Home/ATT&CK Technique/Screen Capture
ATT&CK Technique

Screen Capture

T1113 · collection

Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as CopyFromScreen, xwd, or screencapture.

LinuxmacOSWindows

Actors Using This

14
latin_america_brazilian_organized_cybercrimeAmavaldo
north_koreaAndariel
franceAnimal Farm
chinaAoqin Dragon
chinaAPT10
chinaAPT17
chinaAPT1
russiaAPT28
chinaAPT31
iranAPT33
iranOilRig
iranAPT35
north_koreaAPT37
north_koreaAPT38

Likely Attack Path

Techniques the same actors pair with this one distinctively - those showing up among actors who use this technique noticeably more than across all actors (lift > 1.15), grouped by kill-chain phase. The × is that lift multiplier; the shared-actor count is in the tooltip. A near-universal technique pairs with everything at baseline, so its list is short by design.
resource-development earlier
T1584.008 · Network Devices ×2.27
persistence earlier
T1543.004 · Launch Daemon ×2.27T1137 · Office Application Startup ×2.27
privilege-escalation earlier
T1546.001 · Change Default File Association ×2.27T1546.011 · Application Shimming ×2.27T1546.015 · Component Object Model Hijacking ×2.27
credential-access earlier
T1555.004 · Windows Credential Manager ×2.27
discovery earlier
T1426 · System Information Discovery ×2.27
collection same
T1123 · Audio Capture ×2.27T1125 · Video Capture ×2.27T1056.002 · GUI Input Capture ×2.27T1417 · Input Capture ×2.27
command-and-control later
T1437 · Application Layer Protocol ×2.27T1437.001 · Web Protocols ×2.27
other same
T1006 · Direct Volume Access ×2.27

Atomic Tests

10
Executable Atomic Red Team test cases for exercising this technique in a lab. Copy a command, run it on the listed platform, confirm your detections fire.
bashmacosScreencapture
Use screencapture command to collect a full desktop screenshot 
screencapture #{output_file}
bashmacosScreencapture (silent)
Use screencapture command to collect a full desktop screenshot 
screencapture -x #{output_file}
bashlinuxX Windows Capture
Use xwd command to collect a full desktop screenshot and review file with xwud 
xwd -root -out #{output_file}
xwud -in #{output_file}
shlinuxX Windows Capture (freebsd)
Use xwd command to collect a full desktop screenshot and review file with xwud 
xwd -root -out #{output_file}
xwud -in #{output_file}
bashlinuxCapture Linux Desktop using Import Tool
Use import command from ImageMagick to collect a full desktop screenshot 
import -window root #{output_file}
shlinuxCapture Linux Desktop using Import Tool (freebsd)
Use import command from ImageMagick to collect a full desktop screenshot 
import -window root #{output_file}
powershellwindowsWindows Screencapture
Use Psr.exe binary to collect screenshots of user display. Test will do left mouse click to simulate user behaviour 
cmd /c start /b psr.exe /start /output #{output_file} /sc 1 /gui 0 /stopevent 12
Add-Type -MemberDefinition '[DllImport("user32.dll")] public static extern void mouse_event(int flags, int dx, int dy, int cButtons, int info);' -Name U32 -Namespace W;
[W.U32]::mouse_event(0x02 -bor 0x04 -bor 0x01, 0, 0, 0, 0);
cmd /c "timeout #{recording_time} > NULL && psr.exe /stop"
powershellwindowsWindows Screen Capture (CopyFromScreen)
Take a screen capture of the desktop through a call to the [Graphics.CopyFromScreen] .NET API. [Graphics.CopyFromScreen]: https://docs.microsoft.com/en-us/dotnet/api/system.drawing.graphics.copyfromscreen 
Add-Type -AssemblyName System.Windows.Forms
$screen = [Windows.Forms.SystemInformation]::VirtualScreen
$bitmap = New-Object Drawing.Bitmap $screen.Width, $screen.Height
$graphic = [Drawing.Graphics]::FromImage($bitmap)
$graphic.CopyFromScreen($screen.Left, $screen.Top, 0, 0, $bitmap.Size)
$bitmap.Save("#{output_file}")
powershellelevatedwindowsWindows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted
Detects the enabling of the Windows Recall feature via registry manipulation. Windows Recall can be enabled by deleting the existing "DisableAIDataAnalysis" registry value. Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities. This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary. - https://learn.microsoft.com/en-us/windows/client-management/manage-recall - https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsai#disableaidataanalysis
reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsAI" /v DisableAIDataAnalysis /t REG_DWORD /d 0 /f
reg delete "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsAI" /v DisableAIDataAnalysis /f
powershellwindowsRDP Bitmap Cache Extraction via bmc-tools
Simulates an attacker extracting the RDP bitmap cache using the ANSSI "bmc-tools.py" script. This test requires valid RDP bitmap cache files to exist on the system (usually created after an outgoing RDP connection is made). 
$url = 'https://raw.githubusercontent.com/ANSSI-FR/bmc-tools/master/bmc-tools.py'
$toolsDir = "$env:TEMP\bmc-tools.py"
 
# create output directory
New-Item -ItemType Directory -Path #{output_dir} -Force | Out-Null

# python script download
& curl.exe -L $url --output $toolsDir
 
# execution step
if (Test-Path $toolsDir) { python $toolsDir -s "#{cache_path}" -d #{output_dir} -b }

Detection Coverage

1/6 layers
Coverage across standard detection surfaces. Rows marked none have no rule of that type mapped. Some are real blind spots worth closing; others are simply not applicable to this technique (e.g. YARA matches malware files, not network behaviour).
Behavioral / log (Sigma) 9
Analytics (MITRE CAR) none
Runtime / container (Falco) none
File / malware (YARA) none
Network (Suricata/Snort) none
Vuln scan (Nuclei) none

Caldera Emulation

1
MITRE Caldera abilities that emulate this technique - each is an executable action for automated adversary emulation.
collectiondarwin, windowsScreen Capture
for i in {1..5}; do screencapture -t png screen-$i.png; echo "$(cd "$(dirname "$1")"; pwd -P)/$(basename "screen-$i.png")"; sleep 5; done;

Comply & Defend

D3FEND2 defensive techniques
Intelligence Graph · click any node to traverse
CVETechnique ActorTool Family
drag to reposition · click any node to traverse · button top-right enlarges
External lookups - second-class, for what we don’t hold ourselves
MITRE ATT&CKAtomic Red Teamcar (MITRE)
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin