Time
8 hours 28 minutes
Difficulty
Beginner
CEU/CPE
10

Video Transcription

00:00
hello and welcome to another application of the minor attack framework
00:05
discussion. So today we're looking at clipboard data, and now right out the gate doesn't seem very interesting. All right. But I do have a little surprise for you that I thought was kind of neat.
00:18
And so we'll go through that together today as well. So we're really going to look at what clipboard data is with respect to the minor attack framework. We've got a little example that we're gonna tug into here and talk about mitigation techniques and the detection techniques as well. Now, as faras miter is concerned,
00:36
click more data is when a threat actor will attempt to collect data stored in windows Clipboard. It could also be on Max. It could be on really anything that has a clipboard.
00:45
Now with windows, the application conexes clipboard data by using the windows. A p i A *** provides a native command PB paste to grab clipboard content. Now, you're probably thinking, Really what? What could possibly be be useful here?
01:02
And so I thought the same thing I was like, Really, what is the application of this and what can we do with it?
01:07
So I went on a little adventure, and I took some time to play around with, ah, few things to try and figure out. The scenario here was getting the secret to the perfect cheesecakes, and my grandmother uses my computer. This is all fictitious, and she is trying to
01:26
essentially
01:27
find to her recipe. And I'm curious because she doesn't tell me what she's doing.
01:32
And so I figured I would make something that could help me take clipboard information from my computer when she's using it. Now. There are some things here that won't lined out with respect to getting to this point, because she would actually have to interact with something. But let's go from the top. So I created a Power Shell script, and that script
01:51
will essentially
01:53
change the directory to my downloads, and it will run the following command, get clipboard and out, put it to a clipboard dot text document, and then it will exit and leave.
02:05
Now, for those of you that know how power shell works, I can't just create ah script
02:10
and run it.
02:12
You can't double click this and it runs. You have to have something else. A mechanism that makes it run. And so in that case, we created a shortcut to
02:23
open power shell and then execute the script by feeding it into power show. Now, the cool thing here is that my anti virus actually said, Hey, you've got something that's not behaving correctly. It's kind of being sneaky And it opted to quarantine
02:40
that power shell script. So I thought that was kind of cool, because that means that one, you know, my system, even with free antivirus, is doing what it should do to try and protect me from things that I shouldn't be messing with. But the good news is, is that you know this even though there are not always mitigating factors that block these types of things
02:59
we do have, even at the free level anti virus products that seem to be able to detect this stuff in block it, which makes me feel good.
03:07
But I went ahead and disabled. This are white list of this particular script in this case so that I could try to get this secret
03:15
now the way a threat actor might use this is they might take this shortcut and turn it into something that seems beneficial or enticing to the user
03:24
could be that I have named it something like secret cheesecake recipes or whatever the case may be. And I placed it out there somewhere and someone clicked on it after maybe doing some Web surfing or whatever the case may be. And when it outputs, you'll see here that I actually got it to output the clipboard information concerning the last
03:45
thing that was copied and pasted well,
03:47
the user was long thin. Now there are some potential other use cases for this, like putting it in a running task. Any time
03:57
an individual goes to open Internet Explorer, when a certain process runs, you could really do some custom activities or custom behaviors that would cause this to fire off. But this is just, ah, high level use case for what could happen here with
04:13
the clipboard functions in our system. And again,
04:17
chances are, if it behaves in the same manner that my script was behaving, then it is likely that a good and a virus will block the behavior in deem it suspicious. So I thought that was cool. I hope you enjoyed that as much as I enjoyed putting it together now mitigation techniques
04:35
We do indicate here in user awareness training, because provider this is a tough activity to identify. The good news is, is that an A virus? And things of that nature that has a decent behavior analysis or behavior kind of flagging component will likely catch some of these activities.
04:55
But more sophisticated threat actors may have some techniques that make this run a little less,
05:00
um, forcefully, a little less. You know, Mom wasn't exactly what I would call graceful, because we cannot do it together for examples sake. But sophisticated threat actors would likely right, very complex and sophisticated scripts and code Teoh maybe circumvent some of those areas.
05:17
But in user awareness training, we can never go wrong with that. Now, from a detection standpoint, you're going to need to look for suspicious behavior patterns that indicate a threat actor, maybe on the networker system. So what this is getting back to is, is that you're going to be looking at broader data sets in order to
05:35
tied activities into what would be
05:39
a threat actor, either moving laterally, trying to run scripts, trying to gather information, and so those were really going to be your primary detection techniques. And so again, as we get into some of these other areas of the attack framework in some of these factors,
05:53
it's really coming down to a dependency more and more on human intervention and human analysis. Where is in some of the earlier phases, we may be able to get away with using some automated methods to provide detection services in mitigation services.
06:08
Now
06:09
let's do a check on learning true or false clipboard data is the data that a user copies likely with the intent to move it to another location or application?
06:23
All right, if you need additional time, please take a moment.
06:27
In this instance, this is a true statement. Clipboard data is when a user copies information with the intent to move it to another location or application to generally paste it in. So that is true.
06:39
So in summary of today's discussion,
06:42
we described clipboard data.
06:45
We looked at a high level example, wedged in here on how to use scripting to pull clipboard information. Potentially, we talked mitigation techniques and we talked detection techniques. So with that in mind, I want to thank you for your time today, and I look forward to seeing you again. Since

Up Next

Application of the MITRE ATT&CK Framework

This MITRE ATT&CK training is designed to teach students how to apply the matrix to help mitigate current threats. Students will move through the 12 core areas of the framework to develop a thorough understanding of various access ATT&CK vectors.

Instructed By

Instructor Profile Image
Robert Smith
Director of Security Services at Corsica
Instructor