T1115
Clipboard Data
Description from ATT&CK
Adversaries may collect data stored in the clipboard from users copying information within or between applications.
In Windows, applications can access clipboard data by using the Windows API.(Citation: MSDN Clipboard) OSX provides a native command, <code>pbpaste</code>, to grab clipboard contents.(Citation: Operating with EmPyre)
Atomic Tests
Atomic Test #1 - Utilize Clipboard to store or execute commands from
Add data to clipboard to copy off or execute commands from.
Supported Platforms: windows
auto_generated_guid: 0cd14633-58d4-4422-9ede-daa2c9474ae7
Inputs:
None
Attack Commands: Run with command_prompt!
dir | clip
echo "T1115" > %temp%\T1115.txt
clip < %temp%\T1115.txt
Cleanup Commands:
del %temp%\T1115.txt >nul 2>&1
Atomic Test #2 - Execute Commands from Clipboard using PowerShell
Utilize PowerShell to echo a command to clipboard and execute it
Supported Platforms: windows
auto_generated_guid: d6dc21af-bec9-4152-be86-326b6babd416
Inputs:
None
Attack Commands: Run with powershell!
echo Get-Process | clip
Get-Clipboard | iex
Atomic Test #3 - Execute commands from clipboard
Echo a command to clipboard and execute it
Supported Platforms: macos
auto_generated_guid: 1ac2247f-65f8-4051-b51f-b0ccdfaaa5ff
Inputs:
None
Attack Commands: Run with bash!
echo ifconfig | pbcopy
$(pbpaste)
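Detection sketch for the three tests above, as an added example that is not part of Atomic Red Team or ATT&CK: it flags clipboard writes and clipboard-to-execution command lines, and raises the severity when both occur on one host within a short window. It assumes telemetry that records the full shell command line or PowerShell script block text; the rule names, the 60-second window, the sample events, and the extra variants beyond the page's commands (Invoke-Expression, pbpaste piped to a shell) are assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# (rule name, kind, pattern), applied to a command line or script block text.
RULES = [
    ("ps_clipboard_to_iex", "exec",
     re.compile(r"\bGet-Clipboard\b[^|;\n]*\|\s*(iex|Invoke-Expression)\b", re.I)),
    ("macos_pbpaste_exec", "exec",
     re.compile(r"\$\(\s*pbpaste\s*\)|\bpbpaste\b[^|;\n]*\|\s*(ba|z)?sh\b")),
    ("win_clip_write", "write",
     re.compile(r"\|\s*clip(\.exe)?\s*($|[&|;])|(^|[\s&|])clip(\.exe)?\s*<", re.I)),
    ("macos_pbcopy_write", "write", re.compile(r"\|\s*pbcopy\b")),
]

def classify(cmdline):
    """Return (rule, kind) for the first matching rule, or None."""
    for name, kind, rx in RULES:
        if rx.search(cmdline):
            return name, kind
    return None

def detect(events, window=timedelta(seconds=60)):
    """events: (iso_time, host, cmdline) in time order. Writes alert 'low'; execution
    is 'high' if the host wrote to the clipboard within `window`, else 'medium'."""
    last_write, alerts = {}, []
    for ts, host, cmd in events:
        hit = classify(cmd)
        if hit is None:
            continue
        rule, kind = hit
        t = datetime.fromisoformat(ts)
        if kind == "write":
            last_write[host] = t
            alerts.append((host, rule, "low"))
        else:
            staged = host in last_write and t - last_write[host] <= window
            alerts.append((host, rule, "high" if staged else "medium"))
    return alerts

# Constructed sample telemetry (not real logs): the test commands above plus a benign line.
SAMPLE = [
    ("2024-01-01T10:00:00", "WIN01", '"cmd.exe" /c dir | clip'),
    ("2024-01-01T10:00:05", "WIN01", "Get-Clipboard | Out-File notes.txt"),
    ("2024-01-01T10:01:00", "WIN02", "echo Get-Process | clip"),
    ("2024-01-01T10:01:02", "WIN02", "Get-Clipboard | iex"),
    ("2024-01-01T10:02:00", "MAC01", "echo ifconfig | pbcopy"),
    ("2024-01-01T10:02:01", "MAC01", "$(pbpaste)"),
    ("2024-01-01T10:31:00", "WIN01", "Get-Clipboard | Invoke-Expression"),
]
```

Calling detect(SAMPLE) returns one alert per matching event. Clipboard writes alone are common in normal use, so the 'low' alerts are context for the execution hits, not findings in themselves.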