Sysmon 12.0 — EventID 24 | By Olaf Hartong

Sysmon 12.0 — EventID 24

Sysmon 12 is out, with a new event ID: number 24. A very useful new feature, clipboard monitoring.

Now there is an obvious great use for this in forensic investigations during and after an incident. However, there are additional ways to use this to also trigger detections on.

There obviously will be sensitive data in here as well, like passwords, keys, personal information and so on. Therefore the information is not directly captured to the event log and as such not centrally aggregated, since then it would be accessible for many people.

Event ID 24 generated after a copy to the clipboard in PowerShell.

The new event contains the following fields:

Image: The process that recorded to the clipboard.
Session:
 Session where the process writing to the clipboard is running. This can be system(0) interactive or remote, etc.

ClientInfo: this will contain the session username, and in case of a remote session the originating hostname, and the IP address when available.
Hashes: This determines the file name, same as the FileDelete event.
Archived: Status whether is was stored in the configured Archive directory.

Default archive directory, Sysmon, with a clipboard capture.

The clipboard files are written to the same protected folder as the File Delete (ID23) archives, as described in this post. The are prepended with the CLIP- tag and have the same file naming scheme, the hash configuration you use.

The files themselves contain the exact data that was copied to the clipboard.

Sample clipboard capture.

‘Drive-by’ captures

Another interesting case is where Sysmon captures text on the clipboard that is not pasted yet when switching to a VM (or RDP session). This might give very useful insights into attacker behavior or mistakes.
For instance, if you have something on the clipboard and hop between RDP sessions, this information will travel with you.

Obviously this is also true for administrator behavior. It’s highly likely you will be capturing passwords they copy/paste into RDP sessions as well; take this into account in your risk assessment.

How about password managers?

Password managers use the clipboard as well, unless you use the autofill feature, which also has its problems on another level. Having Sysmon on a system with a password manager will have you capture passwords.

In the example below I’ve installed LastPass, one of the popular tools, created a test credential set and then pressed the copy password button.
Sysmon records it, sadly not invoked by the program itself (lpwinmetro.exe), but by svchost.exe. Filtering password managers therefore will be not as simple, so please take this into account.

Capture of a copy password click.

Note: this was a brief test with only one password manager. In time it would be useful to investigate several tools and versions in order to create a whitelist.

Another option could be for instance to filter svchost.exe, making sure you won’t capture passwords from your password manager. This might potentially blind you from capturing other processes. This will require some more research in your environment to properly make this call.

Applications

As mentioned before the forensic use of this feature is immediately apparent, even some red teamers / malicious attackers might see some benefit here — which you might want to put some file auditing on and alert on whenever a process other than Sysmon is accessing this archive folder.

Another possibly use is to create a baseline of tools writing to the clipboard and create some detection logic on anomalies.

Furthermore having the originating user / hostname and IP address will provide another means of triggers since unauthorized RDP /remote sessions can be detected this way. When an attacker copies over a script to be executed directly on the command-line for instance you’ll be able to recover this or, as mentioned before, all commands they intended to execute.

Configuration

To enable it is fairly simple and similar to all other event types. A very basic example is:

<Sysmon schemaversion="4.40">
  <!-- Capture all hashes -->
  <HashAlgorithms>*</HashAlgorithms>
  <CheckRevocation />
  <CaptureClipboard />
  <EventFiltering>
      <RuleGroup name="" groupRelation="or">
         <ClipboardChange onmatch="exclude">
         </ClipboardChange>
      </RuleGroup> 
  </EventFiltering>
</Sysmon>

Summary

Sysmon captures:

  • Text copy paste over RDP and locally (keep in mind: also passwords).
  • Clipboard captures by tools.
  • Text copy / paste from or to a local VM, even the clipboard that is not pasted yet.

It does not capture:

  • File copy / pastes from or to a local VM, by design.
  • File copy / pastes over RDP, by design.
  • Malware capturing your clipboard, only writes to the clipboard itself.

It provides very welcome additional forensic artefacts plus the ability to create additional means of detecting malicious sessions.

Originally published here: https://medium.com/falconforce/sysmon-12-0-eventid-24-31e0109c78e3

September 21, 2020
Subscribe
Notify of
guest

This site uses Akismet to reduce spam. Learn how your comment data is processed.

0 Comments
Inline Feedbacks
View all comments
© HAKIN9 MEDIA SP. Z O.O. SP. K. 2013