Update clipboard-capture.md

darkoperator · web-flow · commit 0192fd125329 · 2021-01-27T15:34:03.000-04:00
diff --git a/clipboard-capture.md b/clipboard-capture.md
@@ -1,11 +1,12 @@
 Clipboard Capture
 =================
 
-Sysmon will log EventID 24 for when an application stores text in the clipboard. This capability was added in version 12.0 of Sysmon under schema 4.40.When text us stored the event is generated and the text that was copied in to clipboard is stored as a file referenced by the hash in the location specified for deleted files with the same protections on the folder so only applications running under the context of the SYSTEM account can list and read the files. If no folder is speciied Sysmon will create a folder under the root of the main drive with its name. 
+Sysmon will log EventID 24 for when an application stores text in the clipboard. This capability was added in version 12.0 of Sysmon under schema 4.40. When text us stored the event is generated and the text that was copied in to clipboard is stored as a file referenced by the hash in the location specified for deleted files with the same protections on the folder so only applications running under the context of the SYSTEM account can list and read the files. If no folder is specified Sysmon will create a folder under the root of the main drive with its name. 
 
-Before creating filters for event a element of **\<CaptureClipboard\/\>** need to be added under the sysmon element. Once this element is added you can create filters for the event type. The **\<ArchiveDirectory\>** element in the configuration XML controls the location of the saved text. 
+Before creating filters for even a element of **\<CaptureClipboard\/\>** need to be added under the Sysmon element. Once this element is added you can create filters for the event type. The **\<ArchiveDirectory\>** element in the configuration XML controls the location of the saved text. 
+
+As it is obvious this type of data is sensitive since it may contain code, credentials, persona identifiable information or more. This is one of the reasons that the data is not stored in the eventlog but in the heavily permissioned folder. Because of this certain care should be taken when deciding on what systems it would be of value to enable this kind of logging. Recommended system would be servers that have RDP enabled, especially those exposed to untrusted networks. It is important to make sure that administrators of the system know that this is enabled and the danger of putting in scope an RDP window with sensitive text in the clipboard so as to not store sensitive information in systems. It is not recommended to enable this capture on client machines due to the risk of unencrypted sensitive data being stored even if the folder is heavily permissioned with Access Control Lists.
 
-As it is obivios this type of data is sensitive since it may contain code, credentials, persona identifiable informatior or more. This is one of the reasons that the data is not stored in the eventlog but in the heavily permissioned folder. Because of this certain care should be taken when deciding on what systems it would be of value to enable this kind of logging. Recomended system would be servers that have RDP enabled, specially those exposed to untrusted networks. It is important to make sure that administrators of the system know that this is enabled and the danger of putting in scope a RDP window with sensitive text in the clipboard so as to not store sensitive information in systems. It is not recommended to enable this capture on client machines do to the risk of unencrypted sensitive data being stored even if the folder are heavily permissioned with Access Control Lists. 
 
 The fields for the event are:
 
