Find sigma rule

Attack: Screen Capture

Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as CopyFromScreen, xwd, or screencapture.(Citation: CopyFromScreen .NET)(Citation: Antiquated Mac Malware)

MITRE

Tactic

collection

technique

T1113

Test : Windows Screen Capture (CopyFromScreen)

OS

windows

Description:

Take a screen capture of the desktop through a call to the Graphics.CopyFromScreen .NET API.

Executor

powershell

Sigma Rule

posh_ps_capture_screenshots.yml (id: d4a11f63-2390-411c-9adf-d791fd152830)

back

sigma_redcanaryco

Knowing which rule should trigger according to the redcannary test