← Library
sigmaDRL-1.1from SigmaHQ/sigma

Data Copied To Clipboard Via Clip.EXE

Detects the execution of clip.exe in order to copy data to the clipboard. Adversaries may collect data stored in the clipboard from users copying information within or between applications.

Quality
98
FP risk
Forks
0
Views
0
ATT&CK techniques
T1115
Rule sourcerules/windows/process_creation/proc_creation_win_clip_execution.yml
title: Data Copied To Clipboard Via Clip.EXE
id: ddeff553-5233-4ae9-bbab-d64d2bd634be
status: test
description: Detects the execution of clip.exe in order to copy data to the clipboard. Adversaries may collect data stored in the clipboard from users copying information within or between applications.
references:
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/clip
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1115/T1115.md
author: frack113
date: 2021-07-27
modified: 2023-02-21
tags:
    - attack.collection
    - attack.t1115
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\clip.exe'
        - OriginalFileName: clip.exe
    condition: selection
falsepositives:
    - Unknown
level: low
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_clip_execution/info.yml
simulation:
    - type: atomic-red-team
      name: Utilize Clipboard to store or execute commands from
      technique: T1115
      atomic_guid: 0cd14633-58d4-4422-9ede-daa2c9474ae7