T1115 - Clipboard Data
Tactics:
Collection
Collection
Platforms:
Linux macOS Windows
Linux macOS Windows
Detection:
Not specified
Not specified
Description:
Adversaries may collect data stored in the clipboard from users copying information within or between applications.
For example, on Windows adversaries can access clipboard data by using <code>clip.exe</code> or <code>Get-Clipboard</code>.(Citation: MSDN Clipboard)(Citation: clip_win_server)(Citation: CISA_AA21_200B) Additionally, adversaries may monitor then replace users’ clipboard with their data (e.g., [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002)).(Citation: mining_ruby_reversinglabs)
macOS and Linux also have commands, such as <code>pbpaste</code>, to grab clipboard contents.(Citation: Operating with EmPyre)
For example, on Windows adversaries can access clipboard data by using <code>clip.exe</code> or <code>Get-Clipboard</code>.(Citation: MSDN Clipboard)(Citation: clip_win_server)(Citation: CISA_AA21_200B) Additionally, adversaries may monitor then replace users’ clipboard with their data (e.g., [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002)).(Citation: mining_ruby_reversinglabs)
macOS and Linux also have commands, such as <code>pbpaste</code>, to grab clipboard contents.(Citation: Operating with EmPyre)
Used by Actors (3)
Malware (20)
PAKLOG other
Zeus Panda other
InvisibleFerret other
BOOKWORM other
CosmicDuke other
Machete other
FlawedAmmyy other
Mispadu other
VERMIN other
MarkiRAT other
DarkComet other
CHIMNEYSWEEP other
DarkTortilla other
ROKRAT other
RunningRAT other
Explosive other
Clambling other
DarkGate other
Metamorfo other
KONNI other
Metadata
| MITRE ID: | T1115 |
| STIX ID: | attack-pattern--30973a08-aed9-... |
| Platforms: | Linux, macOS, Windows |
| Created: | 13/01/2026 17:48 |
| Updated: | 06/03/2026 16:00 |