{"id":2163,"date":"2019-02-06T10:58:07","date_gmt":"2019-02-06T18:58:07","guid":{"rendered":"https:\/\/zed.inguardians.com\/?p=2163"},"modified":"2019-05-03T13:43:21","modified_gmt":"2019-05-03T21:43:21","slug":"all-your-copy-paste-are-belong-to-us","status":"publish","type":"post","link":"https:\/\/zed.inguardians.com\/blog\/all-your-copy-paste-are-belong-to-us\/","title":{"rendered":"All Your Copy\/Paste Are Belong to Us"},"content":{"rendered":"


Author: Adam Crompton, Senior Security Consultant

Introduction

The clipboard functionality of modern operating systems has been around for decades, implemented to provide the ability to take a bunch of 1’s and 0’s and store them temporarily. In more common parlance, we know this as the functionality of Copy/Paste, or CTRL-C/CTRL-V. In this relationship, the clipboard is the temporary storage for the items picked up by the copy operation, later to be retrieved by the paste operation.

The intent of this post is not to go on about clipboard functionality, but to make readers aware of the often ignored risk that comes with that functionality.

What is Invoke-ClipboardC2 and Why Was it Created

Over the past fifteen years InGuardians has had the privilege to help many amazing organizations secure their infrastructure. With each new engagement, our clients implement our recommendations and, over time, mature their security posture into a robust and responsive state. In essence, our clients become more secure, more difficult to compromise. This is exactly what we strive for, but it also means that for each subsequent penetration test to be successful InGuardians needs to constantly innovate.

On a recent assessment our operators were able to compromise the corporate Active Directory domain, granting us administrative access to the entire corporate network. In this particular assessment, the corporate network was just the first step in compromising more restrictive networks.

With admin access to the corporate domain, our operators were able to determine that users were accessing the restricted network through a variety of methods including jumpboxes, split tunnel VPN, and Microsoft Remote Desktop (RDP). We were also able to gain insight into the tools in use for connectivity to the target network, including password managers and two-factor authentication.

Users accessing the target network were leveraging password safes to store their credentials and using copy/paste to insert the passwords into the login areas. Because they were not ‘typing’ the passwords, traditional keystroke logging was not yielding its usual success. We realized that access to the clipboard would allow us access to a great amount of information missed by a keylogger, such as the copy/paste of credentials and 2FA soft tokens, as well as the possibility to interact directly with the RDP session clipboard. This is how Invoke-Clipboard was born.

What is Invoke-Clipboard?

Invoke-Clipboard is a set of PowerShell tools that weaponizes the Windows clipboard. Invoke-Clipboard has two methods of being called: one for clipboard logging/harvesting (Invoke-Clipboard Logger) and the other for establishing a Command and Control (C2C) channel over the clipboard (Invoke-ClipboardC2C and Invoke-ClipboardC2V).

How Invoke-Clipboard Works

Invoke-Clipboard Logger’s only function is to read from the clipboard and return results for anything that was sent to the clipboard either programmatically or by the user. This can be very useful on a Red Team assessment, as it helps operators profile the target’s daily activities, steal credentials from password safes and any other data sent to the clipboard. In conjunction with a keylogger and timestamped screenshots, attackers can now build a catalog of credentials and associated applications.


Invoke-ClipboardC2V is the clipboard parsing portion of the C2 running on the victim. This is the script that is deployed on the victim to capture new commands sent by Invoke-ClipboardC2C, execute them on the victim system and return the output to the clipboard for retrieval by Invoke-ClipboardC2C.

Invoke-ClipboardC2C is the client portion of the Command and Control (C2) infrastructure. After sending a command, the client sleeps until the clipboard buffer has changed. Once the clipboard buffer has changed, the results are parsed and sent to the C2 operator.

Demo