PowerShell Suspicious Script with Clipboard Retrieval Capabilities

Detects PowerShell scripts that can read the contents of the clipboard, which attackers abuse to retrieve sensitive information such as credentials and messages.

Rule type: query

Rule indices:

  • winlogbeat-*
  • logs-windows.*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Host
  • Windows
  • Threat Detection
  • Collection
  • PowerShell

Version: 1

Rule authors:

  • Elastic

Rule license: Elastic License v2

Rule query

event.category:process and
  (powershell.file.script_block_text : (
    "Windows.Clipboard" or
    "Windows.Forms.Clipboard" or
    "Windows.Forms.TextBox"
   ) and
   powershell.file.script_block_text : (
    "]::GetText" or
    ".Paste()"
  )) or powershell.file.script_block_text : "Get-Clipboard"
  and not user.id : "S-1-5-18"
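
As an added worked check (not Elastic's code), the following Python emulates the rule's KQL predicate and runs it over constructed sample script-block events. KQL gives `and` higher precedence than `or`, so the query as written parses as `(event.category:process and <.NET clipboard clause>) or (script_block_text:"Get-Clipboard" and not user.id:"S-1-5-18")`; a second function implements the grouped reading the description suggests, so the two can be compared on the same events. The substring matching, the event names and the non-SYSTEM SIDs are assumptions made for the demo.

```python
"""Added example (not Elastic's code): emulate the rule's KQL predicate
in Python and run it over constructed sample events."""

CLIPBOARD_TYPES = ("Windows.Clipboard", "Windows.Forms.Clipboard", "Windows.Forms.TextBox")
CLIPBOARD_METHODS = ("]::GetText", ".Paste()")
LOCAL_SYSTEM_SID = "S-1-5-18"  # NT AUTHORITY\SYSTEM, excluded by the rule


def _contains_any(text, needles):
    """Simplification: KQL runs a match query against an analyzed text field;
    case-insensitive substring containment is close enough for this demo."""
    lowered = text.lower()
    return any(n.lower() in lowered for n in needles)


def _clauses(event):
    """Evaluate the sub-clauses the rule is built from."""
    is_process = event.get("event.category") == "process"
    script = event.get("powershell.file.script_block_text", "")
    not_system = event.get("user.id") != LOCAL_SYSTEM_SID
    dotnet_api = _contains_any(script, CLIPBOARD_TYPES) and _contains_any(script, CLIPBOARD_METHODS)
    cmdlet = _contains_any(script, ("Get-Clipboard",))
    return is_process, dotnet_api, cmdlet, not_system


def matches_as_written(event):
    """KQL: 'and' binds tighter than 'or', so the query parses as
    (event.category:process and dotnet_api) or (cmdlet and not user.id:S-1-5-18).
    The SYSTEM exclusion therefore only applies to the Get-Clipboard branch."""
    is_process, dotnet_api, cmdlet, not_system = _clauses(event)
    return (is_process and dotnet_api) or (cmdlet and not_system)


def matches_grouped(event):
    """Grouped reading (an assumption about intent, not Elastic's statement):
    event.category:process and (dotnet_api or cmdlet) and not user.id:S-1-5-18."""
    is_process, dotnet_api, cmdlet, not_system = _clauses(event)
    return is_process and (dotnet_api or cmdlet) and not_system


def fired(events, predicate):
    """Names of the sample events the given predicate would alert on."""
    return [e["name"] for e in events if predicate(e)]


# Constructed sample script-block events; every SID except S-1-5-18 is made up.
USER_SID = "S-1-5-21-1111-2222-3333-1001"
SAMPLE_EVENTS = [
    {"name": "forms-clipboard-user", "event.category": "process", "user.id": USER_SID,
     "powershell.file.script_block_text":
         "Add-Type -AssemblyName System.Windows.Forms; [Windows.Forms.Clipboard]::GetText()"},
    {"name": "textbox-paste-user", "event.category": "process", "user.id": USER_SID,
     "powershell.file.script_block_text":
         "$tb = New-Object Windows.Forms.TextBox; $tb.Paste(); $tb.Text"},
    {"name": "get-clipboard-system", "event.category": "process", "user.id": LOCAL_SYSTEM_SID,
     "powershell.file.script_block_text": "Get-Clipboard"},
    {"name": "dotnet-clipboard-system", "event.category": "process", "user.id": LOCAL_SYSTEM_SID,
     "powershell.file.script_block_text": "[Windows.Clipboard]::GetText()"},
    {"name": "benign-user", "event.category": "process", "user.id": USER_SID,
     "powershell.file.script_block_text": "Get-ChildItem C:\\Users | Measure-Object"},
]

if __name__ == "__main__":
    print("as written:", fired(SAMPLE_EVENTS, matches_as_written))
    print("grouped:   ", fired(SAMPLE_EVENTS, matches_grouped))
```

Running it shows the two readings agree on user-context events and on a SYSTEM `Get-Clipboard` call, but diverge on a SYSTEM script that uses the .NET clipboard types: the literal parse alerts on it, the grouped reading suppresses it. That difference is worth confirming against the rule's false-positive expectations before tuning the exclusion.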

Framework: MITRE ATT&CK™