AN0966: Analytic 0966
Detection of pbpaste/pbcopy clipboard access by processes without terminal sessions or linked to launch agents, potentially staged for collection.
Analyst context for executives and security teams
This analytic matters because the macOS clipboard routinely holds sensitive business data such as credentials, tokens, customer information, or operational notes that users copy and paste during normal work. The ATT&CK object focuses on detecting pbpaste or pbcopy use by processes that do not look like normal interactive terminal activity, including processes associated with launch agents. For leaders, the value lies in not assuming clipboard monitoring is already covered by endpoint tooling, and instead verifying whether the organization's macOS telemetry can distinguish routine user behavior from background, collection-like behavior.
Executive priority
Prioritize this as a macOS endpoint visibility and incident-readiness question. Security leaders should ask whether the organization can prove when clipboard utilities are invoked by non-interactive processes, whether launch-agent activity is monitored, and whether SOC playbooks treat suspicious clipboard access as potential sensitive-data exposure. This supports business continuity and compliance evidence by validating visibility over a common user workflow where secrets and regulated data may be temporarily present.
Technical view
SOC and detection teams should validate macOS coverage for process execution involving pbpaste and pbcopy, especially where the parent or execution context lacks a terminal session or is linked to launch agents. Processes started by launchd (including launch agents) have no controlling terminal, so the absence of a tty on a pbpaste or pbcopy execution is the primary signal, and a parent of launchd or a lineage that resolves to a LaunchAgents plist is the strongest supporting evidence. Because the official object provides no detection logic, teams should build or review analytics around process lineage, user session context, launch-agent execution, command-line visibility where available, and timing patterns (such as short, fixed intervals) that suggest scheduled background access rather than deliberate user terminal activity. Triage should focus on the initiating process, launch-agent persistence context, user account, recent clipboard-related behavior, and whether the activity aligns with approved automation.
Likely telemetry
- macOS process execution events for pbpaste and pbcopy
- Process parent/child lineage and initiating process metadata
- User session or terminal association context
- Launch agent configuration and execution telemetry
- Command-line arguments where collected
Detection direction
- Confirm whether endpoint telemetry captures pbpaste and pbcopy execution on macOS with enough process lineage to distinguish terminal-launched activity from background processes.
- Tune detections to emphasize non-terminal execution contexts and launch-agent-linked activity, as described by the ATT&CK analytic.
- Account for benign automation, management scripts, developer workflows, and accessibility or productivity tools that may interact with the clipboard.
- Correlate suspicious clipboard utility execution with persistence-related launch-agent evidence and user context before escalating.
- Document visibility gaps where command line, parent process, or session context is unavailable, because those fields are likely to decide analytic quality.
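The following is an added example, not part of the ATT&CK object or of any vendor's tooling, that puts the technical view and the detection direction above into runnable triage logic. It loads constructed LaunchAgents plists to learn which labels invoke clipboard utilities, then classifies constructed process events by whether a controlling terminal is present, whether a terminal application appears in the ancestry, and whether the launchd-spawned ancestor matches an agent's ProgramArguments. The event schema, the file paths, the labels, the allowlist, and the helper names (`load_launch_agents`, `launchd_child`, `classify`, `run_triage`) are all assumptions made for the example.

```python
"""Triage pbpaste/pbcopy executions on macOS by session and launch-agent context.

Added example. Every plist, event, path and label below is constructed for
illustration; the ProcEvent layout is an assumed schema, not a vendor format.
"""
import plistlib
from dataclasses import dataclass
from typing import List, Optional, Tuple

CLIPBOARD_TOOLS = {"/usr/bin/pbpaste", "/usr/bin/pbcopy"}
TERMINAL_APPS = ("/Terminal.app/", "/iTerm.app/")   # assumed interactive ancestors
LAUNCHD = "/sbin/launchd"

# Constructed ~/Library/LaunchAgents plists (not real artifacts).
SAMPLE_PLISTS = {
    "/Users/alice/Library/LaunchAgents/com.example.clipsync.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.clipsync</string>
  <key>ProgramArguments</key><array><string>/usr/bin/pbpaste</string></array>
  <key>StartInterval</key><integer>30</integer>
  <key>StandardOutPath</key><string>/Users/alice/Library/Caches/.clip.txt</string>
</dict></plist>""",
    "/Users/alice/Library/LaunchAgents/com.example.clipaudit.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.clipaudit</string>
  <key>ProgramArguments</key><array>
    <string>/bin/sh</string><string>-c</string>
    <string>/usr/bin/pbpaste | /usr/local/bin/clipaudit</string>
  </array>
  <key>StartInterval</key><integer>60</integer>
</dict></plist>""",
}


def load_launch_agents(plists):
    """Map launch-agent label -> {path, args}, as a hunt over on-disk plists would."""
    agents = {}
    for path, raw in plists.items():
        p = plistlib.loads(raw)
        args = p.get("ProgramArguments") or ([p["Program"]] if "Program" in p else [])
        agents[p["Label"]] = {"path": path, "args": list(args)}
    return agents


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    exe: str
    args: List[str]
    uid: int
    tty: Optional[str]                      # controlling terminal; None for background
    ancestry: List[Tuple[str, List[str]]]   # (exe, args) from parent up to launchd


def launchd_child(ev):
    """Return (exe, args) of the process that launchd spawned in this lineage."""
    chain = [(ev.exe, list(ev.args))] + [(e, list(a)) for e, a in ev.ancestry]
    for i, (exe, _) in enumerate(chain):
        if exe == LAUNCHD:
            return chain[i - 1] if i > 0 else None
    return None


def match_agent(child, agents):
    """Link a launchd child to an agent whose ProgramArguments match it exactly."""
    if child is None:
        return None
    _, args = child
    return next((label for label, a in agents.items() if a["args"] == args), None)


def verdict(ev, kind, severity, reason):
    return {"pid": ev.pid, "uid": ev.uid, "exe": ev.exe,
            "verdict": kind, "severity": severity, "reason": reason}


def classify(ev, agents, approved_labels=frozenset()):
    if ev.exe not in CLIPBOARD_TOOLS:
        return verdict(ev, "ignore", None, "not a clipboard utility")
    from_terminal = any(t in e for e, _ in ev.ancestry for t in TERMINAL_APPS)
    label = match_agent(launchd_child(ev), agents)
    if ev.tty and from_terminal:
        return verdict(ev, "benign", None, "interactive: tty with terminal app in ancestry")
    if label and label in approved_labels:
        return verdict(ev, "suppressed", None, f"approved launch agent {label}")
    if label:
        return verdict(ev, "alert", "high", f"linked to launch agent {label} ({agents[label]['path']})")
    if ev.tty is None and ev.ppid == 1:
        return verdict(ev, "alert", "high", "spawned by launchd with no terminal; no agent plist matched")
    if ev.tty is None:
        parent = ev.ancestry[0][0] if ev.ancestry else "unknown"
        return verdict(ev, "alert", "medium", f"no terminal session; parent {parent}")
    return verdict(ev, "review", "low", "tty present but no terminal app in ancestry")


# Constructed process events: interactive use, a collector agent, an approved
# agent, and an unexplained background script.
SAMPLE_EVENTS = [
    ProcEvent(4101, 4090, "/usr/bin/pbcopy", ["pbcopy"], 501, "ttys002",
              [("/bin/zsh", ["-zsh"]),
               ("/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal", ["Terminal"]),
               (LAUNCHD, [LAUNCHD])]),
    ProcEvent(5230, 1, "/usr/bin/pbpaste", ["/usr/bin/pbpaste"], 501, None,
              [(LAUNCHD, [LAUNCHD])]),
    ProcEvent(5311, 5300, "/usr/bin/pbpaste", ["pbpaste"], 501, None,
              [("/bin/sh", ["/bin/sh", "-c", "/usr/bin/pbpaste | /usr/local/bin/clipaudit"]),
               (LAUNCHD, [LAUNCHD])]),
    ProcEvent(6120, 6001, "/usr/bin/pbcopy", ["pbcopy"], 501, None,
              [("/usr/bin/python3", ["python3", "/Users/alice/scripts/notes.py"]),
               (LAUNCHD, [LAUNCHD])]),
]


def run_triage(events=SAMPLE_EVENTS, plists=SAMPLE_PLISTS,
               approved=frozenset({"com.example.clipaudit"})):
    agents = load_launch_agents(plists)
    return [classify(ev, agents, approved) for ev in events]


if __name__ == "__main__":
    for v in run_triage():
        print(f"pid={v['pid']} uid={v['uid']} {v['exe']}: {v['verdict']} "
              f"({v['severity']}) - {v['reason']}")
```

The allowlist is keyed on the agent label resolved from the plist rather than on the command line, so an approved tool is suppressed only when its full ProgramArguments match; a look-alike agent with different arguments still alerts. Events with no tty, no launchd parent and no matching plist (the python3 case) land at medium severity with the parent named, which is exactly the lineage gap the last bullet above says to document.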
Mitigation priorities
- Establish baseline macOS endpoint logging for process execution, user session context, and launch-agent activity.
- Restrict or review unauthorized launch agents through standard endpoint hardening and configuration management practices.
- Define SOC triage procedures for suspicious clipboard utility activity, including sensitivity review and user validation.
- Reduce clipboard exposure of secrets through security awareness and approved secret-management workflows where applicable.
- Use findings from detection validation to inform macOS hardening, compliance evidence, and incident response readiness.
Analyst notes and limits
This is a detection analytic, not a full ATT&CK technique object. The supplied fields identify macOS as the platform and describe suspicious pbpaste/pbcopy clipboard access by processes without terminal sessions or linked to launch agents. No tactics, relationships, adversary usage, or official detection logic were supplied, so the take focuses on defensive validation rather than specific threat claims.
The object has no official detection text and no relationship context. Local telemetry availability, endpoint tooling, macOS configuration, and normal user workflows are required to determine feasibility, tuning, and alert severity. This summary does not assert active exploitation, attribution, impact, or guaranteed detection coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources page (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | cc7e9355bc9b… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: AN0966 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.