Skip to content
Threat Feed
high advisory

Suspicious Use of Get-Clipboard PowerShell Command

The execution of the PowerShell command 'Get-Clipboard' is detected to retrieve clipboard data, which may indicate an attempt to steal sensitive information, potentially compromising user accounts.

This alert identifies instances where the PowerShell command 'Get-Clipboard' is used to retrieve clipboard data. Adversaries may use this command to steal sensitive information that has been copied to the clipboard, such as usernames, passwords, API keys, or other confidential data. The detection leverages PowerShell Script Block Logging (EventCode 4104) to identify the execution of this command. This activity is particularly concerning as it can lead to unauthorized access to sensitive information, potentially compromising user accounts and critical assets. The observed activity has been associated with post-exploitation activity and data theft. The threat is relevant because it can expose sensitive information residing in the clipboard, leading to further compromise.

Attack Chain

  1. An attacker gains initial access to a system, likely via phishing or exploitation of a vulnerability.
  2. The attacker leverages PowerShell to execute commands on the compromised system.
  3. The attacker uses the Get-Clipboard cmdlet to retrieve the current contents of the clipboard.
  4. The contents of the clipboard are stored or piped to another command for further processing.
  5. The attacker filters the clipboard contents for sensitive information such as credentials, API keys, or other secrets.
  6. The sensitive information is exfiltrated from the system via command and control channels.
  7. The attacker uses the stolen credentials or information to gain access to other systems or resources.

Impact

A successful attack can result in the exposure of sensitive data stored on the clipboard. This may include credentials, API keys, or other confidential information. The exposure of this data can lead to unauthorized access to sensitive systems, data breaches, and financial loss. This technique has been observed in post-exploitation phases and ransomware campaigns.

Recommendation

  • Enable PowerShell Script Block Logging (EventCode 4104) to capture PowerShell commands and scripts for analysis, as referenced in the data source.
  • Deploy the Sigma rule "Detect Suspicious Get-Clipboard Activity" to your SIEM to detect the use of Get-Clipboard in PowerShell and tune for your environment.
  • Review and investigate any alerts generated by the Sigma rule to identify potentially malicious activity.

Detection coverage 2

Detect Suspicious Get-Clipboard Activity

high

Detects the execution of Get-Clipboard in PowerShell, which can be used to steal sensitive information.

sigma tactics: credential_access techniques: T1115 sources: process_creation, windows

Detect Suspicious Get-Clipboard Activity via Script Block Logging

high

Detects the execution of Get-Clipboard in PowerShell via Script Block Logging, which can be used to steal sensitive information.

sigma tactics: credential_access techniques: T1115 sources: powershell_script, windows

Detection queries are available on the platform. Get full rules →