Detect Clipboard Data in CrowdStrike LogScale
Adversaries may collect data stored in the clipboard from users copying information within or between applications. On Windows, adversaries can read clipboard contents using PowerShell's Get-Clipboard cmdlet, the Win32 API functions OpenClipboard() and GetClipboardData(), or by invoking clip.exe in combination with scripting. macOS and Linux provide pbpaste and xclip/xsel utilities respectively. Clipboard content frequently contains high-value data including passwords copied from password managers, authentication tokens, cryptocurrency wallet addresses, PII, and internal URLs. Advanced malware such as Agent Tesla, RTM, Astaroth, CHIMNEYSWEEP, and DarkComet implement persistent clipboard monitoring loops that exfiltrate captured content, while crypto-clippers (a subclass) additionally replace clipboard content with attacker-controlled values to hijack cryptocurrency transactions.
MITRE ATT&CK
- Tactic
- Collection
- Technique
- T1115 Clipboard Data
- Canonical reference
- https://attack.mitre.org/techniques/T1115/
LogScale Detection Query
// T1115 - Clipboard Data Collection Detection
// Branch 1: Script engines invoking clipboard APIs
#event_simpleName=ProcessRollup2
| ImageFileName = /(?i)(powershell\.exe|pwsh\.exe|python[0-9]*\.exe|wscript\.exe|cscript\.exe|mshta\.exe|perl\.exe|ruby\.exe|node\.exe)$/
| CommandLine = /(?i)(get-clipboard|getclipboard|openclipboard|getclipboarddata|win32clipboard|pyperclip|clipboard\.paste|system\.windows\.forms\.clipboard|clipboard::gettext|clipboard\.gettext|getopencl ipboardwindow)/
| eval DetectionBranch="ScriptClipboardAccess"
| eval SuspicionScore=2
| union [
// Branch 2: Native clipboard utilities from suspicious parents
#event_simpleName=ProcessRollup2
| ImageFileName = /(?i)(clip\.exe|xclip|xsel|xdotool|pbpaste)$/
| ParentBaseFileName = /(?i)(winword\.exe|excel\.exe|powerpnt\.exe|outlook\.exe|mshta\.exe|wscript\.exe|cscript\.exe|regsvr32\.exe|rundll32\.exe|msiexec\.exe|python[0-9]*\.exe|perl\.exe|ruby\.exe|node\.exe)$/
| eval DetectionBranch="ClipboardUtilitySuspiciousParent"
| eval SuspicionScore=2
]
| union [
// Branch 3: Persistent clipboard monitoring loop
#event_simpleName=ProcessRollup2
| ImageFileName = /(?i)(powershell\.exe|pwsh\.exe)$/
| CommandLine = /(?i)get-clipboard/
| CommandLine = /(?i)(while|start-sleep|foreach|-loop)/
| eval DetectionBranch="ClipboardMonitoringLoop"
| eval SuspicionScore=4
]
| table([@timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, ParentCommandLine, DetectionBranch, SuspicionScore, TargetProcessId, ContextProcessId])
| sort(SuspicionScore, order=desc)
| sort(@timestamp, order=desc)CrowdStrike LogScale (Falcon) CQL query using ProcessRollup2 events to detect clipboard data collection via three behavioral branches: script engines calling clipboard APIs, native clipboard utilities spawned by suspicious parent processes, and persistent PowerShell clipboard monitoring loops. Uses union operator to combine branches with assigned suspicion scores for analyst prioritization.
Data Sources
Required Tables
False Positives & Tuning
- Falcon sensor false positives from legitimate PowerShell administration scripts that check clipboard state as part of session cleanup or remote desktop session management
- Software deployment tools (SCCM, PDQ Deploy) that run Python or PowerShell scripts leveraging clipboard APIs during automated software installation workflows
- Penetration testing toolkits run by authorized red team members during scheduled assessments — coordinate with red team calendar before escalating alerts
Other platforms for T1115
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1PowerShell Clipboard Harvest via Get-Clipboard
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-Clipboard'. Sysmon Event ID 11: File Create for %TEMP%\df00tech-clip-test.txt. PowerShell ScriptBlock Log Event ID 4104 showing the full Get-Clipboard invocation. Security Event ID 4688 if command line auditing is enabled.
- Test 2PowerShell Persistent Clipboard Monitoring Loop
Expected signal: Sysmon Event ID 1: Process Create with CommandLine containing 'Get-Clipboard', 'while', 'Start-Sleep', and '-WindowStyle Hidden'. PowerShell ScriptBlock Log Event ID 4104 showing the full loop. Sysmon Event ID 11: File Create and multiple File Modify events for the staging file. Multiple writes to the staging file visible in DeviceFileEvents.
- Test 3Python Clipboard Theft via win32clipboard
Expected signal: Sysmon Event ID 1: Process Create with Image=python.exe, CommandLine containing 'win32clipboard', 'OpenClipboard', and 'GetClipboardData'. Security Event ID 4688 if command line auditing is enabled. Note: requires pywin32 package installed (pip install pywin32).
- Test 4Linux Clipboard Exfiltration via xclip
Expected signal: Auditd syscall log with EXECVE for xclip with arguments '-selection clipboard -o'. Syslog process creation event for xclip. File creation event for /tmp/df00tech-clipboard-capture.txt. If Sysmon for Linux is deployed: EventCode=1 with Image=/usr/bin/xclip.
- Test 5macOS Clipboard Collection via pbpaste
Expected signal: macOS Unified Log (ULS): process creation for pbpaste with arguments. File creation for /tmp/df00tech-clipboard-macos.txt. If Jamf or similar MDM telemetry is deployed, process execution event with parent shell context. ESF (Endpoint Security Framework) events if EDR is deployed.
References (10)
- https://attack.mitre.org/techniques/T1115/
- https://msdn.microsoft.com/en-us/library/ms649012
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/clip
- https://www.cisa.gov/uscert/ncas/alerts/aa21-200b
- https://blog.reversinglabs.com/blog/mining-for-malicious-ruby-gems
- https://medium.com/rvrsh3ll/operating-with-empyre-ea764eda3363
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1115/T1115.md
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows
- https://www.fortinet.com/blog/threat-research/analysis-of-new-agent-tesla-spyware-variant
Unlock Pro Content
Get the full detection package for T1115 including response playbook, investigation guide, and atomic red team tests.