Find sigma rule
Attack: Screen Capture
Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as CopyFromScreen
, xwd
, or screencapture
.(Citation: CopyFromScreen .NET)(Citation: Antiquated Mac Malware)
MITRE
Tactic
- collection
technique
- T1113
Test : Windows Screencapture
OS
- windows
Description:
Use Psr.exe binary to collect screenshots of user display. Test will do left mouse click to simulate user behaviour
Executor
powershell
Sigma Rule
-
posh_ps_win_api_susp_access.yml (id: 03d83090-8cba-44a0-b02f-0b756a050306)
-
proc_creation_win_psr_capture_screenshots.yml (id: 2158f96f-43c2-43cb-952a-ab4580f32382)