.
Highly recommended using rule on servers, due to high usage of clipboard utilities on user workstations.
references:
- https://www.packetlabs.net/posts/clipboard-data-security/
author: Pawel Mazur, Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
date: 2021-10-15
modified: 2022-09-15
tags:
- attack.collection
- attack.t1115
logsource:
product: linux
category: process_creation
detection:
selection:
Image|contains: 'xclip'
CommandLine|contains|all:
- '-sel'
- 'clip'
- '-o'
condition: selection
falsepositives:
- Legitimate usage of xclip tools.
level: low
Reference in New Issue View Git Blame Copy Permalink