
T1115 Clipboard Data

Platforms: Linux · Windows · macOS

ATT&CK version: 14.1

What it is

Adversaries may collect data stored in the clipboard from users copying information within or between applications. For example, on Windows adversaries can access clipboard data by using `clip.exe` or `Get-Clipboard`.(Citation: MSDN Clipboard)(Citation: clip_win_server)(Citation: CISA_AA21_200B) Additionally, adversaries may monitor and then replace the contents of a user's clipboard with their own data (e.g., [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002)).(Citation: mining_ruby_reversinglabs) macOS and Linux also have commands, such as `pbpaste`, to grab clipboard contents.(Citation: Operating with EmPyre)
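For defenders, a minimal detection sketch over process-creation events that flags the commands named above, including `Get-Clipboard` hidden in a PowerShell `-EncodedCommand` argument. This is an added example, not part of the ATT&CK entry or of SQUR's material; the event fields (`host`, `image`, `cmdline`) and all sample events are assumptions constructed for illustration.

```python
import base64
import re

# Commands named in the description above; anything else is out of scope here.
CMD_RE = re.compile(r"(?<![\w.-])(get-clipboard|clip\.exe|pbpaste)(?![\w.-])", re.I)
# PowerShell accepts prefixes of -EncodedCommand (-e, -enc, ...) and -ec.
ENC_FLAG = re.compile(r"\s-(e[a-z]*)\s+([A-Za-z0-9+/=]{8,})", re.I)

def decoded_powershell(cmdline):
    """Return the script hidden in an -EncodedCommand argument, or ''."""
    for m in ENC_FLAG.finditer(cmdline):
        flag = m.group(1).lower()
        if flag == "ec" or "encodedcommand".startswith(flag):
            try:  # the argument is base64 over UTF-16LE text
                return base64.b64decode(m.group(2), validate=True).decode("utf-16-le")
            except ValueError:  # not valid base64 / UTF-16LE: try the next match
                continue
    return ""

def find_clipboard_access(events):
    """Return (host, command, view) for each event that invokes a listed command."""
    hits = []
    for ev in events:
        # "plain" is what the log shows; "encoded" is the decoded PowerShell payload.
        views = {"plain": f"{ev['image']} {ev['cmdline']}",
                 "encoded": decoded_powershell(ev["cmdline"])}
        for view, text in views.items():
            for name in sorted({m.group(1).lower() for m in CMD_RE.finditer(text)}):
                hits.append((ev["host"], name, view))
    return hits

# Constructed sample events (hosts, paths and command lines are made up).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
ENC = base64.b64encode("Get-Clipboard".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"host": "ws01", "image": PS, "cmdline": "powershell.exe -NoProfile -Command Get-Clipboard"},
    {"host": "ws02", "image": PS, "cmdline": f"powershell.exe -ExecutionPolicy Bypass -enc {ENC}"},
    {"host": "mac01", "image": "/usr/bin/pbpaste", "cmdline": "pbpaste"},
    {"host": "ws03", "image": r"C:\Tools\myclip.exe", "cmdline": "myclip.exe --help"},
]

if __name__ == "__main__":
    for hit in find_clipboard_access(SAMPLE_EVENTS):
        print(hit)
```

Legitimate scripts and administrators also run these commands, so hits are best treated as leads to correlate with the parent process and user context rather than as alerts on their own.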

ATT&CK tactics

Collection

References

  1. https://attack.mitre.org/techniques/T1115
  2. https://www.cisa.gov/uscert/ncas/alerts/aa21-200b
  3. https://blog.reversinglabs.com/blog/mining-for-malicious-ruby-gems
  4. https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/clip
  5. https://msdn.microsoft.com/en-us/library/ms649012
  6. https://medium.com/rvrsh3ll/operating-with-empyre-ea764eda3363

Sourced from MITRE ATT&CK Enterprise v14.1. Curated and contextualized for EU compliance use cases by Adam Lundqvist, Founder at SQUR.