This note documents detection patterns related to Clipboard Theft within Windows environments.
Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Security | 4688 | Process creation | Critical | Detects clipboard scraping tools and payload launchers. |
| Sysmon | 1 | Process creation | Critical | Best lineage source for clipboard theft tooling. |
| Sysmon | 10 | Process access | High | Some tools access target GUI processes. |
| Sysmon | 7 | Image loaded | Medium | Unusual DLLs tied to clipboard APIs. |
| PowerShell | 4104 | Script block logging | Critical | Clipboard cmdlets often exposed in scripts. |
| Sysmon | 11 | File create | Medium | Temporary clipboard dumps or staging files. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| Clipboard APIs in script/tool | GetClipboardData / SetClipboard | Critical | Strong collection clue. |
| PowerShell reads clipboard | Get-Clipboard | Critical | Common operator method. |
| Clipboard replaced quickly | Crypto address swapping | Critical | Common malware behavior. |
| Office/browser followed by clipboard read | Data theft sequence | High | Valuable context. |
| Temp text dump created | Clipboard staging | High | Strong artifact clue. |
| Repeated short polling | Frequent clipboard checks | High | Malware loop behavior. |
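As an added example (not code from the original note or from any tool named here), the Python below scores a constructed stream of process-creation / script-block events against the indicator table above and flags the "repeated short polling" pattern per process. The event field names (Computer, ProcessId, Time, CommandLine, ScriptBlockText), the 5-reads-in-60-seconds threshold and the sample events are assumptions.

```python
"""Added example, not code from the original note: score constructed Windows
events against the clipboard indicators above and flag repeated short polling.
Field names (Computer, ProcessId, Time, CommandLine, ScriptBlockText), the
5-reads-in-60-seconds threshold and the sample events are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Text patterns that point at clipboard read/replace activity (indicator table).
CLIPBOARD_PATTERNS = {
    "powershell_cmdlet": re.compile(r"\b(Get|Set)-Clipboard\b", re.I),
    "win32_api": re.compile(r"\b(Get|Set)ClipboardData\b|\bOpenClipboard\b", re.I),
    # clip.exe as a standalone token or full path, but not "eclipse" or "clipboard"
    "clip_exe": re.compile(r"(^|[\\\s\"'])clip(\.exe)?(?=[\s\"']|$)", re.I),
}

POLL_WINDOW = timedelta(seconds=60)   # assumed: 5+ clipboard reads inside 60 s
POLL_THRESHOLD = 5


def classify(event):
    """Return the indicator names whose pattern matches the event's text fields."""
    text = " ".join(str(event.get(k, "")) for k in ("CommandLine", "ScriptBlockText"))
    return [name for name, rx in CLIPBOARD_PATTERNS.items() if rx.search(text)]


def find_polling(events):
    """Sliding window per (Computer, ProcessId): return {key: peak_count} for
    processes whose clipboard references reach POLL_THRESHOLD inside POLL_WINDOW."""
    by_proc = defaultdict(list)
    for ev in events:
        if classify(ev):
            by_proc[(ev["Computer"], ev["ProcessId"])].append(ev["Time"])
    hits = {}
    for key, times in by_proc.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > POLL_WINDOW:
                start += 1          # shrink the window from the left
            count = end - start + 1
            if count >= POLL_THRESHOLD:
                hits[key] = max(hits.get(key, 0), count)
    return hits


def build_sample():
    """Constructed events: a host invoking Get-Clipboard every 10 s (4104-style),
    a single admin read, a clip.exe launch (4688-style) and a benign near-miss."""
    base = datetime(2026, 3, 7, 9, 0, 0)
    events = [
        {"Computer": "WS01", "ProcessId": 4321, "Time": base + timedelta(seconds=10 * i),
         "ScriptBlockText": "Get-Clipboard -Raw"}
        for i in range(7)
    ]
    events += [
        {"Computer": "WS01", "ProcessId": 5555, "Time": base + timedelta(minutes=30),
         "ScriptBlockText": "$text = Get-Clipboard; $text | Out-File $env:TEMP\\cb.txt"},
        {"Computer": "WS02", "ProcessId": 777, "Time": base,
         "CommandLine": "C:\\Windows\\System32\\clip.exe < notes.txt"},
        {"Computer": "WS02", "ProcessId": 778, "Time": base,
         "CommandLine": "eclipse.exe -data C:\\work"},
    ]
    return events


if __name__ == "__main__":
    sample = build_sample()
    for ev in sample:
        print(ev["Computer"], ev["ProcessId"], classify(ev))
    print("polling:", find_polling(sample))
```

The single read by PID 5555 and the clip.exe launch each produce an indicator hit but no polling hit; only the 10-second loop on WS01 crosses the threshold, which is the distinction the "Repeated short polling" row asks for. Keying on ProcessId works for 4104 events from one PowerShell host; for 4688 data, where every launch gets a new PID, key on the parent process instead.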
Common Tools
| Tool | Usage |
|---|---|
| PowerShell | Get-Clipboard |
| custom malware | Clipboard monitoring |
| info stealers | Clipboard scraping |
| AutoHotkey | Clipboard capture |
Relevant Artifacts
- Security Event ID 4688
- Sysmon Event IDs 1, 10, 7, 11
- PowerShell 4104
- Temp output files
- Prefetch for tool
- Browser / Office process correlation
- EDR process tree
MITRE ATT&CK References
- T1115 Clipboard Data
Decision Tree
- Which process accessed the clipboard?
  - PowerShell
  - Script host
  - Malware
- Read or replace?
  - Theft
  - Swap
  - Monitoring loop
- Adjacent context?
  - Browser
  - Office
  - Wallet activity
- Output artifact?
  - Temp file
  - Exfil chain
- Expand:
  - Network exfil
  - Credential theft
  - Browser dumping
- Scope:
  - Single collection
  - Repeated polling
  - Malware campaign
Example Detection Templates
KQL
```kql
// Security 4688: process launches referencing the clipboard cmdlet or clip.exe
// (has_any matches whole terms, so "clip" covers clip.exe without matching "clipboard")
SecurityEvent
| where EventID == 4688
| where CommandLine has_any ("Get-Clipboard", "clip")
| project TimeGenerated, Computer, CommandLine
```

```kql
// PowerShell 4104 script block logging; table and column names as used in this note
PowerShell
| where EventID == 4104
| where ScriptBlockText has "Get-Clipboard"
| project TimeGenerated, Computer, ScriptBlockText
```
EQL
```eql
// any process whose command line references Get-Clipboard
process where process.command_line like "*Get-Clipboard*"
```

```eql
// clipboard read followed within 5 minutes by a file created under a temp path on the same host
sequence by host.name with maxspan=5m
  [ process where process.command_line like "*Get-Clipboard*" ]
  [ file where file.path like "*temp*" ]
```
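The EQL sequence above and the "Office/browser followed by clipboard read" row in the indirect indicators table are both two-stage correlations with a time bound. As an added example (not code from the original note and not Elastic's EQL engine), the Python below implements a simplified `sequence ... by ... with maxspan` correlator and runs both patterns over constructed ECS-style events, including near misses that fall outside the span. The field names, the process list, the 5-minute span and the sample events are assumptions.

```python
"""Added example, not code from the original note or from Elastic: a simplified
EQL-style `sequence by <key> with maxspan` correlator over constructed ECS-like
events, covering the Get-Clipboard-then-temp-file sequence and the
browser/Office-then-clipboard-read indicator. Field names, the process list,
the 5-minute span and the sample events are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta


def sequence(events, stages, key, maxspan):
    """Return tuples of events, one per stage in order, sharing key(event) and
    all within maxspan of the first; events are processed in timestamp order."""
    groups = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        groups[key(ev)].append(ev)
    matches = []
    for evs in groups.values():
        partial = []  # partially matched tuples awaiting later stages
        for ev in evs:
            ts = ev["@timestamp"]
            # expire partials whose first event is older than maxspan
            partial = [p for p in partial if ts - p[0]["@timestamp"] <= maxspan]
            kept = []
            for p in partial:
                if stages[len(p)](ev):
                    p = p + (ev,)
                    if len(p) == len(stages):
                        matches.append(p)
                        continue          # completed: drop it from the pending set
                kept.append(p)
            if stages[0](ev):
                kept.append((ev,))        # every stage-0 event opens a new partial
            partial = kept
    return matches


# Assumed process list for the "adjacent context" stage.
OFFICE_OR_BROWSER = {"chrome.exe", "msedge.exe", "firefox.exe",
                     "winword.exe", "excel.exe", "outlook.exe"}


def is_office_or_browser(ev):
    return ev["event.category"] == "process" and ev.get("process.name", "").lower() in OFFICE_OR_BROWSER


def is_clipboard_read(ev):
    return ev["event.category"] == "process" and "get-clipboard" in ev.get("process.command_line", "").lower()


def is_temp_file(ev):
    return ev["event.category"] == "file" and "temp" in ev.get("file.path", "").lower()


CLIPBOARD_THEN_TEMP_FILE = [is_clipboard_read, is_temp_file]   # the EQL sequence above
OFFICE_THEN_CLIPBOARD = [is_office_or_browser, is_clipboard_read]  # indirect indicator row
MAXSPAN = timedelta(minutes=5)


def by_host(ev):
    return ev["host.name"]


def build_sample():
    """Constructed events: one full chain on WS01, two near misses outside the span."""
    t0 = datetime(2026, 3, 7, 10, 0, 0)

    def proc(host, minutes, name, cmd):
        return {"@timestamp": t0 + timedelta(minutes=minutes), "host.name": host,
                "event.category": "process", "process.name": name, "process.command_line": cmd}

    def file_ev(host, minutes, path):
        return {"@timestamp": t0 + timedelta(minutes=minutes), "host.name": host,
                "event.category": "file", "file.path": path}

    return [
        proc("WS01", 0, "chrome.exe", "chrome.exe --profile-directory=Default"),
        file_ev("WS01", 1, "C:\\Users\\a\\Documents\\notes.txt"),            # not a temp path
        proc("WS01", 2, "powershell.exe", 'powershell.exe -c "Get-Clipboard"'),
        file_ev("WS01", 3, "C:\\Users\\a\\AppData\\Local\\Temp\\cb.txt"),
        proc("WS02", 0, "powershell.exe", 'powershell.exe -c "Get-Clipboard"'),
        file_ev("WS02", 6, "C:\\Users\\b\\AppData\\Local\\Temp\\out.txt"),  # 6 min: outside 5m span
        proc("WS03", 0, "winword.exe", "winword.exe report.docx"),
        proc("WS03", 10, "powershell.exe", 'powershell.exe -c "Get-Clipboard"'),  # 10 min: outside span
    ]


if __name__ == "__main__":
    evs = build_sample()
    for label, stages in (("clipboard->temp", CLIPBOARD_THEN_TEMP_FILE),
                          ("office/browser->clipboard", OFFICE_THEN_CLIPBOARD)):
        for m in sequence(evs, stages, by_host, MAXSPAN):
            print(label, m[0]["host.name"], [e["@timestamp"].time() for e in m])
```

Widening the span to 10 minutes pulls both near misses in, which is the trade-off the `maxspan` value sets: a tight window keeps the "data theft sequence" precise, a loose one catches slower operators at the cost of more benign temp-file noise.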
Sigma
```yaml
title: Clipboard Theft Detection
id: 8d4f3b10-clipboard-theft
status: experimental
description: Detects suspicious clipboard access patterns
references:
  - https://attack.mitre.org/
author: Vergil
date: 2026-03-07
logsource:
  product: windows
  service: powershell
detection:
  selection:
    ScriptBlockText|contains: 'Get-Clipboard'
  condition: selection
fields:
  - ScriptBlockText
falsepositives:
  - Legitimate admin scripts
level: high
tags:
  - attack.collection
  - attack.t1115
```
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| PowerShell logging | Detect clipboard cmdlets | Critical | Strong visibility |
| Watch clipboard API use | High-value for malware | High | Strong enrichment |
| Correlate with browser theft | Strong context | High | Improves triage |
| Alert on clipboard swap behavior | Crypto theft detection | Critical | High-value |
| Preserve temp files | Recover stolen data path | High | Useful DFIR artifact |