MITRE ATT&CK® Detection Strategy

DET0341: Clipboard Data Access with Anomalous Context

Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

DET0341 is a detection strategy for identifying suspicious access to clipboard contents in anomalous contexts. Its business significance is that clipboards often contain transient but sensitive data such as credentials, tokens, commands, customer data, or operational notes. Because the ATT&CK object has no official detection text or platform field of its own, its practical value comes from its relationship to T1115 Clipboard Data, a collection technique on Linux, macOS, and Windows.

Executive priority

Treat clipboard-data monitoring as a targeted control validation area where credential exposure, privacy obligations, and incident scoping matter. Leaders should ask whether endpoints that handle privileged administration, sensitive business workflows, or regulated data provide enough evidence to determine when clipboard contents are accessed unexpectedly. This is most relevant to SOC readiness, incident response evidence quality, identity risk reduction, and audit narratives around protection of sensitive data in user workstations.

Technical view

Validate this strategy against the related ATT&CK technique T1115 Clipboard Data under the collection tactic. Detection engineering should focus on anomalous context rather than any clipboard access alone: unusual processes, unexpected parent-child process relationships, scripting or command-line utilities accessing clipboard data, access by remote-session tooling, access shortly after sensitive copy events, or clipboard access from processes that do not normally need it. Because the object provides no official detection logic, teams must derive baselines from local endpoint behavior and confirm coverage separately for Windows, macOS, and Linux where those platforms are in scope via the related technique.

Likely telemetry

  • Endpoint process creation and command-line telemetry
  • Parent-child process lineage
  • Endpoint security or EDR events that record clipboard access or related API/utility usage
  • User session context, including interactive versus remote sessions
  • Application identity and code-signing or binary reputation metadata

Detection direction

  • Build detections around abnormal clipboard access context, not generic clipboard use, to reduce false positives from legitimate productivity applications.
  • Prioritize high-risk users and systems, such as administrator workstations, developer systems, help desk endpoints, and systems used for regulated data workflows.
  • Tune baselines per operating system and business role because normal clipboard behavior varies heavily by application and user workflow.
  • Correlate clipboard access with suspicious process execution, scripting, remote access, credential prompts, or other collection behavior when available.
  • Document visibility gaps explicitly, especially where endpoint tooling does not expose clipboard-access events or where only process execution telemetry is available.
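As an added example, not part of the Glexia page or of MITRE's DET0341 object, the following Python sketch applies the anomalous-context criteria from the technical view and the detection direction above to constructed endpoint telemetry. The baselines, process names, roles and the 30-second sensitive-copy window are assumptions that a team would replace with values derived from its own endpoints.

```python
from dataclasses import dataclass
# Constructed per-platform baselines (assumption): processes that normally read the clipboard.
BASELINE = {"windows": {"winword.exe", "chrome.exe", "explorer.exe", "rdpclip.exe"},
            "macos": {"Safari", "Finder"}, "linux": {"firefox", "gnome-terminal"}}
SCRIPT_TOOLS = {"powershell.exe", "cmd.exe", "python3", "bash", "sh", "osascript"}
HIGH_RISK_ROLES = {"admin", "developer", "helpdesk"}
COPY_WINDOW = 30  # seconds; reads this soon after a password-manager copy are suspicious

@dataclass
class Event:
    ts: int                       # epoch seconds
    host: str
    platform: str                 # "windows", "macos" or "linux"
    kind: str                     # "clipboard_read" or "sensitive_copy"
    process: str
    parent: str = ""
    session: str = "interactive"  # or "remote"
    role: str = "standard"        # business role of the logged-on user

def reasons_for(ev: Event, last_copy=None) -> list[str]:
    known = BASELINE.get(ev.platform, set())
    r = []
    if ev.process not in known:
        r.append("process outside clipboard baseline")
    if ev.process in SCRIPT_TOOLS:
        r.append("scripting/command-line utility")
        if ev.parent in known:  # productivity app spawning a shell that reads the clipboard
            r.append("unexpected parent-child relationship")
    if ev.session == "remote":
        r.append("remote session")
    if last_copy is not None and 0 <= ev.ts - last_copy <= COPY_WINDOW:
        r.append("shortly after sensitive copy event")
    return r

def detect(events: list[Event], min_reasons: int = 2) -> list[dict]:
    alerts, last_copy = [], {}  # last sensitive-copy timestamp per host
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "sensitive_copy":
            last_copy[ev.host] = ev.ts
            continue
        r = reasons_for(ev, last_copy.get(ev.host))
        if len(r) >= min_reasons:  # several indicators must coincide; ordinary use stays quiet
            alerts.append({"host": ev.host, "process": ev.process, "reasons": r,
                           "priority": "high" if ev.role in HIGH_RISK_ROLES else "medium"})
    return alerts

# Constructed sample telemetry: a benign Word read, then a shell read in a remote admin session.
SAMPLE = [Event(100, "ws-01", "windows", "clipboard_read", "winword.exe", "explorer.exe"),
          Event(200, "ws-02", "windows", "sensitive_copy", "pwmanager.exe", role="admin"),
          Event(210, "ws-02", "windows", "clipboard_read", "powershell.exe", "winword.exe", "remote", "admin")]
```

Running `detect(SAMPLE)` yields one high-priority alert for ws-02 carrying all five indicators, while the Word read on ws-01 produces nothing.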

Mitigation priorities

  • Confirm whether endpoint monitoring can observe clipboard-related behavior on the Linux, macOS, and Windows systems in scope for T1115.
  • Reduce unnecessary exposure of sensitive data in clipboards through user guidance, privileged workflow design, and password/token handling practices.
  • Prioritize hardened administration workstations and identity-sensitive workflows before attempting broad alerting across all endpoints.
  • Use application control, least privilege, and endpoint hardening to limit untrusted or unnecessary tools that may access user data.
  • Ensure incident response playbooks include questions about copied credentials, tokens, commands, or sensitive records when clipboard collection is suspected.

Analyst notes and limits

The supplied ATT&CK detection strategy object is sparse: it has a name and external reference but no official description, detection text, tactics, platforms, labels, or aliases. The strongest supported context is its relationship to T1115 Clipboard Data, which is a collection technique affecting Linux, macOS, and Windows. Any production detection should be validated against local endpoint telemetry and normal business workflows.

This take does not assert active exploitation, actor usage, guaranteed detection coverage, or vendor-specific capability. Platform and tactic context are taken from the related T1115 technique, not from DET0341 itself. Local telemetry availability will determine whether this strategy is actionable.

Official MITRE ATT&CK definition

Clipboard Data Access with Anomalous Context

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain      ID     Name            Relationship / procedure
Enterprise  T1115  Clipboard Data  This object detects Clipboard Data.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Raw hash: 174481381475a3c6...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.0                       Current bundle  174481381475…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack DET0341 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.