Clipboard Data

From enterprise
Jump to: navigation, search
Clipboard Data
ID T1115
Tactic Collection
Platform Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1, Linux, Windows 10, MacOS, OS X
Data Sources API monitoring

Adversaries may collect data stored in the Windows clipboard from users copying information within or between applications.


Applications can access clipboard data by using the Windows API.1


OSX provides a native command, pbpaste, to grab clipboard contents 2.


  • CosmicDuke copies and exfiltrates the clipboard contents every 30 seconds.3
  • RTM collects data from the clipboard.4
  • TinyZBot contains functionality to collect information from the clipboard.5


Instead of blocking software based on clipboard capture behavior, identify potentially malicious software that may contain this functionality, and audit and/or block it by using whitelisting6 tools, like AppLocker,78 or Software Restriction Policies9 where appropriate.10


Access to the clipboard is a legitimate function of many applications on a Windows system. If an organization chooses to monitor for this behavior, then the data will likely need to be correlated against other suspicious or non-user-driven activity.