title: Clipboard Data (T1115)
id: df00tech-t1115
status: experimental
description: "Adversaries may collect data stored in the clipboard from users copying information within or between applications. On Windows, adversaries can read clipboard contents using PowerShell's Get-Clipboard cmdlet, the Win32 API functions OpenClipboard() and GetClipboardData(), or by invoking clip.exe in combination with scripting. macOS and Linux provide pbpaste and xclip/xsel utilities respectively. Clipboard content frequently contains high-value data including passwords copied from password managers, authentication tokens, cryptocurrency wallet addresses, PII, and internal URLs. Advanced malware such as Agent Tesla, RTM, Astaroth, CHIMNEYSWEEP, and DarkComet implement persistent clipboard monitoring loops that exfiltrate captured content, while crypto-clippers (a subclass) additionally replace clipboard content with attacker-controlled values to hijack cryptocurrency transactions."
references:
  - https://attack.mitre.org/techniques/T1115/
  - https://df00tech.com/detections/T1115
author: df00tech
date: 2026/04/18
tags:
  - attack.t1115
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
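  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # The selection below is a placeholder: the '*' wildcard matches any EventID value, so it
  # does not detect clipboard access specifically. Replace it before deploying this rule.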
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Password managers (KeePass, Bitwarden, 1Password) auto-clearing clipboard after paste using scripts or scheduled tasks"
  - Remote Desktop Protocol (RDP) and virtual desktop infrastructure (VDI) clipboard synchronization agents running as background services
  - "Legitimate clipboard manager utilities (Ditto, ClipX, CopyQ, Paste) that monitor and log clipboard history for productivity"
  - "Accessibility software and screen readers (NVDA, JAWS, Windows Narrator) that access clipboard content for reading aloud"
  - "Development and testing automation frameworks (Selenium, AutoHotkey, PyAutoGUI) using clipboard for UI automation workflows"
  - Help desk and IT tools that read clipboard content for ticketing or remote assistance purposes
level: medium
