improve clipboard rules

mandiant · May 26, 2023 · aad0799 · aad0799
1 parent 11b9f29
commit aad0799
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 17 deletions.
diff --git a/host-interaction/clipboard/read-clipboard-data.yml b/host-interaction/clipboard/read-clipboard-data.yml
@@ -8,13 +8,18 @@ rule:
     scope: function
     att&ck:
       - Collection::Clipboard Data [T1115]
+    references:
+      - https://learn.microsoft.com/en-us/windows/win32/dataxchg/using-the-clipboard
     examples:
       - C91887D861D9BD4A5872249B641BC9F9:0x40156F
       - 93dfc146f60bd796eb28d4e4f348f2e4:0x401050
   features:
     - and:
       - optional:
         - match: open clipboard
+        - api: kernel32.GlobalAlloc
+        - api: kernel32.GlobalLock
+        - api: kernel32.GlobalUnlock
       - or:
         - and:
           - api: user32.GetClipboardData

diff --git a/host-interaction/clipboard/replace-clipboard-data.yml b/host-interaction/clipboard/replace-clipboard-data.yml
diff --git a/host-interaction/clipboard/write-clipboard-data.yml b/host-interaction/clipboard/write-clipboard-data.yml
@@ -8,12 +8,16 @@ rule:
     scope: function
     mbc:
       - Impact::Clipboard Modification [E1510]
+    references:
+      - https://learn.microsoft.com/en-us/windows/win32/dataxchg/using-the-clipboard
     examples:
       - 6F99A2C8944CB02FF28C6F9CED59B161:0x403180
   features:
     - and:
       - optional:
         - match: open clipboard
+        - api: user32.EmptyClipboard
+        - api: System.Windows.Forms.Clipboard::Clear
       - or:
         - api: user32.SetClipboardData
         - api: System.Windows.Forms.Clipboard::SetAudio