Threat Hunt | medium | test

Clipboard Data Collection Via Pbpaste

Detects execution of the "pbpaste" utility, which retrieves the contents of the clipboard (a.k.a. pasteboard) and writes them to standard output (stdout). The utility is often used to create new files from the clipboard content or to pipe clipboard contents to other commands. It can also be used in shell scripts that require clipboard content as input. Attackers can abuse this utility to collect data from the user's clipboard, which may contain passwords or other sensitive information. Use this rule to hunt for potential abuse of the utility by looking at the parent process and any potentially suspicious command line content.

Author: Daniel Cortez | Created: Tue Jul 30 | Rule ID: d8af0da1-2959-40f9-a3e4-37a6aa1228b7 | Product: macos
Log Source
Product: macOS (raw: macos)
Category: Process Creation (raw: process_creation)

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic (1 selector)
detection:
    selection:
        Image|endswith: '/pbpaste'
    condition: selection
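The selector above matches any process whose image path ends in "/pbpaste"; the rule text then leaves it to the hunter to review the parent process and command line. The following Python is an added example, not part of this rule or the Sigma project: it evaluates the selection against process-creation events and attaches the parent/command-line context for triage. The event field names (Image, CommandLine, ParentImage, ParentCommandLine), the sample events and the allowlist of interactive parent shells are all constructed assumptions for illustration.

```python
"""Evaluate the Sigma selection `Image|endswith: '/pbpaste'` over
process-creation events and add the parent/command-line context the rule
tells the hunter to review (added example; event shape is an assumption)."""

# The rule's single selector, as written in the Sigma YAML above.
SELECTION = {"Image|endswith": "/pbpaste"}

# Parent images treated as interactive, user-driven shell usage.
# Assumption: tune this to the environment's own baseline.
INTERACTIVE_PARENTS = {"/bin/zsh", "/bin/bash", "/bin/sh", "/usr/bin/login"}


def matches_selection(event: dict, selection: dict = SELECTION) -> bool:
    """Minimal Sigma selector evaluator: supports the endswith, startswith,
    contains and exact-match modifiers, case-insensitively as Sigma string
    matching is by default. Every entry of the selection must match (AND)."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        value = str(event.get(field, "")).lower()
        exp = str(expected).lower()
        if modifier == "endswith":
            ok = value.endswith(exp)
        elif modifier == "startswith":
            ok = value.startswith(exp)
        elif modifier == "contains":
            ok = exp in value
        elif modifier == "":
            ok = value == exp
        else:
            raise ValueError(f"unsupported Sigma modifier: {modifier}")
        if not ok:
            return False
    return True


def triage(event: dict) -> dict:
    """Return the hunting context for one matched event. An event is marked
    for review when its parent is not an interactive shell, or when the
    parent's command line shows pbpaste output being redirected or piped
    (the shell, not pbpaste itself, carries the redirection)."""
    parent = event.get("ParentImage", "")
    parent_cmd = event.get("ParentCommandLine", "")
    reasons = []
    if parent not in INTERACTIVE_PARENTS:
        reasons.append(f"non-interactive parent: {parent or '<unknown>'}")
    if "pbpaste" in parent_cmd and any(tok in parent_cmd for tok in (">", "|")):
        reasons.append("clipboard output redirected or piped by parent")
    return {
        "Image": event.get("Image", ""),
        "CommandLine": event.get("CommandLine", ""),
        "ParentImage": parent,
        "ParentCommandLine": parent_cmd,
        "review": bool(reasons),
        "reasons": reasons,
    }


def hunt(events: list) -> list:
    """Apply the rule to a batch of events and triage every hit."""
    return [triage(e) for e in events if matches_selection(e)]


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    {"Image": "/usr/bin/pbpaste", "CommandLine": "pbpaste",
     "ParentImage": "/bin/zsh", "ParentCommandLine": "-zsh"},
    {"Image": "/usr/bin/pbpaste", "CommandLine": "pbpaste",
     "ParentImage": "/bin/sh",
     "ParentCommandLine": "sh -c 'pbpaste > /tmp/clip.txt'"},
    {"Image": "/usr/bin/pbcopy", "CommandLine": "pbcopy",
     "ParentImage": "/bin/zsh", "ParentCommandLine": "-zsh"},
    {"Image": "/usr/bin/pbpaste", "CommandLine": "pbpaste",
     "ParentImage": "/usr/bin/osascript",
     "ParentCommandLine": "osascript /Users/example/run.scpt"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        flag = "REVIEW" if hit["review"] else "baseline"
        print(f"[{flag}] {hit['Image']} <- {hit['ParentImage']}: {hit['reasons']}")
```

Interactive use from a shell with no redirection stays in the baseline bucket, which is where the rule's stated false positive (legitimate administration) will land; the remaining hits carry the specific reason a hunter should look at first.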
False Positives

Legitimate administration activities

MITRE ATT&CK
T1115 Clipboard Data (tactics: Collection, Credential Access)
Rule Metadata
Rule ID
d8af0da1-2959-40f9-a3e4-37a6aa1228b7
Status
test
Level
medium
Type
Threat Hunt
Created
Tue Jul 30
Path
rules-threat-hunting/macos/process_creation/proc_creation_macos_pbpaste_execution.yml
Raw Tags
attack.collection, attack.credential-access, attack.t1115, detection.threat-hunting