clipboard-capture.md
Lines changed: 56 additions & 1 deletion
@@ -3,6 +3,10 @@ Clipboard Capture
3
3
4
4
Sysmon will log EventID 24 for when an application stores text in the clipboard. This capability was added in version 12.0 of Sysmon under schema 4.40.When text us stored the event is generated and the text that was copied in to clipboard is stored as a file referenced by the hash in the location specified for deleted files with the same protections on the folder so only applications running under the context of the SYSTEM account can list and read the files. If no folder is speciied Sysmon will create a folder under the root of the main drive with its name.
5
5
6
+
Before creating filters for event a element of **\<CheckRevocation \/\>** need to be added under the sysmon element. Once this element is added you can create filters for the event type. The **\<ArchiveDirectory\>** element in the configuration XML controls the location of the saved text.
7
+
8
+
As it is obivios this type of data is sensitive since it may contain code, credentials, persona identifiable informatior or more. This is one of the reasons that the data is not stored in the eventlog but in the heavily permissioned folder. Because of this certain care should be taken when deciding on what systems it would be of value to enable this kind of logging. Recomended system would be servers that have RDP enabled, specially those exposed to untrusted networks. It is important to make sure that administrators of the system know that this is enabled and the danger of putting in scope a RDP window with sensitive text in the clipboard so as to not store sensitive information in systems. It is not recommended to enable this capture on client machines do to the risk of unencrypted sensitive data being stored even if the folder are heavily permissioned with Access Control Lists.
9
+
6
10
The fields for the event are:
7
11
8
12
***RuleName**: Name of rule that triggered the event.
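Review bot: The element named in the first added sentence is wrong: the prose says "a element of **\<CheckRevocation \/\>** need to be added under the sysmon element" to enable the event, but the sample configuration added later in this same commit enables it with `<CaptureClipboard />` (CheckRevocation only governs certificate revocation checking and has nothing to do with clipboard capture). Suggest: "Before creating filters for this event, a `<CaptureClipboard />` element must be added under the `Sysmon` element." While touching these lines, fix the typos in the moved paragraph ("text us stored", "speciied", "obivios", "persona identifiable informatior", "Recomended", "specially", "do to", "folder are"), and tighten the RDP warning so it says plainly that anything pasted into a session on a capturing host is written to disk in clear text under the archive directory.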
@@ -23,4 +27,55 @@ The fields for the event are:
23
27
24
28
***Archived**: Status whether is was stored in the configured Archive directory.
25
29
26
-
As it is obivios this type of data is sensitive since it may contain code, credentials, persona identifiable informatior or more. This is one of the reasons that the data is not stored in the eventlog but in the heavily permissioned folder. Because of this certain care should be taken when deciding on what systems it would be of value to enable this kind of logging,
30
+
A sample configuration to capture all clipboard events:
31
+
32
+
```XML
33
+
<Sysmonschemaversion="4.40">
34
+
<HashAlgorithms>sha1</HashAlgorithms>
35
+
<CheckRevocation />
36
+
<CaptureClipboard />
37
+
<EventFiltering>
38
+
<RuleGroupname=""groupRelation="or">
39
+
<ClipboardChangeonmatch="exclude">
40
+
</ClipboardChange>
41
+
</RuleGroup>
42
+
</EventFiltering>
43
+
</Sysmon>
44
+
45
+
```
46
+
47
+
This is an event of a user connecting to a VM using Hyper-V console that leverages RDP:
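Review bot: The sample configuration omits the `<ArchiveDirectory>` element that the text above singles out as controlling where the captured clipboard text is written, so as written it silently falls back to the default folder under the root of the system drive; given the sensitivity warning, add an explicit `<ArchiveDirectory>` entry to the sample (and note that Sysmon creates it with the SYSTEM-only ACL described earlier). `<CheckRevocation />` is unrelated to clipboard capture and can be dropped from a minimal "capture everything" sample or marked optional, and since the archived file is named by the hash, consider `sha256` instead of `sha1` in `<HashAlgorithms>` so the file name correlates with the SHA-256 values most other tooling reports.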