<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Clipboard-Theft - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/clipboard-theft/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/clipboard-theft/feed.xml" rel="self" type="application/rss+xml"/><item><title>Suspicious Use of Get-Clipboard PowerShell Command</title><link>https://feed.craftedsignal.io/briefs/2024-01-get-clipboard-activity/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-get-clipboard-activity/</guid><description>The execution of the PowerShell command 'Get-Clipboard' is detected to retrieve clipboard data, which may indicate an attempt to steal sensitive information, potentially compromising user accounts.</description><content:encoded><![CDATA[<p>This alert identifies instances where the PowerShell command 'Get-Clipboard' is used to retrieve clipboard data. Adversaries may use this command to steal sensitive information that has been copied to the clipboard, such as usernames, passwords, API keys, or other confidential data. The detection leverages PowerShell Script Block Logging (EventCode 4104) to identify the execution of this command. This activity is particularly concerning as it can lead to unauthorized access to sensitive information, potentially compromising user accounts and critical assets. The observed activity has been associated with post-exploitation activity and data theft. The threat is relevant because it can expose sensitive information residing in the clipboard, leading to further compromise.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to a system, likely via phishing or exploitation of a vulnerability.</li>
<li>The attacker leverages PowerShell to execute commands on the compromised system.</li>
<li>The attacker uses the <code>Get-Clipboard</code> cmdlet to retrieve the current contents of the clipboard.</li>
<li>The contents of the clipboard are stored or piped to another command for further processing.</li>
<li>The attacker filters the clipboard contents for sensitive information such as credentials, API keys, or other secrets.</li>
<li>The sensitive information is exfiltrated from the system via command and control channels.</li>
<li>The attacker uses the stolen credentials or information to gain access to other systems or resources.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful attack can result in the exposure of sensitive data stored on the clipboard. This may include credentials, API keys, or other confidential information. The exposure of this data can lead to unauthorized access to sensitive systems, data breaches, and financial loss. This technique has been observed in post-exploitation phases and ransomware campaigns.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable PowerShell Script Block Logging (EventCode 4104) to capture PowerShell commands and scripts for analysis, as referenced in the <a href="#data-source">data source</a>.</li>
<li>Deploy the Sigma rule &quot;Detect Suspicious Get-Clipboard Activity&quot; to your SIEM to detect the use of Get-Clipboard in PowerShell and tune for your environment.</li>
<li>Review and investigate any alerts generated by the Sigma rule to identify potentially malicious activity.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>credential-access</category><category>clipboard-theft</category><category>powershell</category></item></channel></rss>