Merge PR #4929 from @DefenderDaniel - Add `Clipboard Data Collection …

…Via Pbpaste` new: Clipboard Data Collection Via Pbpaste --------- Co-authored-by: nasbench <[email protected]>
SigmaHQ · Jul 31, 2024 · 42f90bb · 42f90bb
1 parent 65d76a3
commit 42f90bb
Showing 1 changed file with 30 additions and 0 deletions.
diff --git a/rules-threat-hunting/macos/process_creation/proc_creation_macos_pbpaste_execution.yml b/rules-threat-hunting/macos/process_creation/proc_creation_macos_pbpaste_execution.yml
@@ -0,0 +1,30 @@
+title: Clipboard Data Collection Via Pbpaste
+id: d8af0da1-2959-40f9-a3e4-37a6aa1228b7
+status: experimental
+description: |
+    Detects execution of the "pbpaste" utility, which retrieves the contents of the clipboard (a.k.a. pasteboard) and writes them to the standard output (stdout).
+    The utility is often used for creating new files with the clipboard content or for piping clipboard contents to other commands.
+    It can also be used in shell scripts that may require clipboard content as input.
+    Attackers can abuse this utility in order to collect data from the user clipboard, which may contain passwords or sensitive information.
+    Use this rule to hunt for potential abuse of the utility by looking at the parent process and any potentially suspicious command line content.
+references:
+    - https://www.loobins.io/binaries/pbpaste/
+    - https://medium.com/@NullByteWht/hacking-macos-how-to-dump-1password-keepassx-lastpass-passwords-in-plaintext-723c5b1c311b
+    - https://media.defense.gov/2021/Jul/19/2002805003/-1/-1/1/CSA_CHINESE_STATE-SPONSORED_CYBER_TTPS.PDF
+author: Daniel Cortez
+date: 2024/07/30
+tags:
+    - attack.collection
+    - attack.credential_access
+    - attack.t1115
+    - detection.threat_hunting
+logsource:
+    product: macos
+    category: process_creation
+detection:
+    selection:
+        Image|endswith: '/pbpaste'
+    condition: selection
+falsepositives:
+    - Legitimate administration activities
+level: medium