What’s on your clipboard?

One of the fascinating aspects of Windows systems, from a DF/IR perspective, for me has been the clipboard. Notice I said, “one of”, rather than “the”…that’s because there are a lot of fascinating aspects of Windows systems when it comes to DF/IR work. I include the clipboard in this mostly because there is various malware…infostealers, etc…that will dump the contents of the clipboard as part of their functionality. Also, there’s malware that will place a malicious bitcoin wallet address on the clipboard, in hopes that the user simply pastes that address when they’re enabling a transaction. I mention malware that modifies the clipboard in this 2008 blog post.

I’ll admit that early on in my DF/IR career, this isn’t something that I thought about collecting as part of an IR engagement. Even when we were using batch files to run native tools from a USB stick or CD-ROM drive, I don’t remember including the capability to dump the clipboard, nor even having the discussion to do so. This may be because we weren’t seeing anything…any data, or malware analysis…that would indicate that this was something we needed to be concerned about. Even back as far as 2007 or 2008-ish, I don’t remember seeing any malware on PCI engagements, for example, that showed any signs of interacting with the clipboard. 

However, now, there’s even a MITRE ATT&CK technique, T1115, to address clipboard data. The MITRE ATT&CK page for the technique lists more than a few examples of malware and groups that target the Windows clipboard for data. 

I recently ran across a reference to a tool that’s been around for a while named ClipboardHistoryThief. According to the GitHub site for the tool, it’s been around for about 3 years. After reading a bit about the ClipboardHistoryThief app, I decided to take a look at what I might have on my clipboard, so I hit the Windows logo key + V key combo, and the image seen in Figure 1 appeared on my desktop.
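For the collection side of this, here is an added triage snippet (my example, not code from the post or from the ClipboardHistoryThief project) that grabs the interactive user's clipboard as IR evidence, flags text shaped like a cryptocurrency wallet address, and records whether Win+V clipboard history is enabled. It assumes Windows PowerShell 5.1 (the `-Format` parameter of Get-Clipboard is not in PowerShell 7), and the two `HKCU\Software\Microsoft\Clipboard` values are the ones I know Windows uses for the history and cloud-sync toggles.

```powershell
# Added IR triage example (not from the original post). Run inside the logged-on
# user's session: the clipboard is per-session, so a remote SYSTEM shell sees
# a different, usually empty, clipboard.
Add-Type -AssemblyName System.Drawing

$outDir = Join-Path $env:TEMP ('clipboard-triage-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $outDir | Out-Null

$record = [ordered]@{
    CollectedUtc = (Get-Date).ToUniversalTime().ToString('o')
    Host         = $env:COMPUTERNAME
    User         = $env:USERNAME
}

# Text is what infostealers and address-swapping malware care about.
$text = Get-Clipboard -Format Text -Raw   # -Raw: single string, line breaks kept
if ($text) {
    $record.TextLength = $text.Length
    $bytes = [Text.Encoding]::UTF8.GetBytes($text)
    $record.TextSha256 = (Get-FileHash -InputStream ([IO.MemoryStream]::new($bytes)) -Algorithm SHA256).Hash
    Set-Content -Path (Join-Path $outDir 'clipboard.txt') -Value $text -Encoding UTF8
    # Heuristic only (constructed pattern): BTC legacy/bech32 and 0x-prefixed 40-hex addresses.
    $walletLike = [regex]::Matches($text, '\b(bc1[a-z0-9]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34}|0x[a-fA-F0-9]{40})\b')
    $record.WalletLikeStrings = @($walletLike | ForEach-Object { $_.Value })
}

# Copied file paths and images are evidence too (cut/paste staging, screenshots).
$files = Get-Clipboard -Format FileDropList
if ($files) { $record.FileDropList = @($files | ForEach-Object { $_.FullName }) }
$img = Get-Clipboard -Format Image
if ($img) {
    $img.Save((Join-Path $outDir 'clipboard.png'), [System.Drawing.Imaging.ImageFormat]::Png)
    $record.ImageSize = "$($img.Width)x$($img.Height)"
}

# Win+V history only exists when EnableClipboardHistory is 1; record both toggles
# so the analyst knows whether the history store is worth pulling from the host.
$clipKey = 'HKCU:\Software\Microsoft\Clipboard'
$record.EnableClipboardHistory = (Get-ItemProperty -Path $clipKey -Name EnableClipboardHistory -ErrorAction SilentlyContinue).EnableClipboardHistory
$record.CloudClipboardAutomaticUpload = (Get-ItemProperty -Path $clipKey -Name CloudClipboardAutomaticUpload -ErrorAction SilentlyContinue).CloudClipboardAutomaticUpload

$record | ConvertTo-Json -Depth 3 | Set-Content -Path (Join-Path $outDir 'clipboard.json') -Encoding UTF8
Write-Host "Clipboard triage written to $outDir"
```

Reading the clipboard does not clear it, so the user's pending paste is undisturbed; the JSON plus the hashed text file gives you something to timestamp and put in the case notes.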

This article has been indexed from Windows Incident Response