|Platform||Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1, Linux, Windows 10, MacOS, OS X|
|Data Sources||API monitoring|
Adversaries may collect data stored in the Windows clipboard from users copying information within or between applications.
Applications can access clipboard data by using the Windows API.1
OSX provides a native command,
pbpaste, to grab clipboard contents 2.
- CosmicDuke copies and exfiltrates the clipboard contents every 30 seconds.3
- RTM collects data from the clipboard.4
- TinyZBot contains functionality to collect information from the clipboard.5
Instead of blocking software based on clipboard capture behavior, identify potentially malicious software that may contain this functionality, and audit and/or block it by using whitelisting6 tools, like AppLocker,78 or Software Restriction Policies9 where appropriate.10
Access to the clipboard is a legitimate function of many applications on a Windows system. If an organization chooses to monitor for this behavior, then the data will likely need to be correlated against other suspicious or non-user-driven activity.
- Microsoft. (n.d.). About the Clipboard. Retrieved March 29, 2016.
- rvrsh3ll. (2016, May 18). Operating with EmPyre. Retrieved July 12, 2017.
- F-Secure Labs. (2014, July). COSMICDUKE Cosmu with a twist of MiniDuke. Retrieved July 3, 2014.
- Faou, M. and Boutin, J.. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
- Cylance. (2014, December). Operation Cleaver. Retrieved December 4, 2014.
- Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.
- Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.
- NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.
- Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.
- Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.