Windows ClipBoard Data via Get-ClipBoard
Description
The following analytic identifies a powershell script command to retrieve clipboard data. This technique was seen in several post exploitation tools like WINPEAS to steal sensitive information that was saved in clipboard. Using the Get-Clipboard powershell commandlet, adversaries can be able collect data stored in clipboard that might be a copied user name, password or other sensitive information.
- Type: Anomaly
-
Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Last Updated: 2022-11-30
- Author: Teoderick Contreras, Splunk
- ID: ab73289e-2246-4de0-a14b-67006c72a893
Annotations
Kill Chain Phase
- Exploitation
NIST
- DE.AE
CIS20
- CIS 10
CVE
Search
1
2
3
4
5
`powershell` EventCode=4104 ScriptBlockText = "*Get-Clipboard*"
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_clipboard_data_via_get_clipboard_filter`
Macros
The SPL above uses the following Macros:
windows_clipboard_data_via_get-clipboard_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Required fields
List of fields required to use this analytic.
- _time
- ScriptBlockText
- Opcode
- Computer
- UserID
- EventCode
How To Implement
To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
Known False Positives
It is possible there will be false positives, filter as needed.
Associated Analytic Story
RBA
Risk Score | Impact | Confidence | Message |
---|---|---|---|
25.0 | 50 | 50 | powershell script $ScriptBlockText$ execute Get-Clipboard commandlet in $dest$ |
The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.
Reference
- https://attack.mitre.org/techniques/T1115/
- https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS
- https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/
Test Dataset
Replay any dataset to Splunk Enterprise by using our replay.py
tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
source | version: 1