Detectionmediumtest

PowerShell Get Clipboard

A General detection for the Get-Clipboard commands in PowerShell logs. This could be an adversary capturing clipboard contents.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)Created Sat May 02Updated Wed Jan 044cbd4f12-2e22-43e3-882f-bff3247ffb78windows

Log Source

WindowsPowerShell Module

ProductWindows← raw: windows

CategoryPowerShell Module← raw: ps_module

Definition

0ad03ef1-f21b-4a79-8ce8-e6900c54b65b

Detection Logic

detection:
    selection:
        Payload|contains: 'Get-Clipboard'
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

MITRE ATT&CK

Tactics

Techniques

Rule Metadata

Rule ID

4cbd4f12-2e22-43e3-882f-bff3247ffb78

Status

test

Level

medium

Type

Detection

Created

Sat May 02

Modified

Wed Jan 04

Author

Path

rules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml

Raw Tags

attack.collectionattack.t1115