Event ID 24 — ClipboardChange (New content in the clipboard)
Description
This event is generated when the system clipboard contents change.
Message #
Fields #
| Name | Description |
|---|---|
RuleName UnicodeString → string | — |
UtcTime UnicodeString → string | — |
ProcessGuid GUID → GUID | — |
ProcessId UInt32 → PID | — |
Image UnicodeString → string | — |
Session UInt32 → unsignedInt | — |
ClientInfo UnicodeString → string | — |
Hashes UnicodeString → string | — |
Archived UnicodeString → string | — |
User UnicodeString → string | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Sysmon",
"guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9",
"event_source_name": "",
"event_id": 24,
"version": 5,
"level": 4,
"task": 24,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2023-11-06T01:34:43.177918+00:00",
"event_record_id": 1300545,
"correlation": {},
"execution": {
"process_id": 7064,
"thread_id": 18652
},
"channel": "Microsoft-Windows-Sysmon/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"RuleName": "-",
"UtcTime": "2023-11-06 01:34:43.168",
"ProcessGuid": "E56ADA26-3DE0-6548-E908-000000000D00",
"ProcessId": 11112,
"Image": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsTerminal_1.18.2822.0_x64__8wekyb3d8bbwe\\WindowsTerminal.exe",
"Session": 1,
"ClientInfo": "user: WINDEV2310EVAL\\User",
"Hashes": "SHA1=179A4D08834E913B14727CF6474BAC31E082D275,MD5=64D76D5B160C1EB41680025DD778622D,SHA256=35EC5A2FD3F20757A957DC280EF330892A9D76378252CD381BF34518E6A30427,IMPHASH=00000000000000000000000000000000",
"Archived": "true",
"User": "WINDEV2310EVAL\\User"
},
"message": ""
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-24-clipboardchange-new-content-in-the-clipboard
- Example event sourced from https://github.com/NextronSystems/evtx-baseline