ZeArioch avatar image
1 Vote"
ZeArioch asked foxmsft answered

Sysmon 13.01 - possible bug in ClipboardChange behavior

As long as there is one ClipboardChange rule active, Sysmon seems to log all clipboard activity to the Archive folder.

Tested version: noticed in Sysmon64 12.02, same behavior in Sysmon64 13.01

Sample config:

         <RuleGroup name="" groupRelation="or">
             <ClipboardChange onmatch="include">
                 <Image condition="image">windowsterminal.exe</Image>

With this config, Sysmon logs EventIDs 24 as expected when I copy data from a Terminal window, and nothing outside of that. However, the Archive folder gets filled with all kinds of clipboard events happening outside of Terminal.

Playing with the "CaptureClipboard" configuration entry doesn't seem to change anything.

Is this expected behavior?

Beyond that, would it be possible to have a configuration setting where clipboard events get logged to the evtx log, without writing the actual data to the Archive directory?

· 7
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Just another sysmon user here.

I can produce this behavior as well and agree that it is unexpected and undesirable.

Clipboard content of images not listed in include rules of my active sysmon config are ending up in the archive. There are no corresponding events in the event log.

I am very concerned about the accumulation of secrets like passwords and access keys in this archive. Personally, I would like to be able to control what gets archived or logged not only by image and hash but also by patterns in content via include/exclude rules which accept regular expressions.

0 Votes 0 ·

I think I'm seeing this too. I actually hadn't specified any include filter for ClipboardChange events because I'm not interested in them right now. But over several weeks my C:\sysmon directory filled up over 400 GB of files which appear to be clipboard buffers.

0 Votes 0 ·
dstaulcu avatar image dstaulcu DaveMcCormack-3832 ·

@DaveMcCormack-3832 - Can you confirm the version and config producing that behavior?

My observation in the current version of sysmon (v13.01) is that the undesired behavior (CLIP files archived) can be prevented when ClipboardChange rules include nothing.

0 Votes 0 ·

I'm running Sysmon 13.01, and my config specifies <ClipboardChange onmatch="include"/>.

I completely cleared out my C:\Sysmon directory yesterday but it has already accumulated over 14,000 files taking up over 8 GB of space. But now that I look at it again, I don't think these are saved clipboard buffers. There are simply too many of them. I have no idea where these are coming from. They can't (or shouldn't) be deleted file backups because my config does not specify the CopyOnDeletePE value and it defaults to False.

0 Votes 0 ·
Show more comments

1 Answer

foxmsft avatar image
2 Votes"
foxmsft answered

This also happens with FileDelete rules and support for distinguishing between what gets archived and what just gets dropped is planned for a future release.

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.