← Library
sigmaDRL-1.1from SigmaHQ/sigma

PowerShell Get Clipboard

A General detection for the Get-Clipboard commands in PowerShell logs. This could be an adversary capturing clipboard contents.

Quality
100
FP risk
Forks
0
Views
0
ATT&CK techniques
T1115
Rule sourcerules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml
title: PowerShell Get Clipboard
id: 4cbd4f12-2e22-43e3-882f-bff3247ffb78
status: test
description: A General detection for the Get-Clipboard commands in PowerShell logs. This could be an adversary capturing clipboard contents.
references:
    - https://github.com/OTRF/detection-hackathon-apt29/issues/16
    - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/7.A.2_F4609F7E-C4DB-4327-91D4-59A58C962A02.md
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-05-02
modified: 2023-01-04
tags:
    - attack.collection
    - attack.t1115
logsource:
    product: windows
    category: ps_module
    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
    selection:
        Payload|contains: 'Get-Clipboard'
    condition: selection
falsepositives:
    - Unknown
level: medium