zakibro
33 lines
912 B
YAML
33 lines
912 B
YAML
title: Clipboard Collection of Image Data with Xclip Tool
|
|
id: f200dc3f-b219-425d-a17e-c38467364816
|
|
description: Detects attempts to collect image data stored in the clipboard from users with the usage of xclip tool. Xclip has to be installed. Highly recommended using rule on servers, due to high usage of clipboard utilities on user workstations.
|
|
author: 'Pawel Mazur'
|
|
status: experimental
|
|
date: 2021/10/01
|
|
references:
|
|
- https://attack.mitre.org/techniques/T1115/
|
|
- https://linux.die.net/man/1/xclip
|
|
logsource:
|
|
product: linux
|
|
service: auditd
|
|
detection:
|
|
xclip:
|
|
type: EXECVE
|
|
a0: xclip
|
|
a1:
|
|
- '-selection'
|
|
- '-sel'
|
|
a2:
|
|
- clipboard
|
|
- clip
|
|
a3: '-t'
|
|
a4|startswith: 'image/'
|
|
a5: '-o'
|
|
condition: xclip
|
|
tags:
|
|
- attack.collection
|
|
- attack.t1115
|
|
falsepositives:
|
|
- Legitimate usage of xclip tools
|
|
level: low
|