Suspicious pbpaste High Volume Activity
editSuspicious pbpaste High Volume Activity
editIdentifies a high volume of pbpaste
executions, which may indicate a bash loop continuously collecting clipboard contents, potentially allowing an attacker to harvest user credentials or other sensitive information.
Rule type: eql
Rule indices:
- logs-jamf_protect*
- logs-endpoint.events.process-*
Severity: medium
Risk score: 47
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
References:
Tags:
- Domain: Endpoint
- OS: macOS
- Use Case: Threat Detection
- Tactic: Credential Access
- Data Source: Jamf Protect
- Data Source: Elastic Defend
Version: 1
Rule authors:
- Thijs Xhaflaire
Rule license: Elastic License v2
Investigation guide
editTriage and analysis
To investigate pbpaste
activity, focus on determining whether the binary is being used maliciously to collect clipboard data. Follow these steps:
Note: This investigation guide uses the Investigate Markdown Plugin introduced in Elastic Stack version 8.8.0. Older Elastic Stack versions will display unrendered Markdown in this guide.
-
Identify Frequency and Pattern of Execution:
-
What to check: Analyze the frequency and timing of
pbpaste
executions. Look for consistent intervals that might indicate a script or loop is running. -
Why: A high volume of regular
pbpaste
executions could suggest a bash loop designed to continuously capture clipboard data.
-
What to check: Analyze the frequency and timing of
-
Examine Associated Scripts or Processes:
-
What to check: Investigate the parent processes or scripts invoking
pbpaste
. Look for any cron jobs, bash scripts, or automated tasks linked to these executions. -
Why: Understanding what is triggering
pbpaste
can help determine if this activity is legitimate or part of a malicious attempt to gather sensitive information. - !{investigate{"label":"Show events having the same parent process","providers":[[{"excluded":false,"field":"host.hostname","queryType":"phrase","value":"{{host.hostname}}","valueType":"string"},{"excluded":false,"field":"process.entity_id","queryType":"phrase","value":"{{process.parent.entity_id}}","valueType":"string"}]]}}
- $investigate_2
-
What to check: Investigate the parent processes or scripts invoking
-
Review Clipboard Contents:
-
What to check: If possible, capture and review the clipboard contents during
pbpaste
executions to identify if sensitive data, such as user credentials, is being targeted. -
Why: Attackers may use
pbpaste
to harvest valuable information from the clipboard. Identifying the type of data being collected can indicate the severity of the threat.
-
What to check: If possible, capture and review the clipboard contents during
-
Check for Data Exfiltration:
-
What to check: Investigate any output files or network activity associated with
pbpaste
usage. Look for signs that the collected data is being saved to a file, transmitted over the network, or sent to an external location. - Why: If data is being stored or transmitted, it may be part of an exfiltration attempt. Identifying this can help prevent sensitive information from being leaked.
-
What to check: Investigate any output files or network activity associated with
-
Correlate with User Activity:
-
What to check: Compare the
pbpaste
activity with the user’s normal behavior and system usage patterns. -
Why: If the
pbpaste
activity occurs during times when the user is not active, or if the user denies initiating such tasks, it could indicate unauthorized access or a compromised account.
-
What to check: Compare the
By thoroughly investigating these aspects of pbpaste
activity, you can determine whether this is part of a legitimate process or a potential security threat that needs to be addressed.
Setup
editSetup
This rule requires data coming in from Jamf Protect.
Jamf Protect Integration Setup
Jamf Protect is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events incoming events and send data to the Elastic.
Prerequisite Requirements:
- Fleet is required for Jamf Protect.
- To configure Fleet Server refer to the documentation.
The following steps should be executed in order to add the Jamf Protect integration:
- Go to the Kibana home page and click "Add integrations".
- In the query bar, search for "Jamf Protect" and select the integration to see more details about it.
- Click "Add Jamf Protect".
- Configure the integration name.
- Click "Save and Continue".
Rule query
editsequence by host.hostname, host.id with maxspan=1m [process where host.os.type == "macos" and event.type == "start" and event.action == "exec" and process.name: "pbpaste"] with runs = 5
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Credential Access
- ID: TA0006
- Reference URL: https://attack.mitre.org/tactics/TA0006/
-
Technique:
- Name: Input Capture
- ID: T1056
- Reference URL: https://attack.mitre.org/techniques/T1056/