AN0965: Analytic 0965
Detection of clipboard access via OS utilities (e.g., clip.exe, Get-Clipboard) by non-interactive or abnormal parent processes, potentially chained with staging or exfiltration commands.
Analyst context for executives and security teams
This analytic matters because clipboard access can expose sensitive business data that users copy during normal work, including credentials, tokens, customer data, or operational details. The ATT&CK object is limited to Windows and focuses on OS utilities such as clip.exe and Get-Clipboard being launched by non-interactive or abnormal parent processes, especially when activity is chained with staging or exfiltration-like commands. For leaders, the value is not assuming clipboard monitoring is covered, but confirming whether endpoint telemetry can show when clipboard utilities are used in unusual automation or post-compromise contexts.
Executive priority
Prioritize this as a validation item for Windows endpoint visibility and incident response readiness. The business decision is whether the organization can detect abnormal access to clipboard contents before copied secrets or sensitive data become part of a broader staging or exfiltration sequence. Security leaders should ask whether SOC playbooks distinguish normal administrative or user clipboard use from suspicious non-interactive execution, and whether this evidence can support investigation, audit, and data-handling reviews.
Technical view
For SOC and detection engineering teams, validate Windows telemetry for process execution involving clip.exe and PowerShell Get-Clipboard, with attention to parent process context, interactive versus non-interactive execution, command chaining, and nearby staging or exfiltration-oriented commands. Because the official object does not provide a detection query or tactic mapping, local baselining is required to define what counts as an abnormal parent process in the environment. IR teams should treat matches as context-building evidence rather than standalone proof of theft, then pivot to process ancestry, user session state, command lines, file writes, network activity, and related endpoint events.
Likely telemetry
- Windows process creation events, including image name, command line, parent process, user, and session context
- PowerShell execution telemetry showing Get-Clipboard usage where available
- Endpoint detection and response process ancestry and command-chain data
- User logon/session context to distinguish interactive from non-interactive execution
- File creation or modification telemetry that may indicate staging after clipboard access
Detection direction
- Create or validate logic for clip.exe and PowerShell Get-Clipboard execution on Windows with emphasis on abnormal parent processes and non-interactive contexts.
- Baseline legitimate administrative, scripting, and helpdesk use to reduce false positives.
- Correlate clipboard utility execution with staging indicators such as file writes, archive creation, or command chaining when available.
- Correlate with possible exfiltration-adjacent telemetry such as outbound connections or transfer utilities, without treating correlation alone as confirmed exfiltration.
- Review blind spots where PowerShell logging, command-line capture, parent process visibility, or EDR telemetry is incomplete.
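The detection direction above can be expressed as a small rule that runs over process-creation telemetry. The following Python is an added example, not part of the ATT&CK object or of Glexia's analysis: it runs over a handful of constructed process-creation events (host, user, session id, image, command line, parent image), flags clip.exe or PowerShell Get-Clipboard launched from a non-interactive context, skips the interactive baseline cases the page says should be allowlisted, and then correlates each hit with staging-style commands from the same host and user inside a short window. The parent-process lists, staging markers, five-minute window and all sample events are assumptions to be replaced by local baselining.

```python
"""Added example: rule logic for AN0965-style clipboard-utility detection.

All lists and sample events below are constructed assumptions; tune them from
local baselining before using anything like this in production.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

CLIPBOARD_IMAGES = {"clip.exe"}
CLIPBOARD_CMD_MARKERS = ("get-clipboard",)          # PowerShell cmdlet, matched case-insensitively

# Assumed parents that indicate service, WMI, scheduled-task or remote execution
# rather than an interactive desktop session.
NON_INTERACTIVE_PARENTS = {"services.exe", "wmiprvse.exe", "taskeng.exe",
                           "svchost.exe", "wsmprovhost.exe", "winlogon.exe"}

# Assumed command-line fragments that suggest staging after clipboard access.
STAGING_MARKERS = ("compress-archive", "7z.exe", "rar.exe", "out-file",
                   "set-content", ".zip")
STAGING_WINDOW = timedelta(minutes=5)              # assumed correlation window


@dataclass
class ProcessEvent:
    ts: datetime
    host: str
    user: str
    session_id: int        # 0 = services / non-interactive on Windows
    image: str             # full path as logged by process-creation telemetry
    cmdline: str
    parent_image: str      # basename of the parent process


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def touches_clipboard(ev: ProcessEvent) -> bool:
    """True if the event is clip.exe or a command line invoking Get-Clipboard."""
    cmd = ev.cmdline.lower()
    return basename(ev.image) in CLIPBOARD_IMAGES or any(m in cmd for m in CLIPBOARD_CMD_MARKERS)


def is_non_interactive(ev: ProcessEvent) -> bool:
    """Session 0 or an automation/service parent counts as non-interactive."""
    return ev.session_id == 0 or ev.parent_image.lower() in NON_INTERACTIVE_PARENTS


def is_staging(ev: ProcessEvent) -> bool:
    cmd = ev.cmdline.lower()
    return any(m in cmd for m in STAGING_MARKERS)


def detect(events: list) -> list:
    """Return one finding per clipboard-utility execution from a non-interactive context.

    Each finding records inline staging (same command line) and any staging-style
    commands by the same user on the same host within STAGING_WINDOW afterwards.
    Interactive baseline use (explorer/cmd parents in a user session) is not alerted.
    """
    events = sorted(events, key=lambda e: e.ts)
    findings = []
    for i, ev in enumerate(events):
        if not touches_clipboard(ev) or not is_non_interactive(ev):
            continue
        chained = [
            o.cmdline for o in events[i + 1:]
            if o.host == ev.host and o.user == ev.user
            and o.ts - ev.ts <= STAGING_WINDOW and is_staging(o)
        ]
        findings.append({
            "ts": ev.ts, "host": ev.host, "user": ev.user,
            "parent_image": ev.parent_image, "cmdline": ev.cmdline,
            "inline_staging": is_staging(ev), "chained": chained,
            # Correlation raises priority for IR triage; it is not proof of exfiltration.
            "priority": "high" if (chained or is_staging(ev)) else "medium",
        })
    return findings


# Constructed sample telemetry (not real logs).
T0 = datetime(2024, 1, 1, 9, 0, 0)
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [
    # Baseline: a user pipes output into clip.exe from an interactive cmd window.
    ProcessEvent(T0, "ws01", "CORP\\alice", 2, "C:\\Windows\\System32\\clip.exe", "clip.exe", "cmd.exe"),
    # Suspicious: Get-Clipboard under a WMI provider host in session 0, followed by archiving.
    ProcessEvent(T0 + timedelta(minutes=1), "ws02", "CORP\\svc-automation", 0, PS,
                 "powershell.exe -NoProfile -Command Get-Clipboard | Out-File C:\\Users\\Public\\cb.txt",
                 "wmiprvse.exe"),
    ProcessEvent(T0 + timedelta(minutes=2), "ws02", "CORP\\svc-automation", 0, PS,
                 "powershell.exe Compress-Archive -Path C:\\Users\\Public\\cb.txt -DestinationPath C:\\Users\\Public\\stage.zip",
                 "wmiprvse.exe"),
    # Helpdesk baseline: Get-Clipboard from an interactive PowerShell session, not alerted.
    ProcessEvent(T0 + timedelta(minutes=3), "ws03", "CORP\\helpdesk1", 1, PS,
                 "powershell.exe -Command Get-Clipboard", "explorer.exe"),
    # Unrelated session-0 service process: no clipboard utility involved.
    ProcessEvent(T0 + timedelta(minutes=4), "ws02", "CORP\\svc-automation", 0,
                 "C:\\Windows\\System32\\svchost.exe", "svchost.exe -k netsvcs", "services.exe"),
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f["priority"], f["host"], f["user"], f["parent_image"], "->", f["cmdline"])
        for c in f["chained"]:
            print("   chained:", c)
```

Run as written, the rule produces a single high-priority finding for the session-0 Get-Clipboard execution on ws02 with the follow-on Compress-Archive command attached, while the two interactive baseline events and the unrelated service process produce nothing. The correlation only shapes triage order; as the page notes, an IR team still pivots to ancestry, session state, file writes and network activity before drawing conclusions.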
Mitigation priorities
- Ensure Windows endpoint logging captures process creation, command lines, parent process relationships, and user/session context.
- Enable and retain relevant PowerShell telemetry where appropriate for the environment.
- Tune monitoring around non-interactive execution paths, automation accounts, scheduled tasks, service accounts, and remote management contexts.
- Limit unnecessary access to sensitive data copied to clipboards through broader data handling, least privilege, and identity controls.
- Use incident response procedures to investigate suspicious clipboard utility use in sequence with staging or transfer activity rather than in isolation.
Analyst notes and limits
The supplied ATT&CK object is a detection analytic, not a technique description. It provides a concise analytic description for Windows clipboard access via OS utilities and mentions abnormal or non-interactive parent processes plus potential chaining with staging or exfiltration commands. No relationships, tactic mapping, official detection query, aliases, or labels were supplied, so this take focuses on defensive validation and telemetry coverage rather than threat attribution or confirmed impact.
This assessment is constrained to the supplied official fields and external reference. It does not establish active exploitation, adversary attribution, guaranteed detection, or applicability beyond Windows. Local baselines are required to define abnormal parent processes, acceptable administrative use, and whether telemetry is complete enough for reliable alerting.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 9b73ba30d07d… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: AN0965
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.