Detectionlowtest

Data Copied To Clipboard Via Clip.EXE

Detects the execution of clip.exe in order to copy data to the clipboard. Adversaries may collect data stored in the clipboard from users copying information within or between applications.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

François HubautCreated Tue Jul 27Updated Tue Feb 21ddeff553-5233-4ae9-bbab-d64d2bd634bewindows

Log Source

WindowsProcess Creation

ProductWindows← raw: windows

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection:
        - Image|endswith: '\clip.exe'
        - OriginalFileName: clip.exe
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

Testing & Validation

Simulations

atomic-red-teamT1115

View on ART

Utilize Clipboard to store or execute commands from

GUID: 0cd14633-58d4-4422-9ede-daa2c9474ae7

Regression Tests

by SigmaHQ Team

Positive Detection Test1 matchevtx

Microsoft-Windows-Sysmon

EVTX JSON

MITRE ATT&CK

Tactics

TA0009 · Collection

Techniques

T1115 · Clipboard Data

Rule Metadata

Rule ID

ddeff553-5233-4ae9-bbab-d64d2bd634be

Status

test

Level

low

Type

Detection

Created

Tue Jul 27

Modified

Tue Feb 21

Author

François Hubaut

Path

rules/windows/process_creation/proc_creation_win_clip_execution.yml

Raw Tags

attack.collectionattack.t1115

View on GitHub