Linux Clipboard Activity Detected

Elastic Detection Rules

Summary
This detection rule, authored by Elastic, monitors for unusual use of common clipboard utilities on Linux hosts. It matches process start events for the utilities xclip, xsel, wl-clipboard (whose binaries are wl-copy and wl-paste), clipman, and copyq, and alerts when the process group leader that launched the utility is not one of the names the rule treats as benign, such as bwrap (a sandbox launcher) or micro (a terminal editor). The aim is to surface collection activity in which an adversary reads the clipboard to capture sensitive data a user has temporarily placed there (ATT&CK T1115, Clipboard Data); in practice the invocations of interest are the ones that output clipboard contents (for example xclip -o, xsel -o, or wl-paste), whereas writing to the clipboard is usually ordinary desktop use. The rule carries a risk score of 21 and a severity of low, so an alert is a prompt to investigate the parent process, its command line, and what the user was doing at the time rather than an indicator of compromise on its own. The rule ships with investigation guidance, a review of likely false positives (editors, sandboxed desktop applications, and user scripts that legitimately pipe through the clipboard), and remediation steps so that security teams can triage matches consistently.
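The following is an added example, not Elastic's own rule or query, that re-implements the logic the summary describes in Python and runs it over constructed ECS-shaped process events. The field names (host.os.type, event.type, process.name, process.group_leader.name) are an assumption about how Elastic Endpoint records process starts; the sample events are fabricated here, not real telemetry. It also shows the two edge cases a practitioner cares about: an allowlisted group leader suppresses the alert, while a missing group leader name does not.

```python
"""Toy re-implementation of the clipboard-utility detection described above.

Added example: not Elastic's rule code. Event field names follow ECS as an
assumption; the sample events below are constructed, not captured telemetry.
"""
from typing import Optional

# Clipboard utilities named in the rule summary. wl-clipboard ships the
# wl-copy and wl-paste binaries, so those are the names seen in process.name;
# the other tools are invoked under their package name.
CLIPBOARD_UTILITIES = frozenset({
    "xclip", "xsel", "wl-copy", "wl-paste", "clipman", "copyq",
})

# Process group leaders the summary cites as benign launchers of clipboard
# tools (bwrap sandboxes, the micro editor). A real deployment extends this
# after the false-positive review step.
BENIGN_GROUP_LEADERS = frozenset({"bwrap", "micro"})


def get_field(event: dict, dotted: str, default=None):
    """Resolve an ECS-style dotted path such as 'process.group_leader.name'."""
    node = event
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node


def is_suspicious_clipboard_start(event: dict,
                                  allowlist: frozenset = BENIGN_GROUP_LEADERS) -> bool:
    """True when the event matches the rule's intent: a Linux process *start*
    of a clipboard utility whose process group leader is not known-benign."""
    if get_field(event, "host.os.type") != "linux":
        return False
    if get_field(event, "event.type") != "start":
        return False
    if get_field(event, "process.name") not in CLIPBOARD_UTILITIES:
        return False
    leader = get_field(event, "process.group_leader.name")
    # An absent group leader name is unknown, not benign: only an explicit
    # allowlist hit suppresses the alert.
    return leader not in allowlist


def detect(events: list, allowlist: frozenset = BENIGN_GROUP_LEADERS) -> list:
    """Run the rule over a batch of events and return those that would alert."""
    return [e for e in events if is_suspicious_clipboard_start(e, allowlist)]


def make_event(name: str, leader: Optional[str], etype: str = "start",
               os_type: str = "linux", cmdline: str = "") -> dict:
    """Build a minimal constructed ECS-shaped process event (assumed layout)."""
    proc = {"name": name, "command_line": cmdline}
    if leader is not None:
        proc["group_leader"] = {"name": leader}
    return {"host": {"os": {"type": os_type}},
            "event": {"type": etype, "action": "exec"},
            "process": proc}


# Constructed sample telemetry; none of this comes from a real host.
SAMPLE_EVENTS = [
    # 1: xclip dumping the clipboard from an interactive shell -> alerts
    make_event("xclip", "bash", cmdline="xclip -o -selection clipboard"),
    # 2: same tool, spawned inside a bwrap sandbox -> allowlisted leader, no alert
    make_event("xclip", "bwrap", cmdline="xclip -selection clipboard"),
    # 3: wl-clipboard's wl-paste launched under a python3 group leader -> alerts
    make_event("wl-paste", "python3", cmdline="wl-paste --no-newline"),
    # 4: an editor start -> not a clipboard utility, ignored
    make_event("vim", "bash", cmdline="vim notes.txt"),
    # 5: a process *end* event for xsel -> wrong event type, ignored
    make_event("xsel", "bash", etype="end", cmdline="xsel -b"),
    # 6: xsel with no group leader recorded -> unknown leader, still alerts
    make_event("xsel", None, cmdline="xsel --clipboard --output"),
]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        leader = get_field(hit, "process.group_leader.name", "<unknown>")
        print(f"ALERT {hit['process']['name']!r} started under group leader "
              f"{leader!r}: {hit['process']['command_line']}")
```

When tuning, pass a wider allowlist to detect() rather than editing the utility set: the utility names are the behaviour being watched, while the allowlist is the site-specific knowledge of which launchers are expected.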
Categories
  • Endpoint
  • Linux
Data Sources
  • Process
  • Script
ATT&CK Techniques
  • T1115
Created: 2023-07-27