Clipboard Data

From ATT&CK
Technique
ID: T1115
Tactic: Collection
Platform: Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1
Data Sources: API monitoring

Adversaries may collect data stored in the Windows clipboard from users copying information within or between applications.

Applications can access clipboard data by using the Windows API.[1]

Examples

  • TinyZBot contains functionality to collect information from the clipboard.[2]
  • CosmicDuke copies and exfiltrates the clipboard contents every 30 seconds.[3]
  • RTM collects data from the clipboard.[4]

Mitigation

Instead of blocking software based on clipboard capture behavior, identify potentially malicious software that may contain this functionality, and audit and/or block it by using whitelisting[5] tools, like AppLocker,[6][7] or Software Restriction Policies[8] where appropriate.[9]

Detection

Access to the clipboard is a legitimate function of many applications on a Windows system. If an organization chooses to monitor for this behavior, then the data will likely need to be correlated against other suspicious or non-user-driven activity.
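
One way to look for non-user-driven clipboard access in API monitoring data, as an added example that is not part of the original page: it flags processes whose clipboard reads arrive at a near-constant interval, like the 30-second polling noted for CosmicDuke above. The event tuple layout, process names, thresholds and function name are assumptions made for illustration; GetClipboardData is the Win32 call that reads clipboard contents.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Win32 call that returns clipboard contents; the event schema is assumed.
CLIPBOARD_READ_APIS = {"GetClipboardData"}


def periodic_clipboard_readers(events, min_calls=5, max_jitter=2.0):
    """Return {(pid, image): mean_interval_seconds} for processes whose
    clipboard reads are evenly spaced (timer-driven) rather than following
    the irregular rhythm of a user pasting."""
    calls = defaultdict(list)
    for ts, pid, image, api in events:
        if api in CLIPBOARD_READ_APIS:
            calls[(pid, image)].append(ts)

    flagged = {}
    for key, stamps in calls.items():
        if len(stamps) < min_calls:
            continue  # too few reads to judge a rhythm
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        # Low spread between consecutive reads suggests a polling loop.
        if pstdev(gaps) <= max_jitter:
            flagged[key] = round(mean(gaps), 1)
    return flagged


# Constructed sample events: (seconds, pid, image, api)
SAMPLE_EVENTS = (
    [(t, 4120, "updater.exe", "GetClipboardData")
     for t in (0, 30, 61, 90, 120, 151)]
    + [(t, 2288, "winword.exe", "GetClipboardData")
       for t in (12, 19, 240, 251, 900, 1430)]
    + [(5, 2288, "winword.exe", "OpenClipboard"),
       (40, 3000, "notepad.exe", "GetClipboardData")]
)

if __name__ == "__main__":
    hits = periodic_clipboard_readers(SAMPLE_EVENTS)
    for (pid, image), interval in hits.items():
        print(f"pid={pid} image={image} reads clipboard every ~{interval}s")
```

A flagged process is a candidate for correlation with other activity, not a verdict, since legitimate software may also read the clipboard on a timer.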