|Platform||Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1|
|Data Sources||API monitoring|
Adversaries may collect data stored in the Windows clipboard from users copying information within or between applications.
Applications can access clipboard data by using the Windows API.1
- TinyZBot contains functionality to collect information from the clipboard.2
- CosmicDuke copies and exfiltrates the clipboard contents every 30 seconds.3
Instead of blocking software based on clipboard capture behavior, identify potentially malicious software that may contain this functionality, and audit and/or block it by using whitelisting4 tools, like AppLocker,56 or Software Restriction Policies7 where appropriate.8
Access to the clipboard is a legitimate function of many applications on a Windows system. If an organization chooses to monitor for this behavior, then the data will likely need to be correlated against other suspicious or non-user-driven activity.
- Microsoft. (n.d.). About the Clipboard. Retrieved March 29, 2016.
- Cylance. (2014, December). Operation Cleaver. Retrieved December 4, 2014.
- F-Secure Labs. (2014, July). COSMICDUKE Cosmu with a twist of MiniDuke. Retrieved July 3, 2014.
- Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.
- Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.
- NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.
- Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.
- Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.