T1115 Clipboard Data

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

For example, on Windows adversaries can access clipboard data by using <code>clip.exe</code> or <code>Get-Clipboard</code>.(Citation: MSDN Clipboard)(Citation: clip_win_server)(Citation: CISA_AA21_200B) Additionally, adversaries may monitor then replace users’ clipboard with their data (e.g., Transmitted Data Manipulation).(Citation: mining_ruby_reversinglabs)

macOS and Linux also have commands, such as <code>pbpaste</code>, to grab clipboard contents.(Citation: Operating with EmPyre)

View in MITRE ATT&CK®

VERIS Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
action.malware.variety.In-memory (malware never stored to persistent storage) related-to T1115 Clipboard Data
action.malware.variety.In-memory (malware never stored to persistent storage) related-to T1115 Clipboard Data
action.malware.variety.Password dumper Password dumper (extract credential hashes) related-to T1115 Clipboard Data
attribute.confidentiality.data_disclosure None related-to T1115 Clipboard Data
attribute.confidentiality.data_disclosure None related-to T1115 Clipboard Data

Azure Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
microsoft_sentinel Microsoft Sentinel technique_scores T1115 Clipboard Data
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can harvest clipboard data on Windows, but does not address other procedures or platforms.
References