Quick article today about one of my favorite tools to use in a penetration test or red-team engagement after exploiting a Windows 10 system: [code]Get-Clipboard[/code].
[code]Get-Clipboard[/code] retrieves the contents of the clipboard. It sounds pretty straightforward, but it can also be a big information disclosure threat. An attacker who gets access to the logged-in user session can set up a loop to capture and display the clipboard contents every time it changes. Here is the 1-line PowerShell clipboard script I use:
$x=""; while($true) { $y=get-clipboard -raw; if ($x -ne $y) { Write-Host $y; $x=$y } ; Sleep 1 }
Let's break down this 1-line script piece-by-piece:
Running this command on a Windows host will reveal anything copied into the clipboard, but it is particularly useful when the victim uses a password manager.
Password managers often make use of the clipboard to share password information between applications. Many clipboard managers will clear a password from the clipboard after a few minutes to prevent it from being disclosed, but an active attacker can interrogate the clipboard for password information very quickly.
Here's an example of this script in use on a macOS system against the 1Password password manager.
Attacks against the clipboard aren't new, and affect a lot of platforms. Where possible, avoid using the clipboard for sensitive data like passwords (use the password manager browser plugin where possible, for example). Otherwise, recognize the clipboard as a weak point in most operating systems, and conduct your incident response investigations accordingly.
-Joshua Wright
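For the incident response side of that advice, the following is an added example (not part of the original article or the author's tooling) that uses the PowerShell parser to flag script text calling [code]Get-Clipboard[/code] (or its alias [code]gcb[/code]) inside a loop. The function name `Test-ClipboardPolling` and the sample strings are constructed for illustration, and the commented-out live query assumes script block logging (event ID 4104) is enabled on the host.

```powershell
function Test-ClipboardPolling {
    # Hypothetical helper: returns $true when the script text contains a loop
    # statement (while, do, for, foreach) whose body calls Get-Clipboard or gcb.
    param([Parameter(Mandatory)][string]$ScriptText)

    $tokens = $null
    $errors = $null
    $ast = [System.Management.Automation.Language.Parser]::ParseInput(
        $ScriptText, [ref]$tokens, [ref]$errors)

    # Collect every loop statement, including those in nested script blocks.
    $loops = $ast.FindAll({
        param($node)
        $node -is [System.Management.Automation.Language.LoopStatementAst]
    }, $true)

    foreach ($loop in $loops) {
        # Look for a clipboard read anywhere inside this loop.
        $hit = $loop.Find({
            param($node)
            $node -is [System.Management.Automation.Language.CommandAst] -and
            $node.GetCommandName() -in 'Get-Clipboard', 'gcb'
        }, $true)
        if ($hit) { return $true }
    }
    return $false
}

# Constructed samples standing in for the ScriptBlockText field of 4104 events.
$samples = @(
    '$x=""; while($true) { $y=get-clipboard -raw; if ($x -ne $y) { Write-Host $y; $x=$y } ; Sleep 1 }',
    'Get-Clipboard | Set-Content notes.txt',
    'foreach ($f in Get-ChildItem) { $f.Name }'
)
foreach ($s in $samples) {
    [pscustomobject]@{ Polling = Test-ClipboardPolling $s; Script = $s }
}

# The same check over real events on a host with script block logging enabled:
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } |
#     Where-Object { Test-ClipboardPolling $_.Properties[2].Value }
```

Only the first sample is flagged; a single clipboard read outside a loop and a loop with no clipboard read are not. Pipelines through `ForEach-Object` are not loop statements in the parser's sense and are not covered by this check.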
Joshua Wright is the author of SANS SEC504: Hacker Tools, Techniques, and Incident Handling, a faculty fellow for the SANS Institute, and a senior technical director at Counter Hack.