Techniques
Sample rules
Linux Clipboard Data Copy
- source: splunk
- technicques:
- T1115
Description
The following analytic identifies the use of Linux Xclip copying data out of the clipboard. Adversaries have utilized this technique to capture passwords, IP addresses, or store payloads.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=xclip Processes.process IN ("*-o *", "*-sel *", "*-selection *", "*clip *","*clipboard*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `linux_clipboard_data_copy_filter`