security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
fc495c1192fda69bd1ed33a13d7590ef055eee09
atomic-red-team/atomics/T1115/T1115.md
T
CircleCI Atomic Red Team doc generator 65fd85dd3c Generate docs from job=validate_atomics_generate_docs branch=uppercase-everything
2018-05-23 23:09:31 +00:00

1.5 KiB
Raw Blame History

T1115 - Clipboard Data

Description from ATT&CK

Adversaries may collect data stored in the Windows clipboard from users copying information within or between applications.

===Windows===

Applications can access clipboard data by using the Windows API. (Citation: MSDN Clipboard)

===Mac===

OSX provides a native command, pbpaste, to grab clipboard contents (Citation: Operating with EmPyre).

Detection: Access to the clipboard is a legitimate function of many applications on a Windows system. If an organization chooses to monitor for this behavior, then the data will likely need to be correlated against other suspicious or non-user-driven activity.

Platforms: Linux, macOS, Windows

Data Sources: API monitoring

Atomic Tests


Atomic Test #1 - Utilize Clipboard to store or execute commands from

Add data to clipboard to copy off or execute commands from.

Supported Platforms: Windows

Run it with command_prompt!

dir | clip
clip < readme.txt


Atomic Test #2 - PowerShell

Utilize PowerShell to echo a command to clipboard and execute it

Supported Platforms: Windows

Run it with powershell!

echo Get-Process | clip
Get-Clipboard | iex

Reference in New Issue View Git Blame Copy Permalink