Language: kql | License: Elastic-2.0 | From: elastic/detection-rules

PowerShell Suspicious Script with Clipboard Retrieval Capabilities

Quality: 92
Rule source: rules/windows/collection_posh_clipboard_capture.toml

event.category:process and host.os.type:windows and
  (
    (
      powershell.file.script_block_text : (
        "Windows.Clipboard" or
        "Windows.Forms.Clipboard" or
        "Windows.Forms.TextBox"
      ) and
      powershell.file.script_block_text : (
        "]::GetText" or
        ".Paste()"
      )
    ) or
    powershell.file.script_block_text : "Get-Clipboard"
  ) and
  not powershell.file.script_block_text : (
    "sentinelbreakpoints" and "Set-PSBreakpoint" and "PowerSploitIndicators"
  ) and
  not user.id : "S-1-5-18" and
  not (
    file.path : *WindowsPowerShell\\Modules\\*.ps1 and
    file.name : ("Convert-ExcelRangeToImage.ps1" or "Read-Clipboard.ps1")
  ) and
  not powershell.file.script_block_text : (
    "Set-Alias -Name \"gcb\" -Value \"Get-Clipboard\"" or
    "[Windows.Clipboard]::SetText($colorizedText" or
    "EEFCB906-B326-4E99-9F54-8B4BB6EF3C6D"
  )
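The following is an added example, not code from elastic/detection-rules, that re-implements the rule's logic in plain Python and runs it over constructed script-block events. The event dictionaries use the same ECS field names as the query; each `field : "value"` test is approximated as a case-insensitive substring match and the `file.path` wildcard as a glob. That approximation is an assumption: KQL against an analysed text field does token and phrase matching, so results can differ on edge cases, but the structure of the positive clause and the four exclusions is the same.

```python
# Added example re-implementing the KQL rule above over constructed events.
# Not part of elastic/detection-rules. String matching is approximated as
# case-insensitive substring search (an assumption; KQL tokenises text fields).
import fnmatch
from typing import Dict, List, Tuple

# Indicators copied from the rule, lower-cased for case-insensitive comparison.
CLIPBOARD_TYPES = ("windows.clipboard", "windows.forms.clipboard", "windows.forms.textbox")
CLIPBOARD_READ_CALLS = ("]::gettext", ".paste()")
DEBUGGER_MARKERS = ("sentinelbreakpoints", "set-psbreakpoint", "powersploitindicators")
MODULE_PATH_GLOB = "*windowspowershell\\modules\\*.ps1"
KNOWN_MODULE_FILES = ("convert-excelrangetoimage.ps1", "read-clipboard.ps1")
BENIGN_SNIPPETS = (
    'set-alias -name "gcb" -value "get-clipboard"',
    "[windows.clipboard]::settext($colorizedtext",
    "eefcb906-b326-4e99-9f54-8b4bb6ef3c6d",
)
LOCAL_SYSTEM_SID = "S-1-5-18"


def _contains_any(text: str, needles: Tuple[str, ...]) -> bool:
    return any(n in text for n in needles)


def matches_rule(event: Dict[str, str]) -> bool:
    """Return True when the event satisfies the rule's query, False otherwise."""
    if event.get("event.category") != "process" or event.get("host.os.type") != "windows":
        return False
    script = event.get("powershell.file.script_block_text", "").lower()

    # Positive clause: a .NET clipboard/TextBox type together with a read call,
    # or the Get-Clipboard cmdlet on its own.
    api_read = _contains_any(script, CLIPBOARD_TYPES) and _contains_any(script, CLIPBOARD_READ_CALLS)
    if not (api_read or "get-clipboard" in script):
        return False

    # Exclusion 1: all three debugger markers present in the same block.
    if all(m in script for m in DEBUGGER_MARKERS):
        return False
    # Exclusion 2: blocks logged under the LocalSystem account.
    if event.get("user.id") == LOCAL_SYSTEM_SID:
        return False
    # Exclusion 3: two known module scripts under WindowsPowerShell\Modules.
    path = event.get("file.path", "").lower()
    name = event.get("file.name", "").lower()
    if fnmatch.fnmatchcase(path, MODULE_PATH_GLOB) and name in KNOWN_MODULE_FILES:
        return False
    # Exclusion 4: the specific benign snippets named in the rule.
    if _contains_any(script, BENIGN_SNIPPETS):
        return False
    return True


def _event(script: str, **extra: str) -> Dict[str, str]:
    base = {"event.category": "process", "host.os.type": "windows",
            "user.id": "S-1-5-21-1111-2222-3333-1001",
            "powershell.file.script_block_text": script}
    base.update(extra)
    return base


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS: List[Tuple[str, Dict[str, str]]] = [
    ("forms_clipboard_gettext", _event(
        "Add-Type -AssemblyName System.Windows.Forms; "
        "$t = [System.Windows.Forms.Clipboard]::GetText()")),
    ("textbox_paste", _event("$tb = New-Object Windows.Forms.TextBox; $tb.Paste(); $tb.Text")),
    ("get_clipboard_as_system", _event("Get-Clipboard | Out-File C:\\temp\\c.txt",
                                       **{"user.id": LOCAL_SYSTEM_SID})),
    ("read_clipboard_module", _event(
        "Get-Clipboard -Raw",
        **{"file.path": r"C:\Program Files\WindowsPowerShell\Modules\ImportExcel\Read-Clipboard.ps1",
           "file.name": "Read-Clipboard.ps1"})),
    ("gcb_alias_profile", _event('Set-Alias -Name "gcb" -Value "Get-Clipboard"')),
    ("settext_only", _event("[Windows.Clipboard]::SetText('hello')")),
    ("linux_host", _event("Get-Clipboard", **{"host.os.type": "linux"})),
]


def evaluate(events: List[Tuple[str, Dict[str, str]]] = SAMPLE_EVENTS) -> Dict[str, bool]:
    """Map each sample label to whether the rule would fire on it."""
    return {label: matches_rule(ev) for label, ev in events}


if __name__ == "__main__":
    for label, hit in evaluate().items():
        print(f"{'ALERT ' if hit else 'ignore'}  {label}")
```

Only the two events that read the clipboard through the .NET API (`GetText`, `Paste()`) fire; the `Get-Clipboard` events are all suppressed by one of the rule's exclusions, and a `SetText` call alone never matches because the rule requires a read call alongside the clipboard type.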