Clipboard Data

Adversaries may collect data stored in the Windows clipboard from users copying information within or between applications.

Windows

Applications can access clipboard data by using the Windows API. [1]

Mac

OSX provides a native command, pbpaste, to grab clipboard contents [2].

ID: T1115
Tactic: Collection
Platform: Linux, Windows, macOS
Data Sources: API monitoring
CAPEC ID: CAPEC-637
Version: 1.0

Procedure Examples

Name Description
Agent Tesla Agent Tesla can steal data from the victim’s clipboard. [9] [10] [11]
APT38 APT38 used a Trojan called KEYLIME to collect data from the clipboard. [26]
Astaroth Astaroth collects information from the clipboard by using the OpenClipboard() and GetClipboardData() libraries. [21]
Catchamas Catchamas steals data stored in the clipboard. [6]
CosmicDuke CosmicDuke copies and exfiltrates the clipboard contents every 30 seconds. [15]
DarkComet DarkComet can steal data from the clipboard. [19]
Empire Empire can harvest clipboard data on both Windows and macOS systems. [5]
Helminth The executable version of Helminth has a module to log clipboard contents. [13]
JHUHUGIT A JHUHUGIT variant accesses a screenshot saved in the clipboard and converts it to a JPG image. [7]
jRAT jRAT can capture clipboard data. [23]
Koadic Koadic can retrieve the current content of the user clipboard. [3]
KONNI KONNI had a feature to steal data from the clipboard. [20]
Machete Machete hijacks the clipboard data by creating an overlapped window that listens to keyboard events. [24] [25]
MacSpy MacSpy can steal clipboard contents. [12]
Remcos Remcos steals and modifies data from the clipboard. [4]
Remexi Remexi collects text from the clipboard. [22]
RTM RTM collects data from the clipboard. [8]
RunningRAT RunningRAT contains code to open and copy data from the clipboard. [14]
TinyZBot TinyZBot contains functionality to collect information from the clipboard. [17]
VERMIN VERMIN collects data stored in the clipboard. [18]
Zeus Panda Zeus Panda can hook GetClipboardData function to watch for clipboard pastes to collect. [16]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

Access to the clipboard is a legitimate function of many applications on a Windows system. If an organization chooses to monitor for this behavior, then the data will likely need to be correlated against other suspicious or non-user-driven activity.
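As an added illustration of the correlation this detection note calls for (example code written for this page, not part of ATT&CK or any referenced tool): a small Python detector that reads constructed API-monitoring events and flags only a process that is not a known interactive application and that calls GetClipboardData at a near-constant interval, the polling pattern the CosmicDuke entry describes, while a single read or irregular reads by an unknown process are left alone. The log format, process names and allowlist are assumptions.

```python
from collections import defaultdict
from statistics import pstdev

# Constructed API-monitoring events (not real telemetry): "timestamp pid process api".
SAMPLE_EVENTS = """\
10 1200 explorer.exe GetClipboardData
40 4040 svchost_upd.exe OpenClipboard
40 4040 svchost_upd.exe GetClipboardData
70 4040 svchost_upd.exe GetClipboardData
95 2222 notepad.exe GetClipboardData
100 4040 svchost_upd.exe GetClipboardData
130 4040 svchost_upd.exe GetClipboardData
200 5555 onetime.exe GetClipboardData
300 6666 helper.exe GetClipboardData
310 6666 helper.exe GetClipboardData
400 6666 helper.exe GetClipboardData
"""

# Assumed allowlist: interactive applications whose clipboard reads are user-driven.
KNOWN_CLIPBOARD_USERS = {"explorer.exe", "notepad.exe"}
CLIPBOARD_APIS = {"OpenClipboard", "GetClipboardData"}

def parse_events(text):
    """Parse the constructed log format into (timestamp, pid, process, api) tuples."""
    events = []
    for line in text.splitlines():
        ts, pid, proc, api = line.split()
        if api in CLIPBOARD_APIS:
            events.append((int(ts), int(pid), proc, api))
    return events

def find_polling_readers(events, min_reads=3, max_jitter=2.0):
    """Return {(pid, process): mean interval} for non-allowlisted processes that call
    GetClipboardData repeatedly at a near-constant interval; a lone read is not flagged."""
    reads = defaultdict(list)
    for ts, pid, proc, api in events:
        if api == "GetClipboardData":
            reads[(pid, proc)].append(ts)
    hits = {}
    for (pid, proc), stamps in reads.items():
        if proc in KNOWN_CLIPBOARD_USERS or len(stamps) < min_reads:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if pstdev(gaps) <= max_jitter:  # regular cadence suggests a polling loop, not a user paste
            hits[(pid, proc)] = sum(gaps) / len(gaps)
    return hits
```

On the constructed sample only svchost_upd.exe is reported, with a 30 second interval; in real telemetry the result would still be a lead to correlate with process provenance and other activity, not a verdict by itself.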

References