CircleCI Atomic Red Team doc generator
54 lines
1.5 KiB
Markdown
54 lines
1.5 KiB
Markdown
# T1115 - Clipboard Data
|
|
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1115)
|
|
<blockquote>Adversaries may collect data stored in the Windows clipboard from users copying information within or between applications.
|
|
|
|
===Windows===
|
|
|
|
Applications can access clipboard data by using the Windows API. (Citation: MSDN Clipboard)
|
|
|
|
===Mac===
|
|
|
|
OSX provides a native command, <code>pbpaste</code>, to grab clipboard contents (Citation: Operating with EmPyre).
|
|
|
|
Detection: Access to the clipboard is a legitimate function of many applications on a Windows system. If an organization chooses to monitor for this behavior, then the data will likely need to be correlated against other suspicious or non-user-driven activity.
|
|
|
|
Platforms: Linux, macOS, Windows
|
|
|
|
Data Sources: API monitoring</blockquote>
|
|
|
|
## Atomic Tests
|
|
|
|
- [Atomic Test #1 - Utilize Clipboard to store or execute commands from](#atomic-test-1---utilize-clipboard-to-store-or-execute-commands-from)
|
|
|
|
- [Atomic Test #2 - PowerShell](#atomic-test-2---powershell)
|
|
|
|
|
|
<br/>
|
|
|
|
## Atomic Test #1 - Utilize Clipboard to store or execute commands from
|
|
Add data to clipboard to copy off or execute commands from.
|
|
|
|
**Supported Platforms:** Windows
|
|
|
|
|
|
#### Run it with `command_prompt`!
|
|
```
|
|
dir | clip
|
|
clip < readme.txt
|
|
```
|
|
<br/>
|
|
<br/>
|
|
|
|
## Atomic Test #2 - PowerShell
|
|
Utilize PowerShell to echo a command to clipboard and execute it
|
|
|
|
**Supported Platforms:** Windows
|
|
|
|
|
|
#### Run it with `powershell`!
|
|
```
|
|
echo Get-Process | clip
|
|
Get-Clipboard | iex
|
|
```
|
|
<br/>
|