
Clipboard Data

Adversaries may collect data stored in the Windows clipboard from users copying information within or between applications.

Windows

Applications can access clipboard data by using the Windows API; reading text, for example, is a short sequence of user32 calls (OpenClipboard, GetClipboardData with a format such as CF_UNICODETEXT, then CloseClipboard) that any process in the interactive session can make. [1]

Mac

macOS provides a native command, pbpaste, that prints the current clipboard (pasteboard) contents to standard output, so no custom API code is required [2].
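The two access paths described above, as an added example written for this page (not code from MITRE or from any of the tools in the Examples table): on Windows it makes the Win32 user32/kernel32 calls that an API-monitoring data source would record, and on macOS it shells out to pbpaste. The collect_changes loop polls at a fixed interval, the pattern described for CosmicDuke below, but records a capture only when the content hash changes; the function names and the polling parameters are this example's own.

```python
"""Read the clipboard as the page describes: Win32 API on Windows, pbpaste on macOS."""
import hashlib
import subprocess
import sys
import time


def read_clipboard_windows():
    """Win32 sequence: OpenClipboard -> IsClipboardFormatAvailable ->
    GetClipboardData(CF_UNICODETEXT) -> GlobalLock / copy / GlobalUnlock ->
    CloseClipboard. Returns the text, or None if the clipboard holds no text."""
    import ctypes
    from ctypes import wintypes

    CF_UNICODETEXT = 13
    user32 = ctypes.windll.user32
    kernel32 = ctypes.windll.kernel32
    user32.OpenClipboard.argtypes = [wintypes.HWND]
    user32.OpenClipboard.restype = wintypes.BOOL
    user32.IsClipboardFormatAvailable.argtypes = [wintypes.UINT]
    user32.IsClipboardFormatAvailable.restype = wintypes.BOOL
    user32.GetClipboardData.argtypes = [wintypes.UINT]
    user32.GetClipboardData.restype = wintypes.HANDLE
    user32.CloseClipboard.restype = wintypes.BOOL
    kernel32.GlobalLock.argtypes = [wintypes.HGLOBAL]
    kernel32.GlobalLock.restype = wintypes.LPVOID
    kernel32.GlobalUnlock.argtypes = [wintypes.HGLOBAL]
    kernel32.GlobalUnlock.restype = wintypes.BOOL

    if not user32.OpenClipboard(None):
        return None  # another process currently owns the clipboard
    try:
        if not user32.IsClipboardFormatAvailable(CF_UNICODETEXT):
            return None  # bitmap, file list, etc.: not text
        handle = user32.GetClipboardData(CF_UNICODETEXT)
        if not handle:
            return None
        ptr = kernel32.GlobalLock(handle)
        if not ptr:
            return None
        try:
            return ctypes.wstring_at(ptr)  # NUL-terminated UTF-16 buffer
        finally:
            kernel32.GlobalUnlock(handle)
    finally:
        user32.CloseClipboard()


def read_clipboard_macos():
    """macOS: the native pbpaste command writes the pasteboard to stdout."""
    return subprocess.run(["pbpaste"], capture_output=True, text=True, check=True).stdout


def read_clipboard():
    """Dispatch on platform; Linux has no single native clipboard API here."""
    if sys.platform == "win32":
        return read_clipboard_windows()
    if sys.platform == "darwin":
        return read_clipboard_macos()
    raise NotImplementedError(f"no clipboard reader for {sys.platform}")


def collect_changes(read_fn, polls, interval=0.0):
    """Poll read_fn `polls` times at a fixed interval and keep only contents
    not seen on the previous poll (deduplicated by SHA-256 of the text).
    read_fn is injectable so the loop can be exercised without a real clipboard."""
    last_digest = None
    captured = []
    for _ in range(polls):
        text = read_fn()
        if text is not None:
            digest = hashlib.sha256(text.encode("utf-8")).hexdigest()
            if digest != last_digest:
                captured.append(text)
                last_digest = digest
        if interval:
            time.sleep(interval)
    return captured


if __name__ == "__main__":
    # Poll the real clipboard ten times, two seconds apart, and print new contents.
    for item in collect_changes(read_clipboard, polls=10, interval=2.0):
        print(repr(item))
```

The Windows path is the one to hook or log if you build detection from API monitoring: OpenClipboard and GetClipboardData are the calls that every text-reading variant has to make, regardless of how the data is later staged or exfiltrated.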

ID: T1115

Tactic: Collection

Platform: Linux, Windows, macOS

Data Sources: API monitoring

Version: 1.0

Examples

Name / Description
Catchamas

Catchamas steals data stored in the clipboard.[3]

CosmicDuke

CosmicDuke copies and exfiltrates the clipboard contents every 30 seconds.[4]

Helminth

The executable version of Helminth has a module to log clipboard contents.[5]

JHUHUGIT

A JHUHUGIT variant accesses a screenshot saved in the clipboard and converts it to a JPG image.[6]

Koadic

Koadic can retrieve the current content of the user clipboard.[7]

MacSpy

MacSpy can steal clipboard contents.[8]

RTM

RTM collects data from the clipboard.[9]

RunningRAT

RunningRAT contains code to open and copy data from the clipboard.[10]

TinyZBot

TinyZBot contains functionality to collect information from the clipboard.[11]

VERMIN

VERMIN collects data stored in the clipboard.[12]

Mitigation

Clipboard access is too common in legitimate software to block on that behavior alone. Instead, identify potentially malicious software that may contain this functionality, and audit and/or block it using application whitelisting [13] tools such as AppLocker [14] [15] or Software Restriction Policies [16] where appropriate. [17]

Detection

Access to the clipboard is a legitimate function of many applications on a Windows system, so raw API-monitoring events for OpenClipboard or GetClipboardData will be noisy. If an organization chooses to monitor for this behavior, the data will likely need to be correlated against other suspicious or non-user-driven activity: for example, a process that reads the clipboard at a fixed interval (as CosmicDuke does every 30 seconds) rather than in response to a user paste, a process with no user-facing window reading it, or clipboard reads from an unsigned binary running out of a user-writable directory.
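The correlation described above, as an added example for this page (not a MITRE or vendor detection): it runs over constructed API-monitoring events with a hypothetical schema (ts in seconds, the calling pid and image path, the API name, and whether the caller owned the foreground window) and flags processes whose clipboard reads are periodic or mostly happen while the process is not in the foreground. The thresholds and the field names are assumptions to adapt to your own feed.

```python
"""Flag clipboard-reading processes whose access pattern is not user-driven."""
from collections import defaultdict
from statistics import mean, pstdev

EDITOR = r"C:\Program Files\Notepad++\notepad++.exe"
SUSPECT = r"C:\Users\alice\AppData\Roaming\svhost.exe"

# Constructed sample events (hypothetical API-monitoring schema). pid 4120 is an
# editor the user pastes into a few times; pid 6688 polls every 30 s from the
# background, the pattern described for CosmicDuke in the Examples table.
SAMPLE_EVENTS = [
    {"ts": 5.0, "pid": 4120, "image": EDITOR, "api": "GetClipboardData", "foreground": True},
    {"ts": 48.3, "pid": 4120, "image": EDITOR, "api": "GetClipboardData", "foreground": True},
    {"ts": 61.2, "pid": 4120, "image": EDITOR, "api": "OpenClipboard", "foreground": True},
    {"ts": 131.9, "pid": 4120, "image": EDITOR, "api": "GetClipboardData", "foreground": True},
    {"ts": 10.0, "pid": 6688, "image": SUSPECT, "api": "GetClipboardData", "foreground": False},
    {"ts": 40.1, "pid": 6688, "image": SUSPECT, "api": "GetClipboardData", "foreground": False},
    {"ts": 70.0, "pid": 6688, "image": SUSPECT, "api": "GetClipboardData", "foreground": False},
    {"ts": 99.9, "pid": 6688, "image": SUSPECT, "api": "GetClipboardData", "foreground": False},
    {"ts": 130.0, "pid": 6688, "image": SUSPECT, "api": "GetClipboardData", "foreground": False},
]

# Only the call that actually returns the data counts as a read; OpenClipboard
# alone is also made by programs that merely write or inspect formats.
CLIPBOARD_READ_APIS = {"GetClipboardData"}


def reads_by_pid(events):
    """Group (ts, foreground) pairs of clipboard reads by pid, sorted by time."""
    by_pid = defaultdict(list)
    images = {}
    for e in events:
        if e["api"] in CLIPBOARD_READ_APIS:
            by_pid[e["pid"]].append((e["ts"], e["foreground"]))
            images[e["pid"]] = e["image"]
    for pid in by_pid:
        by_pid[pid].sort()
    return by_pid, images


def is_periodic(timestamps, min_reads=4, max_jitter=0.15):
    """True when at least min_reads reads are spaced at a near-constant
    interval (relative standard deviation of the gaps <= max_jitter)."""
    if len(timestamps) < min_reads:
        return False
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    avg = mean(gaps)
    return avg > 0 and pstdev(gaps) / avg <= max_jitter


def analyze(events, min_reads=3, background_ratio=0.5):
    """Return one finding per pid whose read pattern looks automated."""
    by_pid, images = reads_by_pid(events)
    findings = []
    for pid, reads in by_pid.items():
        ts = [t for t, _ in reads]
        background = sum(1 for _, fg in reads if not fg)
        reasons = []
        if is_periodic(ts):
            reasons.append("periodic polling")
        if len(reads) >= min_reads and background / len(reads) > background_ratio:
            reasons.append("reads while not foreground")
        if reasons:
            findings.append({"pid": pid, "image": images[pid], "reads": len(reads),
                             "background_reads": background, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"pid {f['pid']} {f['image']}: {f['reads']} reads, {', '.join(f['reasons'])}")
```

Periodicity on its own catches only the crudest loops; a sample that jitters its sleep will pass is_periodic, which is why the second rule (reads from a process that is never in front of the user) and the image path are kept in the finding for the analyst to weigh.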

References