T1115 - Clipboard Data

Description from ATT&CK

Adversaries may collect data stored in the Windows clipboard from users copying information within or between applications.
Windows

Applications can access clipboard data by using the Windows API. (Citation: MSDN Clipboard)

Mac

OSX provides a native command, pbpaste, to grab clipboard contents (Citation: Operating with EmPyre).

Atomic Tests

Atomic Test #1 - Utilize Clipboard to store or execute commands from
Atomic Test #2 - PowerShell

Atomic Test #1 - Utilize Clipboard to store or execute commands from

Add data to clipboard to copy off or execute commands from.

Supported Platforms: Windows

Attack Commands: Run with `command_prompt`!

dir | clip
echo "T1115" > %temp%\T1115.txt
clip < %temp%\T1115.txt

Cleanup Commands:

del %temp%\T1115.txt >nul 2>&1

Atomic Test #2 - PowerShell

Utilize PowerShell to echo a command to clipboard and execute it

Supported Platforms: Windows

Attack Commands: Run with `powershell`!

echo Get-Process | clip
iex Get-Clipboard

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

T1115.md

T1115.md

T1115 - Clipboard Data

Description from ATT&CK

Windows

Mac

Atomic Tests

Atomic Test #1 - Utilize Clipboard to store or execute commands from

Attack Commands: Run with `command_prompt`!

Cleanup Commands:

Atomic Test #2 - PowerShell

Attack Commands: Run with `powershell`!

Files

T1115.md

Latest commit

History

T1115.md

File metadata and controls

T1115 - Clipboard Data

Description from ATT&CK

Windows

Mac

Atomic Tests

Atomic Test #1 - Utilize Clipboard to store or execute commands from

Attack Commands: Run with command_prompt!

Cleanup Commands:

Atomic Test #2 - PowerShell

Attack Commands: Run with powershell!

Attack Commands: Run with `command_prompt`!

Attack Commands: Run with `powershell`!