Sysmon 12.02 - possible bug in ClipboardChange behavior

  • Question

  • As long as there is one ClipboardChange rule active, Sysmon seems to log *all* clipboard activity to the Archive folder.

    Tested version: Sysmon64 12.02

    Sample config:

        <RuleGroup name="" groupRelation="or">
            <ClipboardChange onmatch="include">
                <Image condition="image">windowsterminal.exe</Image>
            </ClipboardChange>
        </RuleGroup>

    With this config, Sysmon logs Event ID 24 as expected when I copy data from a Terminal window, and nothing outside of that. However, the Archive folder gets filled with all kinds of clipboard events happening outside of Terminal.

    Playing with the "CaptureClipboard" configuration entry doesn't seem to change anything.

    Is this expected behavior?

    Beyond that, would it be possible to have a configuration setting where clipboard events get logged to the evtx log, without writing the actual data to the Archive directory?

    Friday, November 13, 2020 3:18 PM
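    One way to measure the behavior described above, added here as an example and not part of the thread: compare the CLIP files in the Sysmon archive directory against the Event ID 24 entries in the Sysmon log and report the files that have no matching event. It assumes the default C:\Sysmon archive path, the CLIP-<SHA256> file naming, and SHA256 present in the event's Hashes field; the archive directory is ACL-restricted to SYSTEM, so run it as SYSTEM (for example via PsExec -s).

```powershell
# Added example: find clipboard captures written to the archive directory that
# have no corresponding Sysmon Event ID 24. Assumptions (not from the thread):
# archive directory C:\Sysmon, files named CLIP-<SHA256>, and 'SHA256=' in the
# event's Hashes field. Run as SYSTEM; the directory is not readable otherwise.
param(
    [string]$ArchiveDir = 'C:\Sysmon',
    [int]$Hours = 24
)

$since = (Get-Date).AddHours(-$Hours)

# Hashes of clipboard captures that Sysmon did record in the event log.
$loggedHashes = @{}
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 24
    StartTime = $since
} -ErrorAction SilentlyContinue | ForEach-Object {
    $xml    = [xml]$_.ToXml()
    $data   = $xml.Event.EventData.Data
    $hashes = ($data | Where-Object Name -eq 'Hashes').'#text'
    $image  = ($data | Where-Object Name -eq 'Image').'#text'
    if ($hashes -match 'SHA256=([0-9A-Fa-f]{64})') {
        $loggedHashes[$Matches[1].ToUpper()] = $image
    }
}

# CLIP files written to the archive directory in the same time window.
$clipFiles = @(Get-ChildItem -Path $ArchiveDir -Filter 'CLIP-*' -File -ErrorAction Stop |
    Where-Object LastWriteTime -ge $since)

# A CLIP file whose hash never appears in an Event ID 24 entry is content that
# was archived without being logged, which is the behavior reported above.
$orphans = @(foreach ($f in $clipFiles) {
    $hash = ($f.BaseName -replace '^CLIP-', '').ToUpper()
    if (-not $loggedHashes.ContainsKey($hash)) { $f }
})

"{0} CLIP files in window, {1} with a matching Event ID 24, {2} without" -f `
    $clipFiles.Count, ($clipFiles.Count - $orphans.Count), $orphans.Count
$orphans | Select-Object Name, Length, LastWriteTime | Format-Table -AutoSize
```

    If HashAlgorithms in your config does not include SHA256, adjust the regular expression and file-name assumption to the algorithm Sysmon is actually using.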

All replies

  • I can reproduce the problem in sysmon.exe v12.02 as well.

    Events are NOT getting written to the event log (event id 24) but clipboard content IS getting written to CLIP files in the archive for images not specified in my "include" oriented rule group.

    The good news is that including nothing does prevent both event log entries and clip file writes.

    Also, I didn't know that "image" was a filtering condition. TIL!

    Saturday, November 14, 2020 1:55 AM
  • Update:

    Turns out, as a workaround, you can prevent the behavior as long as you do not have a configuration section for clipboard present.

    Thursday, November 19, 2020 5:18 PM