Language: SPL · License: Apache-2.0 · Source: splunk/security_content

Windows ClipBoard Data via Get-ClipBoard

The following analytic detects the execution of the PowerShell command 'Get-Clipboard' to retrieve clipboard data. It leverages PowerShell Script Block Logging (EventCode 4104) to identify instances where this command is used. This activity is significant because it can indicate an attempt to steal sensitive information such as usernames, passwords, or other confidential data copied to the clipboard. If confirmed malicious, this behavior could lead to unauthorized access to sensitive information, potentially compromising user accounts and other critical assets.

Quality: 59
FP risk: (no value given)
Forks: 0
Views: 0
Rule source: detections/endpoint/windows_clipboard_data_via_get_clipboard.yml
`powershell` EventCode=4104 ScriptBlockText = "*Get-Clipboard*"
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY dest signature signature_id
       user_id vendor_product EventID
       Guid Opcode Name
       Path ProcessID ScriptBlockId
       ScriptBlockText
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `windows_clipboard_data_via_get_clipboard_filter`
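To make the search's behaviour concrete, the following is an added Python re-implementation of its pipeline (the case-insensitive wildcard match on ScriptBlockText, `fillnull`, the `stats` grouping, and the ctime conversion) run over a handful of constructed EventCode 4104 records. It is illustration code written for this page, not part of splunk/security_content; the sample events, hostnames and user names are invented, and the `windows_clipboard_data_via_get_clipboard_filter` macro is modelled as a pass-through hook, which is how the project's filter macros behave until an analyst tunes them.

```python
"""Plain-Python model of the Splunk search above (added example, not project code).

Runs the same logic the SPL expresses:
  EventCode=4104 ScriptBlockText="*Get-Clipboard*"
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime BY <fields>
  | `security_content_ctime(...)`
  | `windows_clipboard_data_via_get_clipboard_filter`
"""
from collections import defaultdict
from datetime import datetime, timezone
from fnmatch import fnmatchcase

# Field names taken from the search's BY clause.
GROUP_BY = ("dest", "signature", "signature_id", "user_id", "vendor_product",
            "EventID", "Guid", "Opcode", "Name", "Path", "ProcessID",
            "ScriptBlockId", "ScriptBlockText")

# Constructed sample events (not real telemetry). _time is epoch seconds, as in Splunk.
SAMPLE_EVENTS = [
    {"_time": 1700000000, "EventCode": 4104, "dest": "WS01", "user_id": "CORP\\alice",
     "ProcessID": 4120, "ScriptBlockId": "sb-1",
     "ScriptBlockText": "Get-Clipboard | Out-File C:\\Temp\\c.txt"},
    {"_time": 1700000060, "EventCode": 4104, "dest": "WS01", "user_id": "CORP\\alice",
     "ProcessID": 4120, "ScriptBlockId": "sb-1",
     "ScriptBlockText": "Get-Clipboard | Out-File C:\\Temp\\c.txt"},
    {"_time": 1700000120, "EventCode": 4104, "dest": "WS02", "user_id": "CORP\\bob",
     "ProcessID": 880, "ScriptBlockId": "sb-2", "ScriptBlockText": "get-clipboard -Raw"},
    {"_time": 1700000180, "EventCode": 4104, "dest": "WS02", "user_id": "CORP\\bob",
     "ProcessID": 900, "ScriptBlockId": "sb-3", "ScriptBlockText": "Get-Process | Sort-Object CPU"},
    {"_time": 1700000240, "EventCode": 4103, "dest": "WS03", "user_id": "CORP\\carol",
     "ProcessID": 77, "ScriptBlockId": "sb-4", "ScriptBlockText": "Get-Clipboard"},
]


def matches(event, pattern="*Get-Clipboard*"):
    """Splunk's `field = "*Get-Clipboard*"` is a case-insensitive wildcard match,
    so the lower-case `get-clipboard -Raw` block matches as well."""
    text = str(event.get("ScriptBlockText", ""))
    return event.get("EventCode") == 4104 and fnmatchcase(text.lower(), pattern.lower())


def fillnull(event, fields, value="0"):
    """`| fillnull` with no arguments replaces every missing field with "0"."""
    return {f: event.get(f, value) for f in fields}


def security_content_ctime(epoch):
    """Stand-in for the `security_content_ctime` macro: epoch seconds to a readable UTC stamp."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")


def windows_clipboard_data_via_get_clipboard_filter(rows):
    """Filter macro modelled as a pass-through (the project's filter macros start out as
    `search *`); an analyst would narrow it to exclude known-good automation."""
    return rows


def run_search(events):
    """Apply the filter, group by the BY fields, and compute count/firstTime/lastTime."""
    groups = defaultdict(list)
    for ev in events:
        if not matches(ev):
            continue
        filled = fillnull(ev, GROUP_BY)
        key = tuple(str(filled[f]) for f in GROUP_BY)
        groups[key].append(ev["_time"])

    rows = []
    for key, times in groups.items():
        row = dict(zip(GROUP_BY, key))
        row["count"] = len(times)
        row["firstTime"] = security_content_ctime(min(times))
        row["lastTime"] = security_content_ctime(max(times))
        rows.append(row)
    rows.sort(key=lambda r: (r["dest"], r["firstTime"]))
    return windows_clipboard_data_via_get_clipboard_filter(rows)


if __name__ == "__main__":
    for r in run_search(SAMPLE_EVENTS):
        print(r["dest"], r["user_id"], r["count"], r["firstTime"], r["lastTime"],
              repr(r["ScriptBlockText"]))
```

Two things the model makes visible that the SPL only implies: because ScriptBlockText is part of the BY clause, identical script blocks on one host collapse into a single row with a count, while each distinct command line is its own row; and because `fillnull` runs before `stats`, fields that Windows does not populate (signature, vendor_product, and so on) group as "0" rather than being dropped from the result.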