Sysmon: Capture Clipboard
Last updated
Last updated
You are a SOC Analyst who wants to get as much information as possible when analyzing a potentially compromised machine. With Sysmon 12, it is now possible to capture clipboard data, a feature that will further help you with incident response.
First, you have to enable clipboard capture. To do so, open elevated Command Prompt and cd to C:\Tools folder, where you'll find sysmon.exe. By default, Sysmon is not capturing clipboard changes, so you need to create a sysmon.cfg.xml config file and add the necessary configuration into it. This will enable one of Sysmon's many features, namely the new 'CaptureCliboard' feature.
The configuration that enables clipboard capture:
Now that you have started Sysmon with the new config file, every time someone copy-pastes something an event gets created. If you take another look at Sysmon help (with sysmon -help), you'll find that the events in Event Viewer are created to Applications and Services Logs/Microsoft/Windows/Sysmon/Operational. If you dig a bit deeper with sysmon -? config, you'll also find the event ID for each corresponding event.
Event details: Time: Time of the event.
ProcessGuid: Unique value for this process to make event correlation easier.
Processid: Process ID of the app from where the user copied the data.
Image: Name of the app from where the user copied the data.
Clientinfo: User who copied the data. STUDENT\ContosoAdmin.
Hashes: SHA1 hash that is used when naming the data file (in the format of CLIP-SHA1_HASH).
You won't see the copied data in the Event Viewer. The data is stored in the protected C:\Sysmon folder where the file name follows the pattern of CLIP-SHA1_HASH. Each event creates a file whose name corresponds to the hashes in the event.
Let's try to start a cmd as SYSTEM
psexec -sid cmd.exe
Which Event ID gets created each time the clipboard is used?
Where is the content of the Clipboard stored?
Which tool and parameter do you use to beome SYSTEM
24
In a protected folder C:\Sysmon
psexec -sid cmd
