Find sigma rule

Attack: Screen Capture

Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as CopyFromScreen, xwd, or screencapture.(Citation: CopyFromScreen .NET)(Citation: Antiquated Mac Malware)

MITRE

Tactic

collection

technique

T1113

Test : Windows Screencapture

OS

windows

Description:

Use Psr.exe binary to collect screenshots of user display. Test will do left mouse click to simulate user behaviour

Executor

powershell

Sigma Rule

posh_ps_win_api_susp_access.yml (id: 03d83090-8cba-44a0-b02f-0b756a050306)
proc_creation_win_psr_capture_screenshots.yml (id: 2158f96f-43c2-43cb-952a-ab4580f32382)

back

sigma_redcanaryco

Knowing which rule should trigger according to the redcannary test