Screen Capture
Screen Capture [T1113]
Last updated
Screen Capture [T1113]
Last updated
Name: Screen Capture
ID: T1113
Tactics:
Screen Capture (T1113) is a technique defined within the MITRE ATT&CK framework under the tactic "Collection." Adversaries leverage this technique to capture screenshots of victim systems to gather sensitive information, monitor user activity, or facilitate further exploitation. Capturing screen data can provide attackers with visual intelligence on user actions, system configurations, installed software, and confidential data displayed on the screen, significantly aiding in reconnaissance and lateral movement.
Adversaries employ various methods and tools to capture screen data from compromised systems. Technical execution details include:
Native Operating System Tools:
Windows: Attackers may use built-in utilities such as PrintScreen, Snipping Tool, or PowerShell scripts to silently capture screenshots.
Linux: Tools like import, scrot, or gnome-screenshot can be executed through command-line interfaces.
macOS: The built-in screencapture command allows silent screenshot capturing via terminal commands.
Custom Malware and Scripts:
Attackers frequently embed screenshot functionality within custom malware payloads, enabling automated and periodic captures.
Malware can leverage APIs or graphical libraries to silently capture screenshots without user interaction or notification.
Remote Administration Tools (RATs):
RATs such as DarkComet, Poison Ivy, Quasar, and njRAT commonly include built-in screenshot capabilities for remote visual monitoring.
These tools can be configured to periodically capture and transmit screenshots to attacker-controlled servers.
Automated Scheduled Tasks:
Attackers may create scheduled tasks or cron jobs to periodically execute screenshot captures, minimizing manual interaction and increasing stealth.
Captured screenshots are typically stored temporarily on the compromised host or immediately exfiltrated to external attacker-controlled infrastructure. Common exfiltration methods include HTTP(S), FTP, SMTP, or cloud storage services to evade detection and firewall restrictions.
Screen Capture is utilized across various phases of an attack lifecycle, including:
Initial Reconnaissance:
Gathering information about victim systems, applications in use, and sensitive data displayed on-screen.
Credential Harvesting:
Capturing screenshots of login screens, password managers, or sensitive documents containing credentials.
Lateral Movement and Privilege Escalation:
Identifying available resources, installed security tools, and system configurations that can facilitate lateral movement or privilege escalation.
Data Exfiltration and Espionage:
Collecting visual evidence of confidential intellectual property, financial data, or proprietary information.
Monitoring and Surveillance:
Continuously monitoring user activities, communications, and operational procedures for espionage or blackmail purposes.
Post-Exploitation:
Validating successful exploitation, persistence, and operational effectiveness by visually confirming access to targeted resources.
Detection of Screen Capture techniques involves monitoring system behaviors, analyzing logs, and identifying anomalous activities. Common detection methods and tools include:
Endpoint Detection and Response (EDR) Solutions:
Monitoring suspicious execution of screenshot utilities or calls to graphical APIs.
Detecting unusual processes or scripts invoking screen capture commands.
Behavioral Analysis and Anomaly Detection:
Identifying abnormal patterns of scheduled tasks or cron jobs executing screenshot utilities.
Detecting repeated file creation and deletion in temporary directories associated with screenshot images.
File System and Process Monitoring:
Tracking suspicious process creations, especially those invoking screenshot utilities (screencapture, scrot, SnippingTool.exe).
Monitoring file system events for unusual image file creations in user directories or temporary storage locations.
Network Traffic Analysis:
Detecting unusual outbound data transfers, particularly involving image file formats (PNG, JPG, BMP) or known screenshot exfiltration methods (HTTP POST, FTP uploads).
Identifying unusual traffic patterns to cloud storage or external IP addresses associated with screenshot exfiltration.
Specific Indicators of Compromise (IoCs):
Unusual file names and paths indicative of automated screenshot captures.
Presence of screenshot-related tools or scripts in unexpected directories.
Suspicious registry entries or scheduled tasks referencing screenshot utilities.
Early detection of Screen Capture techniques is critical due to its significant impact on confidentiality, integrity, and availability of sensitive information. Possible impacts and importance of detection include:
Sensitive Data Exposure:
Screenshots often contain confidential data such as passwords, financial information, intellectual property, and personal identifiable information (PII).
Early detection prevents or limits data breaches and associated regulatory compliance violations.
Operational Security (OPSEC) Compromise:
Attackers gain detailed visual insights into organizational operations, security controls, and internal procedures, facilitating further exploitation.
Detecting screen capture activities disrupts adversary reconnaissance and reduces operational risk.
Credential Theft and Privilege Escalation:
Screenshots capturing login screens or credentials facilitate unauthorized access and privilege escalation.
Prompt detection mitigates credential theft and limits lateral movement opportunities.
Reputational Damage and Financial Loss:
Confidential data leaks resulting from screen captures can lead to significant reputational harm, loss of customer trust, and financial penalties.
Early detection minimizes potential damage and mitigates long-term consequences.
Indicator of Broader Compromise:
Presence of screen capture activity often indicates deeper compromise and potential ongoing attack campaigns.
Detecting this technique enables incident response teams to quickly identify, investigate, and remediate broader threats.
Real-world examples illustrating the use of Screen Capture techniques include:
APT28 (Fancy Bear/Sofacy):
Utilized malware such as X-Agent, which included automated screenshot capabilities to capture sensitive documents and user activities.
Impact: Facilitated espionage and intelligence gathering against government and military targets.
DarkComet RAT:
Widely used remote administration tool featuring built-in screenshot capturing functionality.
Attack Scenario: Attackers remotely monitored victims, captured screenshots of sensitive data, and exfiltrated images for espionage or blackmail purposes.
FIN7 Cybercrime Group:
Leveraged custom malware frameworks, including Carbanak, capable of periodically capturing screenshots of financial systems and POS terminals.
Impact: Enabled theft of financial data and facilitated unauthorized financial transactions resulting in millions in losses.
Quasar RAT:
Open-source RAT frequently employed by attackers for remote monitoring and capturing screenshots of victim systems.
Attack Scenario: Attackers targeted corporate environments to gather credentials, sensitive documents, and operational information.
Operation Transparent Tribe (APT36):
Utilized Crimson RAT, malware with built-in screenshot functionality, to target government and military entities in South Asia.
Impact: Captured sensitive intelligence data, credentials, and internal communications, aiding espionage operations.
These examples highlight the extensive use of Screen Capture techniques across diverse threat actor groups, industries, and attack scenarios, emphasizing the critical importance of timely detection and mitigation.