Deployable detection rules
2 vendor-native detections · ready to paste into your SIEM · cross-linked to ATT&CK
Detections
Pbpaste Execution via Unusual Parent Process
Detects when an unusual parent process like Node.js, Python, or osascript executes the pbpaste binary to
access clipboard data. This technique has been used by malware like OtterCookie to steal passwords and
seed phrases from the clipboard.
Query (EQL):
process where host.os.type == "macos" and event.type == "start" and event.action == "exec" and
process.name == "pbpaste" and process.args_count == 1 and
(process.parent.name in ("node", "osascript") or process.parent.name like "python*") and
not process.parent.executable like "/Users/*/.pyenv/versions/*/bin/python3*"
Linux Clipboard Activity Detected
This rule monitors for the execution of the most common clipboard utilities on Unix systems by an uncommon parent process.
Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Query (KQL):
event.category:process and host.os.type:"linux" and event.type:"start" and
event.action:("exec" or "exec_event" or "executed" or "process_started" or "start") and
process.name:("xclip" or "xsel" or "wl-clipboard" or "clipman" or "copyq") and
not process.parent.name:("bwrap" or "micro")