Sysmon 12.0 — EventID 24

Olaf Hartong
Sep 18 · 4 min read

Sysmon 12 is out, with a new event ID, number 24, and a very useful new feature: clipboard monitoring.

There is an obvious use for this in forensic investigations during and after an incident. However, there are additional ways to use it to trigger detections as well.

The clipboard will obviously carry sensitive data too: passwords, keys, personal information and so on. For that reason the clipboard content itself is not written to the event log, and as such is not centrally aggregated, since it would then be accessible to many people. Only metadata ends up in the event; the content goes to a protected archive folder on the host.

[Screenshot: Event ID 24 generated after a copy to the clipboard in PowerShell.]

The new event contains the following fields:

Image: the process that wrote to the clipboard.
Session: the session in which the process writing to the clipboard runs. This can be the system session (0), an interactive session, a remote session, etc.
ClientInfo: the session username and, in the case of a remote session, the originating hostname and the IP address when available.
Hashes: the hash of the clipboard content, computed with the configured hash algorithm(s). This also determines the archive file name, the same as for the FileDelete event.
Archived: whether the content was stored in the configured archive directory.

[Screenshot: Default archive directory, Sysmon, with a clipboard capture.]

The clipboard files are written to the same protected folder as the FileDelete (ID 23) archives, as described in the earlier post on that event. They are prefixed with the CLIP- tag and otherwise follow the same naming scheme, based on the hash algorithm you have configured.

The files themselves contain the exact data that was copied to the clipboard.
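As an added example (not part of the original post), here is a PowerShell script that pulls Event ID 24 records from the Sysmon operational log, flattens the fields listed above and, where Archived is true, reads the matching CLIP- file back from the archive folder. It assumes the default archive directory C:\Sysmon, the CLIP-<hash value> file naming described above, and that it is run as SYSTEM, since the archive folder is only readable by SYSTEM.

```powershell
# Added example (not from the original post): list Sysmon Event ID 24 records and,
# where Archived is true, read back the CLIP-<hash> file from the archive folder.
# Assumptions: default archive directory C:\Sysmon (ArchiveDirectory not changed),
# file name CLIP-<hash value> as described in the post, and the script runs as SYSTEM
# because the archive folder's ACL only allows SYSTEM to read it.
param(
    [string]$ArchiveRoot = 'C:\Sysmon',
    [int]$MaxEvents = 50
)

function Get-SysmonClipboardEvent {
    param([int]$Max = 50)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 24 } -MaxEvents $Max -ErrorAction Stop |
        ForEach-Object {
            # Flatten <EventData><Data Name="...">...</Data></EventData> into a hashtable
            $xml = [xml]$_.ToXml()
            $data = @{}
            foreach ($item in $xml.Event.EventData.Data) { $data[$item.Name] = $item.'#text' }
            [pscustomobject]@{
                Time       = $_.TimeCreated
                Image      = $data['Image']
                Session    = [int]$data['Session']
                ClientInfo = $data['ClientInfo']
                Hashes     = $data['Hashes']
                Archived   = ($data['Archived'] -eq 'true')
            }
        }
}

function Get-ArchivedClipboardText {
    param([string]$Hashes, [string]$Root)
    # Hashes looks like "SHA256=ABCD...,MD5=..." (only the configured algorithms are present).
    # The archive file is named CLIP-<value>, so try each value until a file is found.
    foreach ($pair in ($Hashes -split ',')) {
        $value = ($pair -split '=', 2)[-1]
        $path  = Join-Path $Root ("CLIP-$value")
        if (Test-Path -LiteralPath $path) {
            return Get-Content -LiteralPath $path -Raw
        }
    }
    return $null
}

Get-SysmonClipboardEvent -Max $MaxEvents | ForEach-Object {
    $text = if ($_.Archived) { Get-ArchivedClipboardText -Hashes $_.Hashes -Root $ArchiveRoot } else { $null }
    [pscustomobject]@{
        Time       = $_.Time
        Image      = $_.Image
        Session    = $_.Session
        ClientInfo = $_.ClientInfo
        # Show a short preview only; the full content may be a password.
        Preview    = if ($text) { $text.Substring(0, [Math]::Min(40, $text.Length)) } else { '<not archived / not found>' }
    }
} | Format-Table -AutoSize
```

Run it from a SYSTEM shell (for example via psexec -s); as a normal administrator Get-WinEvent still returns the events but the archive reads fail on the ACL. Treat the output as sensitive, since the preview column can contain exactly the passwords the post warns about.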

[Screenshot: Sample clipboard capture.]

‘Drive-by’ captures

Another interesting case is where Sysmon captures text that is on the clipboard but has not been pasted yet when you switch to a VM (or an RDP session). This can give very useful insights into attacker behaviour or mistakes.
For instance, if you have something on the clipboard and hop between RDP sessions, this information travels with you.

Obviously this is also true for administrator behaviour. It is highly likely you will capture passwords they copy and paste into RDP sessions as well; take this into account in your risk assessment.

How about password managers?

Password managers use the clipboard as well, unless you use the autofill feature, which has its own problems on another level. Having Sysmon on a system with a password manager means you will capture passwords.

In the example below I installed LastPass, one of the popular tools, created a test credential set and then pressed the copy password button.
Sysmon records it, but sadly the event is not attributed to the program itself (lpwinmetro.exe) but to svchost.exe. Filtering out password managers will therefore not be as simple as excluding their image, so please take this into account.

[Screenshot: Capture of a copy password click.]

Note: this was a brief test with only one password manager. In time it would be useful to investigate several tools and versions in order to create a whitelist.

Another option could be to filter out svchost.exe, making sure you do not capture passwords from your password manager. This may, however, blind you to other clipboard writes that are attributed to svchost.exe. It will require some more research in your environment to make this call properly.

Applications

As mentioned before, the forensic use of this feature is immediately apparent. Some red teamers and malicious attackers might see a benefit here as well, so you might want to put file auditing on the archive folder and alert whenever a process other than Sysmon accesses it.
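One way to implement that auditing, as an added example rather than something from the post: a PowerShell script that adds a success audit ACE to the archive folder, enables the File System audit subcategory and lists 4663 events on that folder whose process is not the Sysmon binary. The C:\Sysmon path and the Sysmon64.exe image name are assumptions.

```powershell
# Added example (not from the original post): put a file-system audit ACE on the Sysmon
# archive folder, enable the File System audit subcategory, and list 4663 access events
# that did not come from the Sysmon binary.
# Assumptions: archive folder C:\Sysmon (the default), Sysmon installed as Sysmon64.exe;
# the folder is SYSTEM-only, so run this as SYSTEM (e.g. psexec -s) for Get-Acl/Set-Acl to succeed.
$ArchiveRoot        = 'C:\Sysmon'
$SysmonImagePattern = '*\Sysmon*.exe'

function Enable-ArchiveAudit {
    param([string]$Path)
    # Audit successful reads by anyone, inherited to files and subfolders.
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        'Everyone',
        'ReadData',
        'ContainerInherit, ObjectInherit',
        'None',
        'Success')
    $acl = Get-Acl -Path $Path -Audit
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
    # Object access auditing is off by default; turn on the File System subcategory.
    auditpol.exe /set '/subcategory:File System' /success:enable | Out-Null
}

function Get-NonSysmonArchiveAccess {
    param([string]$Path, [int]$Max = 200)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents $Max -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Flatten the EventData of the 4663 record into a hashtable.
            $xml = [xml]$_.ToXml()
            $d = @{}
            foreach ($item in $xml.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                User    = $d['SubjectUserName']
                Process = $d['ProcessName']
                Object  = $d['ObjectName']
            }
        } |
        Where-Object { $_.Object -like "$Path*" -and $_.Process -notlike $SysmonImagePattern }
}

Enable-ArchiveAudit -Path $ArchiveRoot
Get-NonSysmonArchiveAccess -Path $ArchiveRoot | Format-Table -AutoSize
```

Observe what the legitimate archive writes look like on your build before wiring this to an alert, and widen the exclusion if they are attributed to something other than the Sysmon image; anything else touching that folder, including an administrator browsing it, is worth a ticket.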

Another possible use is to create a baseline of tools writing to the clipboard and build detection logic on anomalies.

Furthermore, having the originating user, hostname and IP address provides another trigger, since unauthorized RDP or remote sessions can be detected this way. When an attacker copies over a script to be executed directly on the command line, for instance, you will be able to recover it or, as mentioned before, all the commands they intended to execute.
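Putting the baseline and the remote-session idea together, as an added example that is not part of the original post: PowerShell detection logic run over constructed sample records in the shape of a flattened Event ID 24. The ClientInfo layout (user: ... hostname: ... ip: ...) is assumed from the field description above, and the baseline, host and address allow-lists are illustrative.

```powershell
# Added example (not from the original post): baseline/anomaly logic for Event ID 24,
# run here over constructed sample records rather than the live log.
# Assumptions: ClientInfo follows the "user: ... hostname: ... ip: ..." layout described
# in the post (hostname/ip only present for remote sessions); the baseline and
# allow-lists below are illustrative, not real values.

# Constructed sample records in the shape produced by flattening the EventData of ID 24.
$SampleEvents = @(
    [pscustomobject]@{ Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; Session = 1; ClientInfo = 'user: LAB\alice' },
    [pscustomobject]@{ Image = 'C:\Windows\System32\svchost.exe';                            Session = 1; ClientInfo = 'user: LAB\alice' },
    [pscustomobject]@{ Image = 'C:\Windows\System32\notepad.exe';                            Session = 3; ClientInfo = 'user: LAB\svc_backup hostname: WKS-7731 ip: 10.10.5.23' },
    [pscustomobject]@{ Image = 'C:\Users\Public\upd.exe';                                    Session = 3; ClientInfo = 'user: LAB\admin hostname: kali ip: 203.0.113.7' }
)

# Baseline of images normally seen writing to the clipboard, and hosts allowed to RDP in.
$BaselineImages  = @('*\powershell.exe', '*\svchost.exe', '*\notepad.exe', '*\explorer.exe')
$AllowedRdpHosts = @('WKS-*', 'JUMP-*')
$AllowedRdpCidr  = '10.10.'   # crude prefix match; replace with real CIDR logic in production

function ConvertFrom-ClientInfo {
    param([string]$ClientInfo)
    # Pull the labelled tokens out of ClientInfo; missing hostname/ip means a local session.
    $m = [regex]::Match($ClientInfo, 'user:\s*(?<user>\S+)(?:\s+hostname:\s*(?<host>\S+))?(?:\s+ip:\s*(?<ip>\S+))?')
    [pscustomobject]@{
        User     = $m.Groups['user'].Value
        Host     = $m.Groups['host'].Value
        Ip       = $m.Groups['ip'].Value
        IsRemote = $m.Groups['host'].Success
    }
}

function Test-ClipboardEvent {
    param([pscustomobject]$Event)
    $ci = ConvertFrom-ClientInfo $Event.ClientInfo
    $reasons = @()
    # Anomaly 1: a process outside the baseline wrote to the clipboard.
    if (-not ($BaselineImages | Where-Object { $Event.Image -like $_ })) {
        $reasons += "image not in baseline: $($Event.Image)"
    }
    # Anomaly 2: the write came from a remote session that is not from an expected host/range.
    if ($ci.IsRemote) {
        $hostOk = $AllowedRdpHosts | Where-Object { $ci.Host -like $_ }
        if (-not $hostOk -or -not $ci.Ip.StartsWith($AllowedRdpCidr)) {
            $reasons += "remote session from unexpected source: $($ci.Host) ($($ci.Ip))"
        }
    }
    [pscustomobject]@{
        User    = $ci.User
        Image   = $Event.Image
        Remote  = $ci.IsRemote
        Alert   = ($reasons.Count -gt 0)
        Reasons = ($reasons -join '; ')
    }
}

# On the sample data only the fourth record alerts, on both the unknown image and the RDP source.
$SampleEvents | ForEach-Object { Test-ClipboardEvent $_ } | Format-Table -AutoSize
```

To run this against a real host, replace $SampleEvents with the flattened output of Get-WinEvent on the Sysmon operational log and feed the baseline from a few weeks of observed Image values; the svchost.exe entry in the baseline is there deliberately, because of the password manager observation above.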

Configuration

Enabling it is fairly simple and works the same as for all other event types: a ClipboardChange rule in the EventFiltering section of the Sysmon configuration, with onmatch set to include or exclude.
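As an added example (not the post's own configuration), a PowerShell script that writes a minimal Sysmon 12 configuration enabling ClipboardChange and applies it. The schema version 4.40, the Sysmon64.exe path, the hash algorithm choice and the commented-out svchost.exe exclusion for the password manager case are assumptions to adjust to your environment; note that sysmon -c replaces the whole running configuration, so merge this into your existing one rather than applying it on its own.

```powershell
# Added example (not from the original post): a minimal Sysmon configuration that turns on
# ClipboardChange (Event ID 24), written to disk and applied with sysmon64.exe -c.
# Assumptions: Sysmon installed as Sysmon64.exe in the Windows directory, schema 4.40
# (the Sysmon 12 schema); the exclusion for the password manager is illustrative, based on
# the svchost.exe observation in the post, and should be verified in your own environment.
$ConfigPath = Join-Path $env:TEMP 'sysmon-clipboard.xml'

$Config = @'
<Sysmon schemaversion="4.40">
  <!-- Clipboard archives are named CLIP-<hash>; the algorithm here decides the name. -->
  <HashAlgorithms>SHA256</HashAlgorithms>
  <!-- Protected folder on the system volume root (C:\Sysmon), SYSTEM-only ACL. -->
  <ArchiveDirectory>Sysmon</ArchiveDirectory>
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <!-- onmatch="exclude" with no rules inside logs every clipboard write. -->
      <ClipboardChange onmatch="exclude">
        <!-- Optional: drop the process the password manager's copy button is attributed to.
             This also hides every other clipboard write attributed to svchost.exe, so
             only enable it after testing what you lose. -->
        <!-- <Image condition="is">C:\Windows\System32\svchost.exe</Image> -->
      </ClipboardChange>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
'@

Set-Content -Path $ConfigPath -Value $Config -Encoding UTF8
# Apply to the running Sysmon service. This replaces the active configuration, including
# the rules for all other event types, so in practice merge the block into your full config.
& "$env:SystemRoot\Sysmon64.exe" -c $ConfigPath
```

After applying it, copy some text in PowerShell and check the Sysmon operational log for an Event ID 24 with Archived set to true and the matching CLIP- file in the archive folder.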

Summary

Sysmon captures:

  • Text copy/paste over RDP and locally (keep in mind: this includes passwords).
  • Clipboard writes by tools.
  • Text copy/paste from or to a local VM, including clipboard content that has not been pasted yet.

It does not capture:

  • File copy/paste from or to a local VM, by design.
  • File copy/paste over RDP, by design.
  • Malware reading your clipboard; only writes to the clipboard are recorded.

It provides very welcome additional forensic artefacts plus the ability to create additional means of detecting malicious sessions.

FalconForce

A team of highly specialized security professionals
