{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/clipboard-theft/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["PowerShell"],"_cs_severities":["high"],"_cs_tags":["credential-access","clipboard-theft","powershell"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis alert identifies instances where the PowerShell command 'Get-Clipboard' is used to retrieve clipboard data. Adversaries may use this command to steal sensitive information that has been copied to the clipboard, such as usernames, passwords, API keys, or other confidential data. The detection leverages PowerShell Script Block Logging (EventCode 4104) to identify the execution of this command. This activity is particularly concerning as it can lead to unauthorized access to sensitive information, potentially compromising user accounts and critical assets. The observed activity has been associated with post-exploitation activity and data theft. The threat is relevant because it can expose sensitive information residing in the clipboard, leading to further compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system, likely via phishing or exploitation of a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages PowerShell to execute commands on the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the \u003ccode\u003eGet-Clipboard\u003c/code\u003e cmdlet to retrieve the current contents of the clipboard.\u003c/li\u003e\n\u003cli\u003eThe contents of the clipboard are stored or piped to another command for further processing.\u003c/li\u003e\n\u003cli\u003eThe attacker filters the clipboard contents for sensitive information such as credentials, API keys, or other secrets.\u003c/li\u003e\n\u003cli\u003eThe sensitive information is exfiltrated from the system via command and control channels.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen credentials or information to gain access to other systems or resources.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can result in the exposure of sensitive data stored on the clipboard. This may include credentials, API keys, or other confidential information. The exposure of this data can lead to unauthorized access to sensitive systems, data breaches, and financial loss. This technique has been observed in post-exploitation phases and ransomware campaigns.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable PowerShell Script Block Logging (EventCode 4104) to capture PowerShell commands and scripts for analysis, as referenced in the \u003ca href=\"#data-source\"\u003edata source\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect Suspicious Get-Clipboard Activity\u0026quot; to your SIEM to detect the use of Get-Clipboard in PowerShell and tune for your environment.\u003c/li\u003e\n\u003cli\u003eReview and investigate any alerts generated by the Sigma rule to identify potentially malicious activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-get-clipboard-activity/","summary":"The execution of the PowerShell command 'Get-Clipboard' is detected to retrieve clipboard data, which may indicate an attempt to steal sensitive information, potentially compromising user accounts.","title":"Suspicious Use of Get-Clipboard PowerShell Command","url":"https://feed.craftedsignal.io/briefs/2024-01-get-clipboard-activity/"}],"language":"en","title":"CraftedSignal Threat Feed - Clipboard-Theft","version":"https://jsonfeed.org/version/1.1"}