Clipboard Data

From enterprise
Jump to: navigation, search
Clipboard Data
ID T1115
Tactic Collection
Platform Linux, macOS, Windows
Data Sources API monitoring

Adversaries may collect data stored in the Windows clipboard from users copying information within or between applications.


Applications can access clipboard data by using the Windows API.1


OSX provides a native command, pbpaste, to grab clipboard contents 2.


  • CosmicDuke copies and exfiltrates the clipboard contents every 30 seconds.3
  • The executable version of Helminth has a module to log clipboard contents.4
  • A JHUHUGIT variant accesses a screenshot saved in the clipboard and converts it to a JPG image.5
  • RTM collects data from the clipboard.6
  • TinyZBot contains functionality to collect information from the clipboard.7


Instead of blocking software based on clipboard capture behavior, identify potentially malicious software that may contain this functionality, and audit and/or block it by using whitelisting8 tools, like AppLocker,910 or Software Restriction Policies11 where appropriate.12


Access to the clipboard is a legitimate function of many applications on a Windows system. If an organization chooses to monitor for this behavior, then the data will likely need to be correlated against other suspicious or non-user-driven activity.