title: PowerShell Get Clipboard
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020/05/02
description: A General detection for the Get-Clipboard commands in PowerShell logs.
  This could be an adversary capturing clipboard contents.
detection:
  SELECTION_1:
    Payload: '*Get-Clipboard*'
  condition: SELECTION_1
falsepositives:
- unknown
id: 4cbd4f12-2e22-43e3-882f-bff3247ffb78
level: medium
logsource:
  category: ps_module
  definition: PowerShell Module Logging must be enabled
  product: windows
modified: 2021/10/16
references:
- https://github.com/OTRF/detection-hackathon-apt29/issues/16
- https://threathunterplaybook.com/evals/apt29/detections/7.A.2_F4609F7E-C4DB-4327-91D4-59A58C962A02.html
related:
- id: 5486f63a-aa4c-488d-9a61-c9192853099f
  type: derived
status: experimental
tags:
- attack.collection
- attack.t1115
ruletype: SIGMA