Windows Screen Capture Via Powershell

name: Windows Screen Capture Via Powershell
id: 5e0b1936-8f99-4399-8ee2-9edc5b32e170
version: 14
creation_date: '2023-04-05'
modification_date: '2026-05-13'
author: Teoderick Contreras, Splunk
status: production
type: TTP
description: The following analytic detects the execution of a PowerShell script designed to capture screen images on a host. It leverages PowerShell Script Block Logging to identify specific script block text patterns associated with screen capture activities. This behavior is significant as it may indicate an attempt to exfiltrate sensitive information by capturing desktop screenshots. If confirmed malicious, this activity could allow an attacker to gather visual data from the compromised system, potentially leading to data breaches or further exploitation.
data_source:
    - Powershell Script Block Logging 4104
search: |-
    `powershell`
    EventCode=4104
    ScriptBlockText IN (
        "*[Drawing.Graphics]::FromImage*",
        "*Drawing.Bitmap*",
        "*Graphics.FromImage*"
    )
    ScriptBlockText = "*.CopyFromScreen*"
    | fillnull
    | stats count min(_time) as firstTime max(_time) as lastTime
      BY dest signature signature_id
         user_id vendor_product EventID
         Guid Opcode Name
         Path ProcessID ScriptBlockId
         ScriptBlockText
    | `security_content_ctime(firstTime)`
    | `security_content_ctime(lastTime)`
    | `windows_screen_capture_via_powershell_filter`
how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.1/add-other-data-to-splunk-uba/configure-powershell-logging-to-see-powershell-anomalies-in-splunk-uba.
known_false_positives: No false positives have been identified at this time.
references:
    - https://twitter.com/_CERT_UA/status/1620781684257091584
    - https://cert.gov.ua/article/3761104
drilldown_searches:
    - name: View the detection results for - "$Computer$"
      search: '%original_detection_search% | search  Computer = "$Computer$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$Computer$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: 7d
      latest_offset: "0"
finding:
    title: A PowerShell script was identified possibly performing screen captures on $dest$.
    entity:
        field: dest
        type: system
        score: 50
analytic_story:
    - APT37 Rustonotto and FadeStealer
    - Winter Vivern
    - Water Gamayun
    - BlankGrabber Stealer
asset_type: Endpoint
mitre_attack_id:
    - T1113
product:
    - Splunk Enterprise
    - Splunk Enterprise Security
    - Splunk Cloud
category: endpoint
security_domain: endpoint
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winter-vivern/pwh_exfiltration/windows-powershell-xml.log
          source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
          sourcetype: XmlWinEventLog
      test_type: unit