Windows ClipBoard Data via Get-ClipBoard

Try in Splunk Security Cloud

Description

The following analytic identifies a powershell script command to retrieve clipboard data. This technique was seen in several post exploitation tools like WINPEAS to steal sensitive information that was saved in clipboard. Using the Get-Clipboard powershell commandlet, adversaries can be able collect data stored in clipboard that might be a copied user name, password or other sensitive information.

• Type: Anomaly

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud

• Last Updated: 2022-11-30
• Author: Teoderick Contreras, Splunk
• ID: ab73289e-2246-4de0-a14b-67006c72a893

Annotations

ATT&CK

ATT&CK

ID	Technique	Tactic
T1115	Clipboard Data	Collection

Kill Chain Phase

• Exploitation

NIST

• DE.AE

CIS20

• CIS 10

CVE

Search

`powershell` EventCode=4104 ScriptBlockText = "*Get-Clipboard*" 
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_clipboard_data_via_get_clipboard_filter`

Macros

The SPL above uses the following Macros:

• security_content_ctime
• powershell

windows_clipboard_data_via_get-clipboard_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Required fields

List of fields required to use this analytic.

• _time
• ScriptBlockText
• Opcode
• Computer
• UserID
• EventCode

How To Implement

To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.

Known False Positives

It is possible there will be false positives, filter as needed.

Associated Analytic Story

• Windows Post-Exploitation
• Prestige Ransomware

RBA

Risk Score	Impact	Confidence	Message
25.0	50	50	powershell script $ScriptBlockText$ execute Get-Clipboard commandlet in $dest$

The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.

Reference

• https://attack.mitre.org/techniques/T1115/
• https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS
• https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

source | version: 1