📘
CAS Cybersecurity
  • Start
  • Reconnaissance
    • Opensource Intelligence
  • Docker basics and Images
    • Damn Vulnerable Webapp
    • bWAPP
    • Juice Webshop
    • Webgoat
    • Metasploitable 2
    • Metasploitable 3
    • MISP Docker (old)
    • MISP Docker (new)
  • Scanning and Enumeration
    • Scanning with zenmap
    • Scanning with nmap
    • Scanning with msf auxiliary
  • Vulnerability Scanning and Analysis
    • OpenVAS
    • nmap vulnerability scan
    • MSF Auxiliary Modules
  • Exploitation
    • Metasploitable 2
    • Redis Server
    • Print Nightmare
    • Baron Samedit
    • Polkit
    • Heartbleed
  • Man in the Middle
    • ARP Cache poisoning
    • RDP MitM Exercise
  • Windows Hacking
    • Throwback Network
      • Entering the breach
      • Exploring the caverns
      • Webshells and you!
      • First Contact
    • WinAttack LAB
      • Module 01
      • Module 02
      • Module 03
      • Module 04
      • Module 05
      • Module 06
      • Module 07
      • Module 08
      • Module 09
      • Module 10
  • Web Application Security
    • Burp Proxy Introduction
    • DVWA
      • DVWA Exercises 1
      • DVWA Exercises 2
      • DVWA Exercises 3
      • DVWA Exercises 4
      • DVWA Exercises 5
      • DVWA Exercises 6
      • DVWA Exercises 7
      • DVWA Exercises 8
  • CTF and Crypto Exercises
    • Cyberchef Challenge
    • HTB Invite Challenge
    • BSides London 2019 Challenge
    • Ninja Sec Challenge
  • Threat Intelligence
    • MISP Exercise 1
    • MISP Exercise 2
    • MISP Exercise 3
    • MISP Exercise 4
    • MISP Exercise 5
    • MISP Exercise 6
    • MISP Exercise 7
    • MISP Exercise 8
    • Virus Total Graph Exercise
    • RFI Incoming!
  • Forensic Exercises
    • Disk Forensics
      • The Sleuth Kit Intro
      • Filecarving with Foremost
      • Filecarving with scalpel
      • Bulk extractor
      • Disk acquisition with dd
      • Disk acquisition with dcfldd
      • Disk acquisition with ewftools
      • Disk acquisition with FTK Imager
      • Mount disk image (raw)
      • Unknown USB Stick
      • USB Stick Filecarving
      • Autopsy Exercise
    • Windows Forensics
      • Bitunlocker
      • Alternate Datastreams
    • Memory Forensics
      • Volatility2 Basics (Linux)
      • Volatility2 Exercise 1
      • Volatility3 Exercise 1
      • Volatility3 Exercise 2
      • Volatility3 Exercise 3
    • Image Forensics
      • Unswirl Image
      • Manual Filecarving 1
      • Manual Filecarving 2
    • Browser Forensics
    • Mail Header Analysis
    • Timestomping Exercise
    • Network Forensics
      • Tshark Exercise
  • Malware Analysis
    • Ransomware
      • General Introduction
      • Ryuk
      • RansomEXX
      • REvil
      • BlackMatter
      • Hades
      • Egregor
      • DoppelPaymer
    • YARA
      • YARA Install
      • yarGen
      • YARA with Cyberchef
      • TCP dump analysis
      • Memory dump analysis
    • Dosfuscated Scripts
  • Android Malware
    • LAB Setup 1
    • LAB Setup 2
    • Android Manifest
    • Android Permissions
    • APP Tracing with Frida
    • AES Key decryption
    • RedAlert
    • BlackRoseLucy
    • Crackme RE Challenge
  • Forensic Readiness
    • Windows Event Logs
    • Windows Sysmon
    • Sysmon: Capture Clipboard
    • Sysmon: Process Injection
    • Ransomware Detection
      • Signature based
  • Live Response
    • Velociraptor P1
    • Velociraptor P2
    • Velociraptor P3
    • Windows Response LAB
      • Lateral Movement Detection
      • Detect persistence
      • Volatility Analysis
Powered by GitBook
On this page
  • 1. Introduction
  • 2. Enable Clipboard
  • 3. Eventlogs
  • 4. Security Questions
  • Answers

Was this helpful?

  1. Forensic Readiness

Sysmon: Capture Clipboard

PreviousWindows SysmonNextSysmon: Process Injection

Last updated 3 years ago

Was this helpful?

1. Introduction

You are a SOC Analyst who wants to get as much information as possible when analyzing a potentially compromised machine. With Sysmon 12, it is now possible to capture clipboard data, a feature that will further help you with incident response.

2. Enable Clipboard

First, you have to enable clipboard capture. To do so, open elevated Command Prompt and cd to C:\Tools folder, where you'll find sysmon.exe. By default, Sysmon is not capturing clipboard changes, so you need to create a sysmon.cfg.xml config file and add the necessary configuration into it. This will enable one of Sysmon's many features, namely the new 'CaptureCliboard' feature.

The configuration that enables clipboard capture:

<Sysmon schemaversion="4.40">
  <CaptureClipboard />
  <EventFiltering>
      <RuleGroup name="" groupRelation="or">
          <ClipboardChange onmatch="exclude">
          </ClipboardChange>
      </RuleGroup>
  </EventFiltering>
</Sysmon>

3. Eventlogs

Now that you have started Sysmon with the new config file, every time someone copy-pastes something an event gets created. If you take another look at Sysmon help (with sysmon -help), you'll find that the events in Event Viewer are created to Applications and Services Logs/Microsoft/Windows/Sysmon/Operational. If you dig a bit deeper with sysmon -? config, you'll also find the event ID for each corresponding event.

Event details: Time: Time of the event.

ProcessGuid: Unique value for this process to make event correlation easier.

Processid: Process ID of the app from where the user copied the data.

Image: Name of the app from where the user copied the data.

Clientinfo: User who copied the data. STUDENT\ContosoAdmin.

Hashes: SHA1 hash that is used when naming the data file (in the format of CLIP-SHA1_HASH).

You won't see the copied data in the Event Viewer. The data is stored in the protected C:\Sysmon folder where the file name follows the pattern of CLIP-SHA1_HASH. Each event creates a file whose name corresponds to the hashes in the event.

Let's try to start a cmd as SYSTEM

psexec -sid cmd.exe

4. Security Questions

  1. Which Event ID gets created each time the clipboard is used?

  2. Where is the content of the Clipboard stored?

  3. Which tool and parameter do you use to beome SYSTEM

Answers

  1. 24

  2. In a protected folder C:\Sysmon

  3. psexec -sid cmd