EXPLORE
Sign In
← Back to Explore
T1113

Screen Capture

Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as <code>CopyFromScreen</code>, <code>xwd</code>, or <code>screencapture</code>.(Citation: CopyFromScreen .NET)(Citation: Antiquated Mac Malware)

LinuxmacOSWindows
18
Detections
3
Sources
19
Threat Actors

BY SOURCE

10sigma5splunk_escu3elastic

PROCEDURES (11)

Registry3 detections

Auto-extracted: 3 detections for registry

General Monitoring2 detections

Auto-extracted: 2 detections for general monitoring

Process Creation Monitoring2 detections

Auto-extracted: 2 detections for process creation monitoring

Module Load Monitoring1 detections

Auto-extracted: 1 detections for module load monitoring

Remote1 detections

Auto-extracted: 1 detections for remote

Script Block1 detections

Auto-extracted: 1 detections for script block

Remote1 detections

Auto-extracted: 1 detections for remote

Credential1 detections

Auto-extracted: 1 detections for credential

Registry1 detections

Auto-extracted: 1 detections for registry

Remote1 detections

Auto-extracted: 1 detections for remote

Credential1 detections

Auto-extracted: 1 detections for credential

THREAT ACTORS (19)

APT28APT39APT42BRONZE BUTLERDark CaracalDragonflyFIN7Gamaredon GroupGOLD SOUTHFIELDGroup5KimsukyMagic HoundMoustachedBouncerMuddyWaterOilRigSilenceVOID MANTICOREVolt TyphoonWinter Vivern

DETECTIONS (18)

Linux Video Recording or Screenshot Activity Detected
elasticlow
Periodic Backup For System Registry Hives Enabled
sigmamedium
Potential Remote Desktop Shadowing Activity
elastichigh
PowerShell Suspicious Script with Screenshot Capabilities
elastichigh
Remcos RAT File Creation in Remcos Folder
splunk_escu
Screen Capture - macOS
sigmalow
Screen Capture Activity Via Psr.EXE
sigmamedium
Screen Capture with Import Tool
sigmalow
Screen Capture with Xwd
sigmalow
Suspicious Image Creation In Appdata Folder
splunk_escu
Suspicious WAV file in Appdata Folder
splunk_escu
System Drawing DLL Load
sigmalow
Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted
sigmamedium
Windows Recall Feature Enabled - Registry
sigmamedium
Windows Recall Feature Enabled Via Reg.EXE
sigmamedium
Windows Screen Capture in TEMP folder
splunk_escu
Windows Screen Capture Via Powershell
splunk_escu
Windows Screen Capture with CopyFromScreen
sigmamedium