Linux Clipboard Activity Monitoring
This brief provides detection strategies for monitoring clipboard activity on Linux systems, potentially identifying malicious data exfiltration or command execution attempts.
This brief outlines detection methods for monitoring clipboard activity on Linux systems. While the provided source material lacks specific threat actor information or campaign details, monitoring clipboard interaction is essential. Attackers may leverage the clipboard to copy and paste sensitive data, such as credentials, API keys, or command sequences, for exfiltration or execution on compromised systems. The scope of this activity can vary, but defenders need to establish baseline clipboard usage patterns to identify anomalies that may indicate malicious intent.
Attack Chain
- Initial Access: An attacker gains access to a Linux system through methods like SSH brute-forcing or exploiting a vulnerability in a network service (e.g., web application, database).
- Privilege Escalation: Once inside, the attacker may attempt to elevate privileges using techniques like exploiting kernel vulnerabilities or misconfigured SUID/GUID binaries.
- Information Gathering: The attacker gathers information about the system, user accounts, and network configuration using tools like
uname,id,ifconfig, andnetstat. - Clipboard Interaction (Copy): The attacker copies sensitive information from files, terminal output, or other applications to the clipboard using tools like
xclip,xsel, orwl-copy(for Wayland). For example,cat /etc/shadow | xclip -selection clipboard. - Clipboard Interaction (Paste): The attacker pastes the copied information into a different application, potentially for exfiltration to an external server or use in subsequent attack steps. For example, pasting credentials into an SSH client.
- Lateral Movement: The attacker uses the gathered credentials or session tokens to move laterally to other systems within the network.
- Data Exfiltration: The attacker exfiltrates sensitive data to an external server using tools like
scp,rsync, orcurlvia the clipboard. - Persistence: The attacker establishes persistence on the compromised system using techniques like creating cron jobs or modifying system startup scripts.
Impact
Successful exploitation could lead to sensitive data leakage, including credentials, API keys, and internal documents. This can enable unauthorized access to other systems, data breaches, and disruption of services. The number of affected systems and the extent of the damage will depend on the attacker's objectives and the security measures in place.
Recommendation
- Monitor process creation events for the execution of clipboard utilities like
xclip,xsel, orwl-copyto detect suspicious clipboard activity using the Sigma rules provided. - Enable audit logging on Linux systems to capture process execution events and command-line arguments, providing valuable context for investigating potential clipboard-related attacks.
- Implement network monitoring to detect unusual outbound connections originating from systems where clipboard activity is detected, potentially indicating data exfiltration.
- Deploy and tune the provided Sigma rules in your SIEM to detect and respond to malicious clipboard activity.
Detection coverage 3
Detect Clipboard Interaction via xclip
mediumDetects the use of xclip to interact with the clipboard, which can be indicative of malicious data exfiltration or command execution.
Detect Clipboard Interaction via xsel
mediumDetects the use of xsel to interact with the clipboard.
Detect Clipboard Interaction via wl-copy (Wayland)
mediumDetects the use of wl-copy (Wayland) to interact with the clipboard.
Detection queries are available on the platform. Get full rules →