Query Details

Rule : Clipboard Data Collection via xclip

Xclip Executions

Query

DeviceProcessEvents
| where FileName contains "xclip" and ProcessCommandLine has_all("sel", "clip")

About this query

Rule : Clipboard Data Collection via xclip

Description

Detects the use of the xclip command to access clipboard data. The xclip utility is used to manipulate the X11 clipboard, and its usage with specific flags can indicate attempts to capture clipboard contents, which may include sensitive information such as passwords or other confidential data.

Detection Logic

  • Monitors process events where the executed file name contains xclip.
  • Filters for instances where the process command line includes the terms sel and clip, indicating an attempt to access or manipulate clipboard data.

Tags

  • Clipboard Collection
  • xclip
  • Process Events
  • Linux

Search Query

Explanation

This query looks for instances where the xclip command is used to access clipboard data on a Linux system. It checks for specific flags in the command line that indicate an attempt to capture sensitive information from the clipboard.

Details

Ali Hussein profile picture

Ali Hussein

Released: July 9, 2024

Tables

DeviceProcessEvents

Keywords

DeviceProcessEventsFileNameProcessCommandLinexclipselclip

Operators

containshas_all

Actions

GitHub