T1115 IBM QRadar · QRadar

Detect Clipboard Data in IBM QRadar

Adversaries may collect data stored in the clipboard from users copying information within or between applications. On Windows, adversaries can read clipboard contents using PowerShell's Get-Clipboard cmdlet, the Win32 API functions OpenClipboard() and GetClipboardData(), or by invoking clip.exe in combination with scripting. macOS and Linux provide pbpaste and xclip/xsel utilities respectively. Clipboard content frequently contains high-value data including passwords copied from password managers, authentication tokens, cryptocurrency wallet addresses, PII, and internal URLs. Advanced malware such as Agent Tesla, RTM, Astaroth, CHIMNEYSWEEP, and DarkComet implement persistent clipboard monitoring loops that exfiltrate captured content, while crypto-clippers (a subclass) additionally replace clipboard content with attacker-controlled values to hijack cryptocurrency transactions.

MITRE ATT&CK

Tactic
Collection
Technique
T1115 Clipboard Data
Canonical reference
https://attack.mitre.org/techniques/T1115/

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  sourceip,
  username,
  "Process Name",
  "Command" AS command_line,
  "Parent Process Name",
  CASE
    WHEN LOWER("Command") MATCHES '.*get-clipboard.*' AND (LOWER("Command") MATCHES '.*(while|start-sleep|loop).*') THEN 'ClipboardMonitoringLoop'
    WHEN LOWER("Process Name") MATCHES '.*(powershell\.exe|pwsh\.exe|python[0-9]*\.exe|wscript\.exe|cscript\.exe|mshta\.exe)' AND LOWER("Command") MATCHES '.*(get-clipboard|getclipboard|openclipboard|getclipboarddata|win32clipboard|pyperclip|clipboard\.paste|system\.windows\.forms\.clipboard|clipboard::gettext|clipboard\.gettext).*' THEN 'ScriptClipboardAccess'
    WHEN LOWER("Process Name") MATCHES '.*(clip\.exe|xclip|xsel|xdotool|pbpaste)' AND LOWER("Parent Process Name") MATCHES '.*(winword\.exe|excel\.exe|powerpnt\.exe|outlook\.exe|mshta\.exe|wscript\.exe|cscript\.exe|regsvr32\.exe|rundll32\.exe|msiexec\.exe|python[0-9]*\.exe|perl\.exe|ruby\.exe|node\.exe)' THEN 'ClipboardUtilitySuspiciousParent'
    ELSE 'Informational'
  END AS detection_branch,
  CASE
    WHEN LOWER("Command") MATCHES '.*get-clipboard.*' AND (LOWER("Command") MATCHES '.*(while|start-sleep|loop).*') THEN 3
    WHEN LOWER("Process Name") MATCHES '.*(powershell\.exe|pwsh\.exe|python[0-9]*\.exe|wscript\.exe|cscript\.exe|mshta\.exe)' AND LOWER("Command") MATCHES '.*(get-clipboard|openclipboard|win32clipboard|pyperclip).*' THEN 2
    WHEN LOWER("Process Name") MATCHES '.*(clip\.exe|xclip|xsel|pbpaste)' AND LOWER("Parent Process Name") MATCHES '.*(wscript|cscript|mshta|regsvr32|rundll32|python|perl|ruby|node).*' THEN 2
    ELSE 1
  END AS suspicion_score
FROM events
WHERE
  LOGSOURCETYPEID IN (12, 13, 352)
  AND QIDNAME(qid) IN ('Process Create', 'Windows Process Creation')
  AND (
    (
      LOWER("Process Name") MATCHES '.*(powershell\.exe|pwsh\.exe|python[0-9]*\.exe|wscript\.exe|cscript\.exe|mshta\.exe)'
      AND LOWER("Command") MATCHES '.*(get-clipboard|openclipboard|getclipboarddata|win32clipboard|pyperclip|clipboard\.paste|system\.windows\.forms\.clipboard|clipboard::gettext).*'
    ) OR (
      LOWER("Process Name") MATCHES '.*(\\\\clip\.exe|\\\\xclip|\\\\xsel|\\\\xdotool|\\\\pbpaste)'
      AND LOWER("Parent Process Name") MATCHES '.*(winword|excel|powerpnt|outlook|mshta|wscript|cscript|regsvr32|rundll32|msiexec|python|perl|ruby|node).*'
    ) OR (
      LOWER("Process Name") MATCHES '.*(powershell\.exe|pwsh\.exe)'
      AND LOWER("Command") MATCHES '.*get-clipboard.*'
      AND LOWER("Command") MATCHES '.*(while|start-sleep|loop).*'
    )
  )
  AND starttime > NOW() - 86400000
ORDER BY suspicion_score DESC, starttime DESC
LAST 24 HOURS
high severity medium confidence

AQL query targeting QRadar Windows Security and Sysmon log sources to detect clipboard data collection. Identifies script engine clipboard API abuse, native clipboard utilities launched from suspicious parent processes, and persistent clipboard monitoring loops. Scored by suspicion level with detection branch classification.

Data Sources

QRadar Windows Security Event Log DSMQRadar Sysmon DSMQRadar Microsoft Windows DSM

Required Tables

events

False Positives & Tuning

  • Enterprise RPA (Robotic Process Automation) platforms such as UiPath or Automation Anywhere that spawn script engines for clipboard-based automation workflows
  • Helpdesk and remote support tools (e.g., TeamViewer, AnyDesk scripts) that copy diagnostic data to clipboard via scripting
  • Developer build pipelines or CI agents that use Python clipboard modules during test harness execution on developer workstations
Download portable Sigma rule (.yml)

Other platforms for T1115

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1PowerShell Clipboard Harvest via Get-Clipboard

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-Clipboard'. Sysmon Event ID 11: File Create for %TEMP%\df00tech-clip-test.txt. PowerShell ScriptBlock Log Event ID 4104 showing the full Get-Clipboard invocation. Security Event ID 4688 if command line auditing is enabled.

  2. Test 2PowerShell Persistent Clipboard Monitoring Loop

    Expected signal: Sysmon Event ID 1: Process Create with CommandLine containing 'Get-Clipboard', 'while', 'Start-Sleep', and '-WindowStyle Hidden'. PowerShell ScriptBlock Log Event ID 4104 showing the full loop. Sysmon Event ID 11: File Create and multiple File Modify events for the staging file. Multiple writes to the staging file visible in DeviceFileEvents.

  3. Test 3Python Clipboard Theft via win32clipboard

    Expected signal: Sysmon Event ID 1: Process Create with Image=python.exe, CommandLine containing 'win32clipboard', 'OpenClipboard', and 'GetClipboardData'. Security Event ID 4688 if command line auditing is enabled. Note: requires pywin32 package installed (pip install pywin32).

  4. Test 4Linux Clipboard Exfiltration via xclip

    Expected signal: Auditd syscall log with EXECVE for xclip with arguments '-selection clipboard -o'. Syslog process creation event for xclip. File creation event for /tmp/df00tech-clipboard-capture.txt. If Sysmon for Linux is deployed: EventCode=1 with Image=/usr/bin/xclip.

  5. Test 5macOS Clipboard Collection via pbpaste

    Expected signal: macOS Unified Log (ULS): process creation for pbpaste with arguments. File creation for /tmp/df00tech-clipboard-macos.txt. If Jamf or similar MDM telemetry is deployed, process execution event with parent shell context. ESF (Endpoint Security Framework) events if EDR is deployed.

Last updated: 2026-04-18 Research depth: deep
References (10)

Unlock Pro Content

Get the full detection package for T1115 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Related Techniques

T1056.001KeyloggingT1113Screen CaptureT1565.002Transmitted Data ManipulationT1041Exfiltration Over C2 ChannelT1020Automated ExfiltrationT1555.003Credentials from Web BrowsersT1059.001PowerShellT1027Obfuscated Files or InformationT1566.001Spearphishing Attachment

Same Tactic: Collection

Popular Detections