Adversaries may collect data stored in the clipboard from users copying information within or between applications.
For example, on Windows adversaries can read clipboard data with <code>clip.exe</code> or the PowerShell <code>Get-Clipboard</code> cmdlet.(Citation: MSDN Clipboard)(Citation: clip_win_server)(Citation: CISA_AA21_200B) Adversaries may also monitor the clipboard and replace its contents with their own data, for example swapping a copied cryptocurrency wallet address for one they control (see Transmitted Data Manipulation).(Citation: mining_ruby_reversinglabs)
macOS provides <code>pbpaste</code> to read the clipboard, and Linux desktops have equivalent tools such as <code>xclip</code> and <code>xsel</code>.(Citation: Operating with EmPyre)
VERIS mappings
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
action.malware.variety.In-memory | (malware never stored to persistent storage) | related-to | T1115 | Clipboard Data | |
action.malware.variety.Password dumper | Password dumper (extract credential hashes) | related-to | T1115 | Clipboard Data | |
attribute.confidentiality.data_disclosure | None | related-to | T1115 | Clipboard Data | |
Security stack mappings
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
microsoft_sentinel | Microsoft Sentinel | technique_scores | T1115 | Clipboard Data | |
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can harvest clipboard data on Windows, but it does not cover other procedures (such as direct use of <code>Get-Clipboard</code> or <code>clip.exe</code>) or other platforms.
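The Sentinel rule above keys on Empire cmdlet names rather than on the clipboard tools themselves. As an added example (not part of the ATT&CK page or any Sentinel or VERIS content), the following Python detection runs over process-creation events and flags the commands named in the technique description (clip.exe, Get-Clipboard, pbpaste) plus their common siblings (Set-Clipboard and the gcb/scb aliases, pbcopy, xclip, xsel). It also flags the footprint of a monitor-and-replace loop: repeated clipboard invocations from one parent process inside a short window. The one-JSON-object-per-line event schema, the thresholds and the sample events are all constructed assumptions.

```python
"""Clipboard-access detection over process-creation events (added example).

Assumed event schema (constructed for this example): one JSON object per
line with keys ts (ISO 8601), host, parent_pid, image and cmdline.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Tools named in the technique description plus their common siblings.
# Negative lookarounds keep "paperclip.exe" or "clipboard-sync" from matching.
CLIPBOARD_PATTERNS = {
    "windows": re.compile(
        r"(?<![\w-])(clip(?:\.exe)?|get-clipboard|set-clipboard|gcb|scb)(?![\w-])",
        re.I,
    ),
    "unix": re.compile(r"(?<![\w-])(pbpaste|pbcopy|xclip|xsel)(?![\w-])", re.I),
}

WINDOW = timedelta(seconds=10)  # assumed sliding window for loop detection
LOOP_THRESHOLD = 5              # assumed: 5+ invocations per parent in WINDOW


def classify(event):
    """Return the lower-cased clipboard tool found in cmdline, or None."""
    cmd = event.get("cmdline", "")
    for pat in CLIPBOARD_PATTERNS.values():
        m = pat.search(cmd)
        if m:
            return m.group(1).lower()
    return None


def detect(lines):
    """Return findings for an iterable of JSON event lines.

    kind == "single": any clipboard tool invocation.
    kind == "loop":   LOOP_THRESHOLD invocations from the same (host, parent)
                      within WINDOW, the shape of a clipboard polling loop.
    """
    findings = []
    recent = defaultdict(list)   # (host, parent_pid) -> recent timestamps
    flagged = set()              # parents already reported as looping
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        tool = classify(ev)
        if tool is None:
            continue
        ts = datetime.fromisoformat(ev["ts"])
        findings.append({"kind": "single", "ts": ev["ts"], "host": ev["host"],
                         "parent_pid": ev["parent_pid"], "tool": tool,
                         "cmdline": ev["cmdline"]})
        key = (ev["host"], ev["parent_pid"])
        recent[key] = [t for t in recent[key] if ts - t <= WINDOW] + [ts]
        if len(recent[key]) >= LOOP_THRESHOLD and key not in flagged:
            flagged.add(key)
            findings.append({"kind": "loop", "ts": ev["ts"], "host": ev["host"],
                             "parent_pid": ev["parent_pid"],
                             "count": len(recent[key])})
    return findings


# Constructed sample telemetry: parent 4120 polls and rewrites the clipboard,
# 777 is a one-off benign "dir | clip", mac01 runs pbpaste once.
SAMPLE_EVENTS = """
{"ts": "2024-05-01T09:00:00", "host": "ws01", "parent_pid": 4120, "image": "powershell.exe", "cmdline": "powershell.exe -NoP -W Hidden -c Get-Clipboard"}
{"ts": "2024-05-01T09:00:01", "host": "ws01", "parent_pid": 900, "image": "cmd.exe", "cmdline": "cmd.exe /c echo build ok"}
{"ts": "2024-05-01T09:00:02", "host": "ws01", "parent_pid": 4120, "image": "powershell.exe", "cmdline": "powershell.exe -NoP -c gcb"}
{"ts": "2024-05-01T09:00:03", "host": "ws01", "parent_pid": 777, "image": "cmd.exe", "cmdline": "cmd.exe /c dir | clip"}
{"ts": "2024-05-01T09:00:04", "host": "ws01", "parent_pid": 4120, "image": "powershell.exe", "cmdline": "powershell.exe -NoP -c Get-Clipboard -Raw"}
{"ts": "2024-05-01T09:00:05", "host": "mac01", "parent_pid": 2210, "image": "sh", "cmdline": "/bin/sh -c pbpaste"}
{"ts": "2024-05-01T09:00:06", "host": "ws01", "parent_pid": 4120, "image": "powershell.exe", "cmdline": "powershell.exe -NoP -c Set-Clipboard -Value bc1qexample"}
{"ts": "2024-05-01T09:00:07", "host": "ws01", "parent_pid": 1234, "image": "paperclip.exe", "cmdline": "paperclip.exe --sync"}
{"ts": "2024-05-01T09:00:08", "host": "ws01", "parent_pid": 4120, "image": "powershell.exe", "cmdline": "powershell.exe -NoP -c Get-Clipboard"}
"""

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS.splitlines()):
        print(f)
```

The "single" findings are noisy on their own (a user piping `dir | clip` is legitimate), so in practice they are best used as enrichment, while the "loop" finding is the higher-confidence signal for the monitor-and-replace behaviour the description mentions.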