I am trying to come up with a monitoring solution for MITRE ATT&CK Technique T1115 (Clipboard Data). The data can be retrieved via PowerShell (Get-Clipboard) or by using the Windows API (OpenClipboard() or GetClipboardData()). Script block logging will allow me to detect the PowerShell use, but how can you monitor for those specific API calls?
I have not been able to come up with a solution to track specific API calls. The deepest I can drill is down to the process level, but tracking specific API calls is a mystery to me.
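
The script block logging detection mentioned in the question, as an added example that is not part of the original post: a scan of exported Event ID 4104 records for clipboard reads. It goes beyond the post by also matching the `gcb` alias, the .NET Clipboard classes, and the two API names when they appear in script text; the JSON field names and the sample events are constructed assumptions.

```python
import json
import re

# Patterns applied to ScriptBlockText. Get-Clipboard, OpenClipboard and
# GetClipboardData are named in the post; the gcb alias and the .NET
# Clipboard classes are additions that go beyond it.
PATTERNS = {
    "cmdlet": re.compile(r"(?<![\w-])(Get-Clipboard|gcb)(?![\w-])", re.I),
    "dotnet": re.compile(r"Windows\.(Forms\.)?Clipboard\b", re.I),
    "pinvoke": re.compile(r"\b(OpenClipboard|GetClipboardData)\b", re.I),
}

# Constructed sample: script block logging events (Event ID 4104) exported as
# JSON lines. The field names are an assumed export format; last line is truncated.
SAMPLE = r"""
{"EventID": 4104, "Computer": "WS01", "ScriptBlockText": "$c = Get-Clipboard -Raw"}
{"EventID": 4104, "Computer": "WS02", "ScriptBlockText": "Get-ChildItem C:\\Temp | Set-Clipboard"}
{"EventID": 4104, "Computer": "WS03", "ScriptBlockText": "[System.Windows.Forms.Clipboard]::GetText()"}
{"EventID": 4104, "Computer": "WS04", "ScriptBlockText": "Add-Type -Name U -Namespace W -MemberDefinition '[DllImport(\"user32.dll\")] public static extern IntPtr GetClipboardData(uint f);'"}
{"EventID": 4104, "Computer": "WS05", "ScriptBlockText": "$t = gcb"}
{"EventID": 4104, "Computer": "WS06", "ScriptBlockText": "Get-Clipb
"""

def find_clipboard_access(lines):
    """Return (computer, [rule names]) for each 4104 event that reads the clipboard."""
    hits = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank, truncated or malformed export line
        if not isinstance(event, dict) or event.get("EventID") != 4104:
            continue  # only script block logging events are in scope
        text = event.get("ScriptBlockText") or ""
        rules = sorted(name for name, rx in PATTERNS.items() if rx.search(text))
        if rules:
            hits.append((event.get("Computer"), rules))
    return hits

if __name__ == "__main__":
    for computer, rules in find_clipboard_access(SAMPLE.splitlines()):
        print(computer, ",".join(rules))
```

Script blocks too large for one event are split across several 4104 records, so reassemble them by script block ID before matching on production data.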