T1113: Screen Capture
Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as CopyFromScreen, xwd, or screencapture.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
mitre_attck_collection: PT-CR-498: Shadow_Screen_save: Detection of attempts to take a hidden screenshot of the screen
mitre_attck_collection: PT-CR-499: Shadow_Screen_saves_PowerShell: Detection of attempts to take multiple hidden screenshots of the screen via PowerShell
mitre_attck_collection: PT-CR-783: RDP_Shadow_Session: Use of a shadow RDP connection is detected
Detection
| ID | Data source and component | Description |
|---|---|---|
| DS0017 | Command: Command Execution | Monitor executed commands and arguments that may attempt to take screen captures of the desktop to gather information over the course of an operation. |
| DS0009 | Process: OS API Execution | Monitoring for screen capture behavior will depend on the method used to obtain data from the operating system and write output files. Detection methods could include collecting information from unusual processes using API calls used to obtain image data, and monitoring for image files written to disk, such as |
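The two detection rows above, worked as an added example (not part of this page or of the MaxPatrol SIEM rules listed): a small detector that reads constructed process-creation and file-write events, matches the command line against the utilities and API named in the technique text (CopyFromScreen, xwd, screencapture) as whole tokens, and flags image files written by a process outside an assumed allowlist. The event field names, the allowlist and the sample telemetry are assumptions.

```python
import json
import re

# Indicators named in the technique text: CopyFromScreen (.NET), xwd (X11), screencapture (macOS).
# The utilities are matched as whole tokens so that a name such as "xwdesktop" does not trigger.
SCREEN_CAPTURE_PATTERNS = [
    re.compile(r"CopyFromScreen", re.I),
    re.compile(r"(^|[\s/])xwd(\s|$)", re.I),
    re.compile(r"(^|[\s/])screencapture(\s|$)", re.I),
]
IMAGE_EXT = re.compile(r"\.(png|jpe?g|bmp)$", re.I)
# Assumed allowlist of processes expected to write image files; tune per environment.
EXPECTED_IMAGE_WRITERS = {"mspaint.exe", "snippingtool.exe"}


def classify_event(event):
    """Return the alert reasons for one event (DS0017 command line, DS0009 image file write)."""
    reasons = []
    cmd = event.get("command_line", "")
    for pat in SCREEN_CAPTURE_PATTERNS:
        if pat.search(cmd):
            reasons.append("screen-capture command matched: " + pat.pattern)
            break
    if IMAGE_EXT.search(event.get("target_file", "")):
        # Last path component of the writing process, for Windows or POSIX separators.
        writer = event.get("image", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
        if writer not in EXPECTED_IMAGE_WRITERS:
            reasons.append("image file written by unexpected process: " + writer)
    return reasons


def scan_log(ndjson):
    """Parse newline-delimited JSON events; return [(event id, reasons)] for events that alert."""
    hits = []
    for line in ndjson.splitlines():
        if line.strip():
            event = json.loads(line)
            reasons = classify_event(event)
            if reasons:
                hits.append((event["id"], reasons))
    return hits


# Constructed sample telemetry (not real logs): ids 1-3 and 6 should alert, 4 and 5 should not.
SAMPLE_LOG = r"""
{"id": 1, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "command_line": "powershell.exe -w hidden -c \"... $g.CopyFromScreen(...) ...\""}
{"id": 2, "image": "/usr/bin/xwd", "command_line": "xwd -root -out /tmp/screen.xwd"}
{"id": 3, "image": "/usr/sbin/screencapture", "command_line": "screencapture -x /tmp/screen.png"}
{"id": 4, "image": "C:\\Program Files\\Sync\\xwdesktop.exe", "command_line": "xwdesktop.exe --sync"}
{"id": 5, "image": "C:\\Windows\\System32\\mspaint.exe", "target_file": "C:\\Users\\u\\Pictures\\drawing.png"}
{"id": 6, "image": "C:\\Users\\u\\AppData\\Local\\Temp\\updater.exe", "target_file": "C:\\Users\\u\\AppData\\Local\\Temp\\cap_001.jpg"}
"""
```

Running `scan_log(SAMPLE_LOG)` returns hits for events 1, 2, 3 and 6 only; the token matching is what keeps event 4 quiet, and the allowlist is what keeps event 5 quiet.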