Sample rules
Clipboard Collection with Xclip Tool
- source: sigma
- techniques:
  - t1115
Description
Detects attempts to collect data stored in the clipboard from users by means of the xclip tool. Xclip has to be installed. Using this rule on servers is highly recommended, because clipboard utilities are used heavily on user workstations.
Detection logic
condition: selection
selection:
  CommandLine|contains|all:
    - -sel
    - clip
    - -o
  Image|contains: xclip
Clipboard Collection with Xclip Tool - Auditd
- source: sigma
- techniques:
  - t1115
Description
Detects attempts to collect data stored in the clipboard from users by means of the xclip tool. Xclip has to be installed. Using this rule on servers is highly recommended, because clipboard utilities are used heavily on user workstations.
Detection logic
condition: selection
selection:
  a0: xclip
  a1:
    - -selection
    - -sel
  a2:
    - clipboard
    - clip
  a3: -o
  type: EXECVE
Clipboard Collection of Image Data with Xclip Tool
- source: sigma
- techniques:
  - t1115
Description
Detects attempts to collect image data stored in the clipboard from users by means of the xclip tool. Xclip has to be installed. Using this rule on servers is highly recommended, because clipboard utilities are used heavily on user workstations.
Detection logic
condition: selection
selection:
  a0: xclip
  a1:
    - -selection
    - -sel
  a2:
    - clipboard
    - clip
  a3: -t
  a4|startswith: image/
  a5: -o
  type: EXECVE
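
The two auditd selections above, evaluated over sample EXECVE records, as an added example that is not part of the Sigma rules or of this page's source. The record lines are constructed, and the matcher is a simplified stand-in for a Sigma backend (fields ANDed, listed values ORed, case-insensitive strings); the names RULES, parse_record, matches and triggered are hypothetical.

```python
import re

# Selections of the two auditd rules above: field -> accepted values.
# a0..a5 are the positional argv slots of an auditd EXECVE record.
RULES = {
    "Clipboard Collection with Xclip Tool - Auditd": {
        "type": ["EXECVE"], "a0": ["xclip"], "a1": ["-selection", "-sel"],
        "a2": ["clipboard", "clip"], "a3": ["-o"]},
    "Clipboard Collection of Image Data with Xclip Tool": {
        "type": ["EXECVE"], "a0": ["xclip"], "a1": ["-selection", "-sel"],
        "a2": ["clipboard", "clip"], "a3": ["-t"],
        "a4|startswith": ["image/"], "a5": ["-o"]},
}

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_record(line):
    """Turn one auditd record into {field: value}, dropping the quotes."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}

def matches(selection, event):
    """Fields are ANDed, values in a list are ORed, comparison ignores case."""
    for key, accepted in selection.items():
        field, _, modifier = key.partition("|")
        value = event.get(field, "").lower()
        if modifier == "startswith":
            hit = any(value.startswith(a.lower()) for a in accepted)
        else:
            hit = value in [a.lower() for a in accepted]
        if not hit:
            return False
    return True

def triggered(line):
    """Titles of the rules whose selection matches this record."""
    event = parse_record(line)
    return [title for title, sel in RULES.items() if matches(sel, event)]

# Constructed sample records (not taken from a real host).
SAMPLES = [
    'type=EXECVE msg=audit(1700000000.101:501): argc=4 a0="xclip" a1="-sel" a2="clip" a3="-o"',
    'type=EXECVE msg=audit(1700000000.202:502): argc=6 a0="xclip" a1="-selection" a2="clipboard" a3="-t" a4="image/png" a5="-o"',
    'type=EXECVE msg=audit(1700000000.303:503): argc=4 a0="xclip" a1="-sel" a2="clip" a3="-i"',
    'type=SYSCALL msg=audit(1700000000.404:504): arch=c000003e syscall=59 comm="xclip"',
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(triggered(line) or "no match", "<-", line)
```

The third record writes to the clipboard (`-i`) and the fourth is not an EXECVE record, so neither rule fires on them.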