Automated execution of native utilities and scripts to discover, enumerate, and collect files and clipboard content. The focus is on detecting repeated file access, scripting-engine use, and the command-line utilities that collection scripts commonly invoke.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |

| Field | Description |
|---|---|
| TimeWindow | Lookback period for identifying burst activity or patterns in process/file events. |
| SuspiciousFileExtensions | Tunable list of file extensions associated with collection targets (e.g., .pdf, .docx). |
| ProcessCountThreshold | Number of times a process executes (or writes collection-type files) within TimeWindow before it is considered anomalous. |
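
To make the tunables concrete, the following added Python example (not code from the original page) joins constructed Sysmon EventCode 1 and EventCode 11 records on ProcessGuid and alerts when a scripting engine creates at least ProcessCountThreshold files carrying a SuspiciousFileExtensions suffix inside TimeWindow. The engine list, the threshold values and the events themselves are assumptions for illustration; field names follow Sysmon's own schema.

```python
"""Added example: correlate Sysmon EventCode 1 (process create) with EventCode 11
(file create) to flag a scripting engine that writes many collection-type files
inside a short window.  Events and tunables are constructed for illustration."""
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

# Tunables named in the analytic; the values are assumptions for this example.
TIME_WINDOW = timedelta(minutes=5)
SUSPICIOUS_FILE_EXTENSIONS = {".pdf", ".docx", ".xlsx", ".txt"}
PROCESS_COUNT_THRESHOLD = 3          # suspicious file creations per process inside TIME_WINDOW
SCRIPT_ENGINES = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "python.exe"}


def _ev(code, utc, guid, **fields):
    return {"EventCode": code, "UtcTime": utc, "ProcessGuid": guid, **fields}


# Constructed Sysmon events (not real telemetry).
SAMPLE_EVENTS = [
    _ev(1, "2024-05-01 10:00:00.000", "{A}",
        Image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        CommandLine="powershell.exe -ep bypass -File collect.ps1"),
    _ev(1, "2024-05-01 10:00:01.000", "{B}",
        Image=r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        CommandLine='"WINWORD.EXE" /n'),
    _ev(11, "2024-05-01 10:00:05.000", "{A}", TargetFilename=r"C:\Users\alice\AppData\Local\Temp\stage\report.pdf"),
    _ev(11, "2024-05-01 10:00:06.000", "{A}", TargetFilename=r"C:\Users\alice\AppData\Local\Temp\stage\contracts.docx"),
    _ev(11, "2024-05-01 10:00:07.000", "{A}", TargetFilename=r"C:\Users\alice\AppData\Local\Temp\stage\payroll.xlsx"),
    _ev(11, "2024-05-01 10:00:08.000", "{A}", TargetFilename=r"C:\Users\alice\AppData\Local\Temp\stage\tool.exe"),  # not a document
    _ev(11, "2024-05-01 10:00:09.000", "{B}", TargetFilename=r"C:\Users\alice\Documents\memo.docx"),  # Word, not a script engine
    _ev(11, "2024-05-01 10:20:00.000", "{A}", TargetFilename=r"C:\Users\alice\AppData\Local\Temp\stage\late.pdf"),  # outside the window
    _ev(11, "2024-05-01 10:21:00.000", "{Z}", TargetFilename=r"C:\temp\orphan.pdf"),  # no matching EventCode 1
]


def _utc(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def max_in_window(times, window):
    """Largest number of timestamps that fall inside any span of length `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_script_file_bursts(events, window=TIME_WINDOW, extensions=SUSPICIOUS_FILE_EXTENSIONS,
                              threshold=PROCESS_COUNT_THRESHOLD, engines=SCRIPT_ENGINES):
    procs = {}                   # ProcessGuid -> EventCode 1 record
    writes = defaultdict(list)   # ProcessGuid -> timestamps of suspicious file creations
    for e in events:
        if e["EventCode"] == 1:
            procs[e["ProcessGuid"]] = e
        elif e["EventCode"] == 11:
            ext = ntpath.splitext(e["TargetFilename"])[1].lower()
            if ext in extensions:
                writes[e["ProcessGuid"]].append(_utc(e["UtcTime"]))
    alerts = []
    for guid, times in writes.items():
        proc = procs.get(guid)
        if proc is None:
            continue             # EventCode 11 with no EventCode 1: process predates logging
        if ntpath.basename(proc["Image"]).lower() not in engines:
            continue
        count = max_in_window(times, window)
        if count >= threshold:
            alerts.append({"ProcessGuid": guid, "Image": proc["Image"],
                           "CommandLine": proc["CommandLine"], "count": count})
    return alerts


if __name__ == "__main__":
    for alert in detect_script_file_bursts(SAMPLE_EVENTS):
        print(alert)
```

Joining on ProcessGuid rather than ProcessId matters because PIDs are reused; the orphan EventCode 11 record shows why a process that started before Sysmon was logging cannot be attributed and must be handled deliberately rather than crashing the join.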
Repeated or automated access to user document directories or the clipboard through shell scripts or utilities such as xclip. Detectable through auditd syscall records or osquery file events; on current kernels most file opens arrive as openat rather than open, so audit rules should cover both.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | auditd:SYSCALL | execve |
| File Access (DC0055) | auditd:SYSCALL | open |

| Field | Description |
|---|---|
| AccessPath | Tunable location of sensitive files, e.g., /home/*/Documents. |
| ScriptInterpreterList | Shells or scripting engines to monitor (e.g., bash, python, perl). |
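
As an added example (not code from the original page), the following Python parses raw auditd records, stitches the SYSCALL, EXECVE and PATH lines that share one audit serial, and alerts when a process whose exe is in ScriptInterpreterList repeatedly opens files under AccessPath. It assumes an audit rule along the lines of `-a always,exit -F arch=b64 -S open,openat -F dir=/home -F key=docs_access`, uses x86_64 syscall numbers, and the log lines, pids and paths are constructed.

```python
"""Added example: parse raw auditd records, group them by audit serial, and flag a
script interpreter that repeatedly opens files under AccessPath.  Log lines are
constructed; syscall numbers are x86_64 (execve=59, open=2, openat=257)."""
import fnmatch
import os
import re
from collections import defaultdict

# Tunables from the analytic; values are assumptions for this example.
ACCESS_PATH = "/home/*/Documents/*"
SCRIPT_INTERPRETER_LIST = ("bash", "sh", "python", "perl")
OPEN_THRESHOLD = 3            # matching opens by one pid before alerting

SYSCALL_NAMES_X86_64 = {"59": "execve", "2": "open", "257": "openat"}

# Constructed lines in the raw /var/log/audit/audit.log shape (not a real capture).
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1714557600.100:4820): arch=c000003e syscall=59 success=yes exit=0 a0=55d5c1a3b2c0 a1=55d5c1a3b340 a2=55d5c1a3b400 a3=0 items=2 ppid=2210 pid=2345 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="python3" exe="/usr/bin/python3.11" subj=unconfined key="exec"
type=EXECVE msg=audit(1714557600.100:4820): argc=2 a0="python3" a1="/tmp/.cache/harvest.py"
type=SYSCALL msg=audit(1714557601.200:4821): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7f1e0c0012a0 a2=80000 a3=0 items=1 ppid=2210 pid=2345 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="python3" exe="/usr/bin/python3.11" subj=unconfined key="docs_access"
type=PATH msg=audit(1714557601.200:4821): item=0 name="/home/alice/Documents/q3-forecast.xlsx" inode=131077 dev=fd:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=SYSCALL msg=audit(1714557601.250:4822): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7f1e0c0012a0 a2=80000 a3=0 items=1 ppid=2210 pid=2345 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="python3" exe="/usr/bin/python3.11" subj=unconfined key="docs_access"
type=PATH msg=audit(1714557601.250:4822): item=0 name="/home/alice/Documents/board-minutes.docx" inode=131078 dev=fd:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=SYSCALL msg=audit(1714557601.300:4823): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7f1e0c0012a0 a2=80000 a3=0 items=1 ppid=2210 pid=2345 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="python3" exe="/usr/bin/python3.11" subj=unconfined key="docs_access"
type=PATH msg=audit(1714557601.300:4823): item=0 name="/home/alice/Documents/customers.pdf" inode=131079 dev=fd:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=SYSCALL msg=audit(1714557601.350:4824): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=7f1e0c0013b0 a2=80000 a3=0 items=1 ppid=2210 pid=2345 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="python3" exe="/usr/bin/python3.11" subj=unconfined key="docs_access"
type=PATH msg=audit(1714557601.350:4824): item=0 name="/etc/hosts" inode=2621 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=SYSCALL msg=audit(1714557605.000:4825): arch=c000003e syscall=257 success=yes exit=9 a0=ffffff9c a1=7f9a10004c00 a2=80000 a3=0 items=1 ppid=1800 pid=2600 auid=1000 uid=1000 gid=1000 euid=1000 tty=(none) ses=3 comm="soffice.bin" exe="/usr/lib/libreoffice/program/soffice.bin" subj=unconfined key="docs_access"
type=PATH msg=audit(1714557605.000:4825): item=0 name="/home/alice/Documents/board-minutes.docx" inode=131078 dev=fd:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
"""

REC_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<body>.*)$")
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_audit_log(text):
    """Group records by audit serial: {serial: {"ts", "SYSCALL", "EXECVE", "PATH": [...]}}.
    Quotes are stripped; auditd hex-encodes names with special characters (unquoted),
    which this example leaves as-is."""
    events = {}
    for line in text.splitlines():
        m = REC_RE.match(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m["body"])}
        ev = events.setdefault(m["serial"], {"ts": float(m["ts"]), "PATH": []})
        if m["type"] == "PATH":
            ev["PATH"].append(fields)
        else:
            ev[m["type"]] = fields
    return events


def is_interpreter(exe, interpreters=SCRIPT_INTERPRETER_LIST):
    """Match on exe (comm is truncated to 15 chars) and tolerate versioned names like python3.11."""
    base = os.path.basename(exe)
    return any(re.fullmatch(rf"{re.escape(name)}[0-9.]*", base) for name in interpreters)


def detect_script_document_access(events, access_path=ACCESS_PATH, threshold=OPEN_THRESHOLD):
    per_pid = defaultdict(lambda: {"exe": "", "argv": None, "paths": []})
    for ev in events.values():
        sc = ev.get("SYSCALL")
        if not sc or not is_interpreter(sc.get("exe", "")):
            continue
        name = SYSCALL_NAMES_X86_64.get(sc.get("syscall"))
        entry = per_pid[sc["pid"]]
        entry["exe"] = sc["exe"]
        if name == "execve" and "EXECVE" in ev:
            ex = ev["EXECVE"]
            entry["argv"] = [ex[f"a{i}"] for i in range(int(ex["argc"]))]
        elif name in ("open", "openat"):
            # Count only the file itself: creates also emit a PARENT item for the directory,
            # and "/home/*/Documents/*" would match that directory path too.
            for p in ev["PATH"]:
                if p.get("nametype") == "NORMAL" and fnmatch.fnmatch(p.get("name", ""), access_path):
                    entry["paths"].append(p["name"])
    return [{"pid": pid, **e} for pid, e in per_pid.items() if len(e["paths"]) >= threshold]


if __name__ == "__main__":
    for alert in detect_script_document_access(parse_audit_log(SAMPLE_AUDIT_LOG)):
        print(alert)
```

Matching on `exe` rather than `comm` avoids both the 15-character truncation of `comm` and trivial renames of the script; keying the interpreter check on `arch` would be needed on a mixed 32/64-bit host, since the syscall numbers differ between ABIs.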
Use of pbpaste, AppleScript (osascript), or third-party automation frameworks (e.g., Automator) to collect clipboard or file content in bursts. Observable in the unified log.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | macos:unifiedlog | logMessage contains pbpaste or osascript |
| Script Execution (DC0029) | macos:unifiedlog | subsystem=launchservices |

| Field | Description |
|---|---|
| AutomationTool | Script interpreters or clipboard tools to detect (pbpaste, osascript). |
| ClipboardCheckRate | Number of clipboard accesses permitted within a given time window before alerting. |
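
The following added Python example (not code from the original page) parses unified-log lines in the layout of `log show --style syslog` and scores each AutomationTool on its invocation rate against ClipboardCheckRate. It also measures how regular the inter-arrival times are, because a polling loop produces near-constant gaps that a person pasting by hand does not, and uses that as a confidence signal. The host name, pids, messages and timing values are constructed.

```python
"""Added example: rate and periodicity scoring of clipboard-tool invocations in
unified-log lines (log show --style syslog layout).  All lines are constructed."""
import re
import statistics
from datetime import datetime, timedelta, timezone

# Tunables from the analytic; values are assumptions for this example.
AUTOMATION_TOOLS = ("pbpaste", "osascript")
CLIPBOARD_CHECK_RATE = 10                # invocations per RATE_WINDOW that trigger an alert
RATE_WINDOW = timedelta(seconds=60)
PERIODIC_CV_LIMIT = 0.2                  # coefficient of variation below which timing looks scripted

TS_FMT = "%Y-%m-%d %H:%M:%S.%f%z"
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+)\s+(?P<host>\S+)\s+(?P<proc>[^\[\s]+)\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$")
_T0 = datetime(2024, 5, 1, 10, 0, 0, tzinfo=timezone(timedelta(hours=-7)))


def _line(offset_s, proc, pid, msg, host="macbook"):
    """Build one constructed syslog-style unified-log line."""
    ts = (_T0 + timedelta(seconds=offset_s)).strftime(TS_FMT)
    return f"{ts}  {host}  {proc}[{pid}]: {msg}"


# Constructed: pbpaste fired every ~2 s by a loop, osascript twice by hand, plus unrelated noise.
SAMPLE_LOG = [_line(t, "pbpaste", 4000 + i, "(constructed) clipboard read")
              for i, t in enumerate([0, 2.1, 4.0, 6.05, 8.0, 10.1, 11.95, 14.0, 16.1, 18.0, 20.05, 22.0])]
SAMPLE_LOG += [
    _line(3.0, "osascript", 4100, "(constructed) running script"),
    _line(47.3, "osascript", 4101, "(constructed) running script"),
    _line(5.0, "Finder", 512, "(constructed) window activated"),
]


def parse_unified_log(lines):
    """Return (timestamp, process, pid, message) tuples; lines that do not match are skipped."""
    out = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            out.append((datetime.strptime(m["ts"], TS_FMT), m["proc"], int(m["pid"]), m["msg"]))
    return out


def score_clipboard_activity(records, tools=AUTOMATION_TOOLS, rate=CLIPBOARD_CHECK_RATE,
                             window=RATE_WINDOW, cv_limit=PERIODIC_CV_LIMIT):
    """Per tool: invocations per window, inter-arrival regularity, alert flag and severity."""
    by_tool = {}
    for ts, proc, _pid, msg in records:
        for tool in tools:
            if proc == tool or tool in msg:      # the analytic's channel: logMessage contains the tool name
                by_tool.setdefault(tool, []).append(ts)
    window_s = window.total_seconds()
    results = {}
    for tool, times in by_tool.items():
        times.sort()
        # Normalise to "per window" over at least one window length so two quick events do not extrapolate.
        span = max((times[-1] - times[0]).total_seconds(), window_s)
        per_window = len(times) / span * window_s
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        cv = None
        if len(gaps) >= 3 and statistics.mean(gaps) > 0:
            cv = statistics.pstdev(gaps) / statistics.mean(gaps)
        periodic = cv is not None and cv < cv_limit
        alert = per_window >= rate
        results[tool] = {"count": len(times), "per_window": per_window, "cv": cv, "periodic": periodic,
                         "alert": alert, "severity": "high" if alert and periodic else "medium" if alert else None}
    return results


if __name__ == "__main__":
    for tool, r in score_clipboard_activity(parse_unified_log(SAMPLE_LOG)).items():
        print(tool, r)
```

Matching on the process name as well as the message text covers the case where a script calls pbpaste directly and the case where osascript's own log lines name it; the periodicity check adds little for a handful of events, so it only raises severity once the rate threshold is already met.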
Suspicious sign-ins to Microsoft Graph or other sensitive resources from non-browser scripting user agents (e.g., Python, PowerShell), typically used for programmatic access to mailbox or OneDrive content.

| Data Component | Name | Channel |
|---|---|---|
| User Account Authentication (DC0002) | azure:signinlogs | Operation=UserLogin |

| Field | Description |
|---|---|
| UserAgentFilter | Filter for scripting user agents (e.g., Python, PowerShell); the exact strings vary by organization. |
| ExpectedClientIPList | Set of known internal or managed egress IPs used to filter benign automation. |
| DeviceProperties | Expected managed-device properties, used to identify sign-ins from unmanaged devices. |
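
The following added Python example (not code from the original page) triages sign-in records shaped like the Microsoft Graph signIn resource (userAgent, ipAddress, resourceDisplayName, deviceDetail, status) with the three tunables above: UserAgentFilter as a regex, ExpectedClientIPList as CIDR ranges, and DeviceProperties as the isManaged/trustType fields. The user principal names, IP ranges and user-agent strings are constructed; the resource display names are the ones Entra ID uses for Graph, Exchange Online and SharePoint Online.

```python
"""Added example: triage Entra ID sign-in records for programmatic access to mailbox
or OneDrive content from scripting user agents.  Records and tunables are constructed;
field names follow the Microsoft Graph signIn resource."""
import ipaddress
import re

# Tunables from the analytic; values are assumptions for this example.
USER_AGENT_FILTER = re.compile(r"python-requests|python-urllib|PowerShell|curl/|Go-http-client|okhttp", re.I)
EXPECTED_CLIENT_IP_LIST = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "198.51.100.0/24")]
SENSITIVE_RESOURCES = {"Microsoft Graph", "Office 365 Exchange Online", "Office 365 SharePoint Online"}
# DeviceProperties: treat a device as managed if Intune says so or it is joined to the tenant.
MANAGED_TRUST_TYPES = {"Azure AD joined", "Hybrid Azure AD joined"}


def _rec(upn, ua, ip, resource, managed=False, trust="", client="Mobile Apps and Desktop clients", error=0):
    return {"userPrincipalName": upn, "userAgent": ua, "ipAddress": ip, "resourceDisplayName": resource,
            "clientAppUsed": client, "status": {"errorCode": error},
            "deviceDetail": {"isManaged": managed, "trustType": trust}}


# Constructed sign-in records (not real tenant data).
SAMPLE_SIGNINS = [
    _rec("alice@contoso.example", "python-requests/2.31.0", "203.0.113.5", "Microsoft Graph"),
    _rec("svc-backup@contoso.example", "python-requests/2.31.0", "10.20.30.40", "Microsoft Graph",
         managed=True, trust="Azure AD joined"),                                  # known automation
    _rec("bob@contoso.example", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/124.0 Safari/537.36",
         "203.0.113.7", "Microsoft Graph", client="Browser"),                      # interactive browser
    _rec("carol@contoso.example", "Mozilla/5.0 (Windows NT 10.0) PowerShell/7.4.1", "203.0.113.9",
         "Office 365 Exchange Online", managed=True, trust="Hybrid Azure AD joined"),  # external but managed
    _rec("dave@contoso.example", "curl/8.4.0", "203.0.113.11", "Windows Azure Service Management API"),
    _rec("eve@contoso.example", "python-requests/2.31.0", "203.0.113.13", "Microsoft Graph", error=50126),  # failed
]


def is_expected_ip(ip, allow=EXPECTED_CLIENT_IP_LIST):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in allow)


def is_managed_device(device):
    return bool(device.get("isManaged")) or device.get("trustType") in MANAGED_TRUST_TYPES


def triage_signins(records, ua_filter=USER_AGENT_FILTER, resources=SENSITIVE_RESOURCES):
    """Return findings for successful scripting-agent sign-ins to sensitive resources.
    Both an unexpected IP and an unmanaged device -> high; one of the two -> low; neither -> no finding."""
    findings = []
    for r in records:
        if r["status"].get("errorCode", 0) != 0:
            continue                                  # only a successful session can read content
        if not ua_filter.search(r.get("userAgent", "")):
            continue
        if r.get("resourceDisplayName") not in resources:
            continue
        reasons = []
        if not is_expected_ip(r.get("ipAddress", "")):
            reasons.append("ip_not_in_ExpectedClientIPList")
        if not is_managed_device(r.get("deviceDetail", {})):
            reasons.append("unmanaged_device")
        if not reasons:
            continue
        findings.append({"user": r["userPrincipalName"], "ip": r["ipAddress"], "userAgent": r["userAgent"],
                         "resource": r["resourceDisplayName"], "reasons": reasons,
                         "severity": "high" if len(reasons) == 2 else "low"})
    return findings


if __name__ == "__main__":
    for f in triage_signins(SAMPLE_SIGNINS):
        print(f)
```

Failed sign-ins are dropped because the analytic targets content access, not credential guessing; a separate rule would watch the same user agents for failures. The user-agent string is attacker-controlled, so this filter catches lazy tooling rather than a deliberately spoofed client, which is why the IP and device checks carry the severity.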