MaxPatrol SIEM

Detects cyberincidents that undermine cyber resilience of a company

T1115: Clipboard Data

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

For example, on Windows adversaries can access clipboard data by using clip.exe or Get-Clipboard. Additionally, adversaries may monitor and then replace the contents of a user's clipboard with their own data (e.g., Transmitted Data Manipulation).

macOS and Linux also have commands, such as pbpaste, to grab clipboard contents.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

mitre_attck_collection: PT-CR-491: Clipboard_Access: Detection of attempts to make a shadow copy of information copied to the clipboard
mitre_attck_collection: PT-CR-492: Clipboard_Access_Powershell: Detection of attempts to make a shadow copy of information copied to the clipboard via PowerShell

Detection

ID: DS0009
Data source and component: Process: OS API Execution
Description: Monitor API calls that could collect data stored in the clipboard from users copying information within or between applications.

ID: DS0017
Data source and component: Command: Command Execution
Description: Monitor executed commands and arguments that may collect data stored in the clipboard from users copying information within or between applications.
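
The command-execution monitoring described above can be sketched as follows. This is an added example, not a MaxPatrol SIEM rule and not the logic of PT-CR-491 or PT-CR-492: it flags process-creation events that run the utilities named on this page (clip.exe, pbpaste) or call Get-Clipboard, including when the call is passed to PowerShell as a base64 -EncodedCommand argument. The event field names `image` and `cmdline`, the labels, and the sample events are assumptions constructed for the illustration.

```python
import base64
import re
from pathlib import PureWindowsPath

# Utilities named on this page, matched against the process image name.
CLIPBOARD_BINARIES = {"clip.exe", "pbpaste"}
GET_CLIPBOARD = re.compile(r"\bget-clipboard\b", re.IGNORECASE)
# A dash flag starting with "e" followed by a base64-looking argument.
ENCODED_ARG = re.compile(r"\s-(e[a-z]*)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

def decode_encoded_command(cmdline):
    """Decode a PowerShell -EncodedCommand argument (base64 of UTF-16LE), else ''."""
    for m in ENCODED_ARG.finditer(cmdline):
        flag = m.group(1).lower()
        # PowerShell accepts prefixes of -EncodedCommand (-e, -enc, ...) and -ec.
        if "encodedcommand".startswith(flag) or flag == "ec":
            try:
                return base64.b64decode(m.group(2), validate=True).decode("utf-16-le")
            except ValueError:  # bad base64 or bad UTF-16
                return ""
    return ""

def classify(event):
    """Return a label for a process-creation event, or None if nothing matched."""
    image = PureWindowsPath(event["image"]).name.lower()  # splits on / and \
    cmd = event["cmdline"]
    if image in CLIPBOARD_BINARIES:
        return "clipboard_utility"
    if GET_CLIPBOARD.search(cmd):
        return "get_clipboard"
    if GET_CLIPBOARD.search(decode_encoded_command(cmd)):
        return "get_clipboard_encoded"
    return None

# Constructed sample events (not real telemetry).
_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
_ENC = base64.b64encode("Get-Clipboard".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"image": _PS, "cmdline": "powershell.exe -NoProfile -Command Get-Clipboard"},
    {"image": _PS, "cmdline": f"powershell.exe -ExecutionPolicy Bypass -enc {_ENC}"},
    {"image": r"C:\Windows\System32\clip.exe", "cmdline": "clip.exe"},
    {"image": "/usr/bin/pbpaste", "cmdline": "pbpaste"},
    {"image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe report.txt"},
]

def run():
    return [classify(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for e, label in zip(SAMPLE_EVENTS, run()):
        print(label, "|", e["cmdline"])
```

Matching on the command line alone misses clipboard access made through direct API calls, which is what the OS API Execution data source (DS0009) is for.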