Adversaries may use the xclip tool to read clipboard data from user sessions and exfiltrate sensitive information that was copied there, such as credentials (MITRE ATT&CK T1115, Clipboard Data). SOC teams should proactively hunt for this behavior in Azure Sentinel to identify clipboard collection attempts that standard monitoring may miss.
Detection Rule
title: Clipboard Collection with Xclip Tool
id: ec127035-a636-4b9a-8555-0efd4e59f316
status: test
description: |
    Detects attempts to collect data stored in the clipboard from users by using the xclip tool. Xclip has to be installed.
    Using this rule on servers is highly recommended, because clipboard utilities are heavily used on user workstations.
references:
    - https://www.packetlabs.net/posts/clipboard-data-security/
author: Pawel Mazur, Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
date: 2021-10-15
modified: 2022-09-15
tags:
    - attack.collection
    - attack.t1115
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|contains: 'xclip'
        CommandLine|contains|all:
            - '-sel'
            - 'clip'
            - '-o'
    condition: selection
falsepositives:
    - Legitimate usage of xclip tools.
level: low
Azure Sentinel Query
imProcessCreate
| where TargetProcessName contains "xclip"
    and (TargetProcessCommandLine contains "-sel"
         and TargetProcessCommandLine contains "clip"
         and TargetProcessCommandLine contains "-o")

False Positive Scenarios
Scenario: System Administrator Uses xclip to Copy Logs to Clipboard for Review
Description: An admin copies log output to the clipboard using xclip for quick review without saving it.
Filter/Exclusion: process.name != "xclip" OR destination.clipboard.content contains "log" AND destination.clipboard.content does not contain "sensitive data"
Scenario: Scheduled Job Uses xclip to Export Data to Clipboard for Automation
Description: A scheduled job runs a script that uses xclip to export data to the clipboard for downstream automation tools.
Filter/Exclusion: process.parent_process.name contains "cron" OR process.parent_process.name contains "systemd"
Scenario: Developer Uses xclip to Transfer Code Snippets Between Applications
Description: A developer uses xclip to copy code snippets from a terminal to an IDE or text editor.
Filter/Exclusion: user.account_type == "developer" OR process.name contains "vim" OR process.name contains "nano"
Scenario: Integration Tool Uses xclip to Transfer Data Between Applications
Description: A third-party integration tool (e.g., Ansible, Jenkins) uses xclip to transfer data between applications during a workflow.
Filter/Exclusion: process.name contains "ansible" OR process.name contains "jenkins" OR process.name contains "docker"
Scenario: User Copies Clipboard Content to Another Application for Documentation
Description: A user copies clipboard content (e.g., a command output) to a documentation tool like Obsidian or Notion.
Filter/Exclusion: destination.clipboard.content contains "command output" AND destination.clipboard.content does not contain "credentials" AND destination.clipboard.content does not contain "password"
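The following is an added example, not code from the Sigma rule, the Sentinel query, or this page. It evaluates the rule's selection block (Image contains "xclip", command line contains all of "-sel", "clip", "-o") against constructed Linux process_creation events, then applies the parent-process exclusions from the scheduled-job and integration-tool scenarios above. Field names (image, command_line, parent_image) and the sample events are assumptions for illustration.

```python
from dataclasses import dataclass

# Selection values copied from the Sigma rule on this page.
IMAGE_CONTAINS = "xclip"
COMMANDLINE_CONTAINS_ALL = ("-sel", "clip", "-o")

# Tuning exclusions taken from the false-positive scenarios above
# (scheduled jobs and integration tools, keyed on the parent process).
EXCLUDED_PARENTS = ("cron", "systemd", "ansible", "jenkins", "docker")


@dataclass
class ProcessEvent:
    """Minimal Linux process_creation event; field names are assumptions."""
    image: str
    command_line: str
    parent_image: str = ""


def matches_selection(event: ProcessEvent) -> bool:
    """Sigma 'selection' block: Image|contains 'xclip' AND
    CommandLine|contains|all ['-sel', 'clip', '-o'].
    Sigma string modifiers and KQL 'contains' are case-insensitive, so
    both sides are lower-cased. Note that 'clip' is already satisfied by
    the process name "xclip" in the command line, so the rule effectively
    keys on '-sel' and '-o'."""
    image = event.image.lower()
    cmdline = event.command_line.lower()
    return IMAGE_CONTAINS in image and all(tok in cmdline for tok in COMMANDLINE_CONTAINS_ALL)


def is_excluded(event: ProcessEvent) -> bool:
    """Parent-process exclusions from the scenario list (scenarios 2 and 4)."""
    parent = event.parent_image.lower()
    return any(name in parent for name in EXCLUDED_PARENTS)


def classify(event: ProcessEvent) -> str:
    """'alert' if the rule fires and no exclusion applies, 'excluded' if an
    exclusion suppresses a match, 'no_match' otherwise."""
    if not matches_selection(event):
        return "no_match"
    return "excluded" if is_excluded(event) else "alert"


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Interactive read of the CLIPBOARD selection: '-selection' contains '-sel'
    # and 'clipboard' contains 'clip', so the long-option form also matches.
    ProcessEvent("/usr/bin/xclip", "xclip -selection clipboard -o", "/bin/bash"),
    # Same command launched by cron: scenario 2 exclusion applies.
    ProcessEvent("/usr/bin/xclip", "xclip -sel clip -o", "/usr/sbin/cron"),
    # Writing INTO the clipboard (-i) never matches: no '-o' token.
    ProcessEvent("/usr/bin/xclip", "xclip -sel clip -i", "/bin/bash"),
    # Different tool: the Image condition fails.
    ProcessEvent("/usr/bin/xsel", "xsel --clipboard --output", "/bin/bash"),
    # Jenkins agent driving xclip: scenario 4 exclusion applies.
    ProcessEvent("/usr/bin/xclip", "xclip -sel clip -o", "/opt/jenkins/agent"),
]


def run_samples(events=SAMPLE_EVENTS) -> list:
    """Classify each sample event; returns the verdicts in input order."""
    return [classify(e) for e in events]


if __name__ == "__main__":
    for event, verdict in zip(SAMPLE_EVENTS, run_samples()):
        print(f"{verdict:9} {event.parent_image} -> {event.command_line}")
```

Two caveats the samples surface: the rule does not fire on `xclip -o` by itself (no "-sel" token), and the content-based exclusions in scenarios 1 and 5 cannot be modeled here, because process_creation telemetry carries the command line but never the clipboard contents; those filters would need a separate data source.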