EXPLORE

← Back to Explore

T1115

Clipboard Data

Adversaries may collect data stored in the clipboard from users copying information within or between applications. For example, on Windows adversaries can access clipboard data by using <code>clip.exe</code> or <code>Get-Clipboard</code>.(Citation: MSDN Clipboard)(Citation: clip_win_server)(Citation: CISA_AA21_200B) Additionally, adversaries may monitor then replace users’ clipboard with their data (e.g., [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002)).(Citatio...

LinuxmacOSWindows

15

Detections

3

Sources

3

Threat Actors

BY SOURCE

7sigma4elastic4splunk_escu

PROCEDURES (8)

Process Creation Monitoring4 detections

Auto-extracted: 4 detections for process creation monitoring

Exfiltrat3 detections

Auto-extracted: 3 detections for exfiltrat

General Monitoring3 detections

Auto-extracted: 3 detections for general monitoring

Credential1 detections

Auto-extracted: 1 detections for credential

Credential1 detections

Auto-extracted: 1 detections for credential

Script Block1 detections

Auto-extracted: 1 detections for script block

Script Execution Monitoring1 detections

Auto-extracted: 1 detections for script execution monitoring

Powershell1 detections

Auto-extracted: 1 detections for powershell

THREAT ACTORS (3)

APT38 APT39 OilRig

DETECTIONS (15)

Clipboard Collection of Image Data with Xclip Tool

Clipboard Collection with Xclip Tool

Clipboard Collection with Xclip Tool - Auditd

Clipboard Data Collection Via OSAScript

Data Copied To Clipboard Via Clip.EXE

Linux Auditd Clipboard Data Copy

Linux Clipboard Activity Detected

Linux Clipboard Data Copy

Pbpaste Execution via Unusual Parent Process

PowerShell Get Clipboard

PowerShell Get-Clipboard Cmdlet Via CLI

PowerShell Suspicious Script with Clipboard Retrieval Capabilities

Suspicious pbpaste High Volume Activity

Windows ClipBoard Data via Get-ClipBoard

Windows Post Exploitation Risk Behavior