sigmamediumHunting

Windows Screen Capture with CopyFromScreen

Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations

MITRE ATT&CK

T1113

collection

Detection Query

selection:
  ScriptBlockText|contains: .CopyFromScreen
condition: selection

Author

frack113

Created

2021-12-28

Data Sources

windowsps_script

Platforms

windows

References

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md#atomic-test-6---windows-screen-capture-copyfromscreen

Tags

attack.collectionattack.t1113

Raw Content

title: Windows Screen Capture with CopyFromScreen
id: d4a11f63-2390-411c-9adf-d791fd152830
status: test
description: |
    Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation.
    Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md#atomic-test-6---windows-screen-capture-copyfromscreen
author: frack113
date: 2021-12-28
modified: 2022-07-07
tags:
    - attack.collection
    - attack.t1113
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains: '.CopyFromScreen'
    condition: selection
falsepositives:
    - Unknown
level: medium