🍎

T1115

Clipboard Data

Description from ATT&CK

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

For example, on Windows adversaries can access clipboard data by using clip.exe or Get-Clipboard.(Citation: MSDN Clipboard)(Citation: clip_win_server)(Citation: CISA_AA21_200B) Additionally, adversaries may monitor then replace users’ clipboard with their data (e.g., Transmitted Data Manipulation).(Citation: mining_ruby_reversinglabs)

macOS and Linux also have commands, such as pbpaste, to grab clipboard contents.(Citation: Operating with EmPyre)

Tests

Test #1 - Get clipboard content (using System Events)

Retrieves the current clipboard content using System Events.

⚠️ TCC Required 
tell application "System Events" to get the clipboard

Download Files

Download .scpt Download .swift Download Binary Download Application Bundle

Test #2 - Set clipboard content (using System Events)

Sets the clipboard content to a specified value using System Events.

⚠️ TCC Required

Input Arguments:

ArgumentTypeDefault Value
clipboardContentstrHello, world!
tell application "System Events" to set the clipboard to "Hello, world!"

Download Files

Download .scpt Download .swift Download Binary Download Application Bundle

Test #3 - Get clipboard content (using AppleScript defaults)

Retrieves the current clipboard content using AppleScript's built-in clipboard command.

the clipboard

Download Files

Download .scpt Download .swift Download Binary Download Application Bundle

Test #4 - Set clipboard content (using AppleScript defaults)

Sets the clipboard content to a specified value using AppleScript's built-in clipboard command.

Input Arguments:

ArgumentTypeDefault Value
textContentstrHello, world!
set the clipboard to "Hello, world!"

Download Files

Download .scpt Download .swift Download Binary Download Application Bundle

Test #5 - Get clipboard content (using Cocoa)

Retrieves clipboard content using Cocoa frameworks (Foundation and AppKit).

use framework "Foundation"
use framework "AppKit"

set pasteboard to current application's NSPasteboard's generalPasteboard()
set clipboardContent to pasteboard's stringForType:"public.utf8-plain-text"
clipboardContent

Download Files

Download .scpt Download .swift Download Binary Download Application Bundle

Test #6 - Set clipboard content (using Cocoa)

Sets clipboard content using Cocoa frameworks (Foundation and AppKit).

Input Arguments:

ArgumentTypeDefault Value
textContentstrHello, world!
use framework "Foundation"
use framework "AppKit"

set pasteboard to current application's NSPasteboard's generalPasteboard()
pasteboard's setString:"Hello, world!" forType:"public.utf8-plain-text"

Download Files

Download .scpt Download .swift Download Binary Download Application Bundle

References

T1113

Input Capture

T1120

Peripheral Device Discovery

On this page

Description from ATT&CK
Tests
Test #1 - Get clipboard content (using System Events)
Test #2 - Set clipboard content (using System Events)
Test #3 - Get clipboard content (using AppleScript defaults)
Test #4 - Set clipboard content (using AppleScript defaults)
Test #5 - Get clipboard content (using Cocoa)
Test #6 - Set clipboard content (using Cocoa)
References