Skip to content

T1113.md

Latest commit

 

History

History
149 lines (78 loc) · 2.73 KB

T1113.md

File metadata and controls

149 lines (78 loc) · 2.73 KB

T1113 - Screen Capture

Description from ATT&CK

Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as CopyFromScreen, xwd, or screencapture.(Citation: CopyFromScreen .NET)(Citation: Antiquated Mac Malware)

Atomic Tests


Atomic Test #1 - Screencapture

Use screencapture command to collect a full desktop screenshot

Supported Platforms: macOS

Inputs:

Name Description Type Default Value
output_file Output file path Path /tmp/T1113_desktop.png

Attack Commands: Run with bash!

screencapture #{output_file}

Cleanup Commands:

rm #{output_file}


Atomic Test #2 - Screencapture (silent)

Use screencapture command to collect a full desktop screenshot

Supported Platforms: macOS

Inputs:

Name Description Type Default Value
output_file Output file path Path /tmp/T1113_desktop.png

Attack Commands: Run with bash!

screencapture -x #{output_file}

Cleanup Commands:

rm #{output_file}


Atomic Test #3 - X Windows Capture

Use xwd command to collect a full desktop screenshot and review file with xwud

Supported Platforms: Linux

Inputs:

Name Description Type Default Value
output_file Output file path Path /tmp/T1113_desktop.xwd

Attack Commands: Run with bash!

xwd -root -out #{output_file}
xwud -in #{output_file}

Cleanup Commands:

rm #{output_file}


Atomic Test #4 - Import

Use import command to collect a full desktop screenshot

Supported Platforms: Linux

Inputs:

Name Description Type Default Value
output_file Output file path Path /tmp/T1113_desktop.png

Attack Commands: Run with bash!

import -window root #{output_file}

Cleanup Commands:

rm #{output_file}