Improvements for clipboard rules

[mwilliams31]

I ran into a FP for read-clipboard-data that sparked some ideas for improvement. The FP was in a sample that contained a bunch of API calls whose results weren't used. I don't have time to write/test new rules so I'm documenting my research efforts here in case someone wants to run with it.

Here's some documentation that could be inserted as references for multiple rules:

• https://docs.microsoft.com/en-us/windows/win32/dataxchg/using-the-clipboard

In the documentation you'll notice the following APIs are frequently used:

kernel32.GlobalAlloc
kernel32.GlobalLock
kernel32.GlobalUnlock

These could be incorporated as optional features for some clipboard rules. They are present in the existing rules' examples. If they show up often enough, maybe they get moved from optional to required to reduce FPs.

Another thought involved targeting specific data formats for the GetClipboardData rule. Malware commonly targets text:

0x1 = CF_TEXT
0xD = CF_UNICODETEXT

Both formats are represented in the existing rule examples. Using these formats, the rule could become a basic block component of a larger function rule. The new rule could also incorporate the loop characteristic to target the read operation.

Lastly, we might consider consolidating the replace-clipboard-data and write-clipboard-data rules. The replace rule includes user32.EmptyClipboard but I wonder if user32.SetClipboardData would overwrite data existing data that wasn't emptied. The EmptyClipboard API could be optional in the write-clipboard-data rule.