MITRE ATT&CK Technique
Collection
T1115
Description
Adversaries may collect data stored in the clipboard from users copying information within or between applications. For example, on Windows adversaries can access clipboard data by using <code>clip.exe</code> or <code>Get-Clipboard</code>.(Citation: MSDN Clipboard)(Citation: clip_win_server)(Citation: CISA_AA21_200B) Additionally, adversaries may monitor then replace users’ clipboard with their data (e.g., [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002)).(Citation: mining_ruby_reversinglabs) macOS and Linux also have commands, such as <code>pbpaste</code>, to grab clipboard contents.(Citation: Operating with EmPyre)
Supported Platforms
Linux
macOS
Windows
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2017-05-31T21:31:25.967Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may collect data stored in the clipboard from '
'users copying information within or between applications. \n'
'\n'
'For example, on Windows adversaries can access clipboard data '
'by using <code>clip.exe</code> or '
'<code>Get-Clipboard</code>.(Citation: MSDN '
'Clipboard)(Citation: clip_win_server)(Citation: '
'CISA_AA21_200B) Additionally, adversaries may monitor then '
'replace users’ clipboard with their data (e.g., [Transmitted '
'Data '
'Manipulation](https://attack.mitre.org/techniques/T1565/002)).(Citation: '
'mining_ruby_reversinglabs)\n'
'\n'
'macOS and Linux also have commands, such as '
'<code>pbpaste</code>, to grab clipboard contents.(Citation: '
'Operating with EmPyre)',
'external_references': [{'external_id': 'T1115',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1115'},
{'description': 'CISA. (2021, August 20). Alert '
'(AA21-200B) Chinese State-Sponsored '
'Cyber Operations: Observed TTPs. '
'Retrieved June 21, 2022.',
'source_name': 'CISA_AA21_200B',
'url': 'https://www.cisa.gov/uscert/ncas/alerts/aa21-200b'},
{'description': 'Maljic, T. (2020, April 16). Mining '
'for malicious Ruby gems. Retrieved '
'October 15, 2022.',
'source_name': 'mining_ruby_reversinglabs',
'url': 'https://blog.reversinglabs.com/blog/mining-for-malicious-ruby-gems'},
{'description': 'Microsoft, JasonGerend, et al. '
'(2023, February 3). clip. Retrieved '
'June 21, 2022.',
'source_name': 'clip_win_server',
'url': 'https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/clip'},
{'description': 'Microsoft. (n.d.). About the '
'Clipboard. Retrieved March 29, 2016.',
'source_name': 'MSDN Clipboard',
'url': 'https://msdn.microsoft.com/en-us/library/ms649012'},
{'description': 'rvrsh3ll. (2016, May 18). Operating '
'with EmPyre. Retrieved July 12, '
'2017.',
'source_name': 'Operating with EmPyre',
'url': 'https://medium.com/rvrsh3ll/operating-with-empyre-ea764eda3363'}],
'id': 'attack-pattern--30973a08-aed9-4edf-8604-9084ce1b5c4f',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'collection'}],
'modified': '2025-10-24T17:48:36.079Z',
'name': 'Clipboard Data',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': False,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Linux', 'macOS', 'Windows'],
'x_mitre_version': '1.2'}