Sysmon 12.0 — EventID 24
Sysmon 12 is out, and it brings a new event, ID 24, with a very useful feature: clipboard monitoring.
The obvious use for this is in forensic investigations, during and after an incident. It can, however, also be used to trigger detections.
The captured data will obviously include sensitive material such as passwords, keys and personal information. The clipboard contents are therefore not written to the event log itself and so are not centrally aggregated, where many people would be able to read them. The event only carries a hash that identifies a locally stored copy of the content.
Event ID 24 generated after a copy to the clipboard in PowerShell.
The new event contains the following fields:
Image: The process that wrote to the clipboard.
Session: The session in which the process writing to the clipboard is running. This can be session 0 (system), an interactive session, a remote session, etc.
ClientInfo: The session username and, for a remote session, the originating hostname and, when available, the IP address.
Hashes: The hash of the clipboard content. This determines the file name of the stored capture, same as....
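To show how the fields above can feed a detection, here is an added example, not code from the post or from Sysmon itself: a PowerShell script that parses an Event ID 24 record, derives the path of the stored capture from the Hashes field, and flags clipboard writes from session 0, from a remote session, or by a script host. The default archive directory C:\Sysmon, the CLIP-<hash> file naming (using the first configured hash algorithm) and the exact layout of ClientInfo are assumptions not stated on this page, and the sample event is constructed, not a real capture.

```powershell
# Added example, not code from the original post or from Sysmon.
# Assumptions (not stated on the page):
#  - ArchiveDirectory is the Sysmon default C:\Sysmon and captures are stored
#    there as CLIP-<hash>, using the first configured hash algorithm.
#  - ClientInfo for a remote session contains the word "hostname".
#  - The sample event below is constructed, not a real capture.

$ArchiveDirectory = 'C:\Sysmon'   # assumption: default Sysmon archive directory

function ConvertFrom-SysmonClipboardEvent {
    param([Parameter(Mandatory)][xml]$EventXml)

    # Flatten the <Data Name="...">value</Data> pairs into a hashtable.
    $data = @{}
    foreach ($d in $EventXml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # Hashes looks like "SHA1=...,MD5=..."; the first value names the CLIP file (assumption).
    $firstHash = (($data['Hashes'] -split ',')[0] -split '=', 2)[1]

    [pscustomobject]@{
        UtcTime    = $data['UtcTime']
        Image      = $data['Image']
        Session    = [int]$data['Session']
        ClientInfo = $data['ClientInfo']
        Hashes     = $data['Hashes']
        ClipFile   = Join-Path $ArchiveDirectory "CLIP-$firstHash"
    }
}

function Test-SuspiciousClipboardWrite {
    param([Parameter(Mandatory)]$ClipEvent)
    $reasons = @()
    # Session 0 is the non-interactive services session; no user copies text there.
    if ($ClipEvent.Session -eq 0) { $reasons += 'clipboard written from session 0' }
    # A hostname in ClientInfo means the write came in over a remote session (assumed layout).
    if ($ClipEvent.ClientInfo -match 'hostname') { $reasons += 'clipboard written from a remote session' }
    # Script hosts writing to the clipboard are unusual for ordinary users.
    if ($ClipEvent.Image -match '\\(powershell|pwsh|wscript|cscript|mshta)\.exe$') {
        $reasons += 'script host wrote to the clipboard'
    }
    return $reasons
}

# Constructed sample: a copy to the clipboard from PowerShell inside an RDP session.
$SampleEvent = [xml]@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>24</EventID></System>
  <EventData>
    <Data Name="UtcTime">2020-09-22 10:15:30.123</Data>
    <Data Name="Image">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
    <Data Name="Session">2</Data>
    <Data Name="ClientInfo">user: LAB\alice hostname: WKS01 ip: 10.0.0.5</Data>
    <Data Name="Hashes">SHA1=DA39A3EE5E6B4B0D3255BFEF95601890AFD80709</Data>
  </EventData>
</Event>
'@

$parsed = ConvertFrom-SysmonClipboardEvent $SampleEvent
$parsed | Format-List
'Detections: ' + ((Test-SuspiciousClipboardWrite $parsed) -join '; ')

# Against the live log (needs administrator rights to read the Sysmon channel):
# Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=24} |
#     ForEach-Object { ConvertFrom-SysmonClipboardEvent ([xml]$_.ToXml()) } |
#     Where-Object { Test-SuspiciousClipboardWrite $_ }
```

The ClipFile path is only useful during an investigation on the host itself: the archive directory is protected by an ACL that grants access to SYSTEM only, so reading the CLIP file requires running as SYSTEM (for example via PsExec -s), which is exactly the point of keeping the content out of the event log.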
By Olaf Hartong, September 22, 2020