Clipboard Access via AppleScript

Detects clipboard data access via AppleScript using macOS Unified Logs Apple Event telemetry. The Apple Event type Jons,gClp corresponds to the "the clipboard" or "get the clipboard" AppleScript command, which retrieves the contents of the system clipboard. macOS stealers commonly access clipboard data to harvest cryptocurrency wallet addresses, passwords, sensitive tokens, or other data the user has recently copied. This detection leverages the com.apple.appleevents subsystem debug logs and does not require private data enablement.

Rule type: esql
Rule indices:

Rule Severity: medium
Risk Score: 47
Runs every:
Searches indices from: now-9m
Maximum alerts per execution: 100
References:

Tags:

  • Domain: macOS
  • Data Source: macOS Unified Logs
  • Data Source: Unified Logs
  • Use Case: Threat Detection
  • Resources: Investigation Guide
  • Tactic: Collection

Version: 1
Rule authors:

  • Elastic

Rule license: Elastic License v2

This rule detects the Jons,gClp Apple Event, which indicates an AppleScript accessed the system clipboard. Clipboard access is a common technique used by macOS stealers to harvest sensitive data such as cryptocurrency wallet addresses, passwords, or tokens.

Possible investigation steps:

  • Review the message field for the full Apple Event debug output to understand the clipboard access context.
  • Identify the source process by correlating timestamps with process execution logs from Elastic Defend or other endpoint telemetry.
  • Look for related Apple Events on the same host, such as syso,exec (shell execution) or network connections, which may indicate exfiltration of clipboard contents.
  • Check for recent syso,dlog (display dialog) events that may indicate a fake prompt was used to trick the user into copying sensitive data.
  • Review the host for known stealer malware indicators, unauthorized scripts, or recently modified files.
  • Check if the clipboard access coincides with the user interacting with sensitive applications (password managers, cryptocurrency wallets, banking sites).

False positive analysis:

  • Clipboard manager applications (e.g., Paste, CopyClip) frequently access clipboard contents.
  • Productivity tools and text editors with clipboard integration may trigger this rule.
  • Automation workflows (Shortcuts, Automator) that process clipboard data may also trigger this rule.

Response and remediation:

  • If clipboard access is determined to be malicious, assume sensitive data may have been captured and take appropriate action (rotate credentials, move cryptocurrency funds, etc.).
  • Isolate the affected host and investigate the full attack chain.
  • Remove any malicious scripts, applications, or persistence mechanisms.
Rule query:

FROM logs-unifiedlogs.unifiedlogs-* METADATA _id, _version, _index
| WHERE event.dataset == "unifiedlogs.log" AND host.os.type == "macos" AND apple_event.type_code == "Jons,gClp"
| KEEP @timestamp, _id, _version, _index, host.name, host.id, host.os.type, event.dataset, unified_log.subsystem, unified_log.category, apple_event.type_code, message
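The following is an added Python example, not part of the Elastic rule or its documentation: it mirrors the query's WHERE clause over constructed records and then applies the triage steps from the guide (nearest process on the same host, nearby syso,exec and syso,dlog events, and a check against the clipboard managers named as false-positive sources). The record field names are taken from the query; the process events, timestamps, host names and the 10-second correlation window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry). Field names mirror the
# rule's ESQL query; the process events stand in for Elastic Defend data.
UNIFIED_LOGS = [
    {"@timestamp": "2024-05-01T10:00:00Z", "event.dataset": "unifiedlogs.log", "host.os.type": "macos",
     "host.name": "mac-01", "apple_event.type_code": "syso,dlog"},
    {"@timestamp": "2024-05-01T10:00:04Z", "event.dataset": "unifiedlogs.log", "host.os.type": "macos",
     "host.name": "mac-01", "apple_event.type_code": "Jons,gClp"},
    {"@timestamp": "2024-05-01T10:00:06Z", "event.dataset": "unifiedlogs.log", "host.os.type": "macos",
     "host.name": "mac-01", "apple_event.type_code": "syso,exec"},
    {"@timestamp": "2024-05-01T11:00:00Z", "event.dataset": "unifiedlogs.log", "host.os.type": "macos",
     "host.name": "mac-02", "apple_event.type_code": "Jons,gClp"},
    {"@timestamp": "2024-05-01T11:00:01Z", "event.dataset": "unifiedlogs.log", "host.os.type": "linux",
     "host.name": "srv-01", "apple_event.type_code": "Jons,gClp"},
]
PROCESS_EVENTS = [  # assumed endpoint process telemetry for the same hosts
    {"@timestamp": "2024-05-01T10:00:03Z", "host.name": "mac-01", "process.name": "osascript"},
    {"@timestamp": "2024-05-01T10:59:59Z", "host.name": "mac-02", "process.name": "Paste"},
]
KNOWN_CLIPBOARD_APPS = {"Paste", "CopyClip"}  # false-positive sources named in the guide
RELATED_CODES = {"syso,exec", "syso,dlog"}    # Apple Events the guide says to look for near a hit

def ts(rec):
    return datetime.fromisoformat(rec["@timestamp"].replace("Z", "+00:00"))

def rule_hits(logs):
    """Mirror of the rule's WHERE clause: macOS unified log records carrying Jons,gClp."""
    return [r for r in logs
            if r["event.dataset"] == "unifiedlogs.log" and r["host.os.type"] == "macos"
            and r["apple_event.type_code"] == "Jons,gClp"]

def triage(hit, logs, procs, window=timedelta(seconds=10)):
    """Annotate one hit with the nearest process and related Apple Events on the same host."""
    t = ts(hit)
    same_host = [p for p in procs if p["host.name"] == hit["host.name"] and abs(ts(p) - t) <= window]
    source = min(same_host, key=lambda p: abs(ts(p) - t))["process.name"] if same_host else None
    related = sorted({r["apple_event.type_code"] for r in logs
                      if r["host.name"] == hit["host.name"] and r is not hit
                      and r["apple_event.type_code"] in RELATED_CODES and abs(ts(r) - t) <= window})
    return {"host": hit["host.name"], "source_process": source, "related_events": related,
            "likely_benign": source in KNOWN_CLIPBOARD_APPS}

def triage_all(logs=UNIFIED_LOGS, procs=PROCESS_EVENTS):
    """Run the rule over the sample logs and triage every hit."""
    return [triage(h, logs, procs) for h in rule_hits(logs)]
```

On the sample data, the mac-01 hit is attributed to osascript with syso,dlog and syso,exec within the window (the dialog-then-clipboard-then-shell pattern the guide describes), while the mac-02 hit is attributed to Paste and marked as a likely false positive.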

Framework: MITRE ATT&CK