EXPLORE
Sign In
← Back to Explore
T1113

Screen Capture

Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as <code>CopyFromScreen</code>, <code>xwd</code>, or <code>screencapture</code>.(Citation: CopyFromScreen .NET)(Citation: Antiquated Mac Malware)

LinuxWindowsmacOS
17
Detections
3
Sources
18
Threat Actors

BY SOURCE

9sigma5splunk_escu3elastic

PROCEDURES (10)

Exfiltrat3 detections

Auto-extracted: 3 detections for exfiltrat

Registry3 detections

Auto-extracted: 3 detections for registry

Process Creation Monitoring3 detections

Auto-extracted: 3 detections for process creation monitoring

General Monitoring2 detections

Auto-extracted: 2 detections for general monitoring

Credential1 detections

Auto-extracted: 1 detections for credential

Remote1 detections

Auto-extracted: 1 detections for remote

Credential1 detections

Auto-extracted: 1 detections for credential

Registry1 detections

Auto-extracted: 1 detections for registry

Script Block1 detections

Auto-extracted: 1 detections for script block

Remote1 detections

Auto-extracted: 1 detections for remote

THREAT ACTORS (18)

APT28APT39APT42BRONZE BUTLERDark CaracalDragonflyFIN7Gamaredon GroupGOLD SOUTHFIELDGroup5KimsukyMagic HoundMoustachedBouncerMuddyWaterOilRigSilenceVolt TyphoonWinter Vivern

DETECTIONS (17)

Linux Video Recording or Screenshot Activity Detected
elasticlow
Periodic Backup For System Registry Hives Enabled
sigmamedium
Potential Remote Desktop Shadowing Activity
elastichigh
PowerShell Suspicious Script with Screenshot Capabilities
elastichigh
Remcos RAT File Creation in Remcos Folder
splunk_escu
Screen Capture - macOS
sigmalow
Screen Capture Activity Via Psr.EXE
sigmamedium
Screen Capture with Import Tool
sigmalow
Screen Capture with Xwd
sigmalow
Suspicious Image Creation In Appdata Folder
splunk_escu
Suspicious WAV file in Appdata Folder
splunk_escu
Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted
sigmamedium
Windows Recall Feature Enabled - Registry
sigmamedium
Windows Recall Feature Enabled Via Reg.EXE
sigmamedium
Windows Screen Capture in TEMP folder
splunk_escu
Windows Screen Capture Via Powershell
splunk_escu
Windows Screen Capture with CopyFromScreen
sigmamedium