security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e91fc4486e57fc40e30d12253694de4c80a9e4ea
blue-team-tools/rules/linux/auditd/lnx_auditd_clipboard_collection.yml
T
zakibro 6a2785492d Update lnx_auditd_clipboard_collection.yml 
Changes after suggestion.
2021-09-27 07:59:43 +02:00

32 lines
952 B
YAML
Raw Blame History

title: Clipboard Collection with Xclip Tool
id: 214e7e6c-f21b-47ff-bb6f-551b2d143fcf
description: Detects attempts to collect data stored in the clipboard from users with the usage of xclip tool. Xclip has to be installed. Highly recommended using rule on servers, due to high usage of clipboard utilities on user workstations.
author: 'Pawel Mazur'
status: experimental
date: 2021/09/24
references:
- https://attack.mitre.org/techniques/T1115/
- https://linux.die.net/man/1/xclip
- https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/
logsource:
product: linux
service: auditd
detection:
xclip:
type: EXECVE
a0: xclip
a1:
- '-selection'
- '-sel'
a2:
- clipboard
- clip
a3: '-o'
condition: xclip
tags:
- attack.collection
- attack.t1115
falsepositives:
- Legitimate usage of xclip tools
level: low
Reference in New Issue View Git Blame Copy Permalink