Find sigma rule
Attack: Screen Capture
Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as CopyFromScreen
, xwd
, or screencapture
.(Citation: CopyFromScreen .NET)(Citation: Antiquated Mac Malware)
MITRE
Tactic
- collection
technique
- T1113
Test : Windows Screen Capture (CopyFromScreen)
OS
- windows
Description:
Take a screen capture of the desktop through a call to the Graphics.CopyFromScreen .NET API.
Executor
powershell
Sigma Rule
- posh_ps_capture_screenshots.yml (id: d4a11f63-2390-411c-9adf-d791fd152830)