Adversaries may collect data stored in the clipboard from users copying information within or between applications.
For example, on Windows adversaries can access clipboard data by using <code>clip.exe</code> or <code>Get-Clipboard</code>.(Citation: MSDN Clipboard)(Citation: clip_win_server)(Citation: CISA_AA21_200B) Additionally, adversaries may monitor then replace users’ clipboard with their data (e.g., Transmitted Data Manipulation).(Citation: mining_ruby_reversinglabs)
macOS and Linux also have commands, such as <code>pbpaste</code>, to grab clipboard contents.(Citation: Operating with EmPyre)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.malware.variety.In-memory | (malware never stored to persistent storage) | related-to | T1115 | Clipboard Data | |
| action.malware.variety.In-memory | (malware never stored to persistent storage) | related-to | T1115 | Clipboard Data | |
| action.malware.variety.Password dumper | Password dumper (extract credential hashes) | related-to | T1115 | Clipboard Data | |
| attribute.confidentiality.data_disclosure | None | related-to | T1115 | Clipboard Data | |
| attribute.confidentiality.data_disclosure | None | related-to | T1115 | Clipboard Data |