Linux Video Recording or Screenshot Activity Detected

This rule monitors for the usage of the most common video recording or screenshot utilities on unix systems by an uncommon process parent. Adversaries may collect video or screenshot data from users or systems for a variety of reasons including espionage, credential theft, or reconnaissance.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2026/01/07"
integration = ["endpoint", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2026/01/12"

[rule]
author = ["Elastic"]
description = """
This rule monitors for the usage of the most common video recording or screenshot utilities on unix systems
by an uncommon process parent. Adversaries may collect video or screenshot data from users or systems for a
variety of reasons including espionage, credential theft, or reconnaissance.
"""
from = "now-9m"
index = [
          "logs-endpoint.events.process*",
          "logs-sentinel_one_cloud_funnel.*",
          "endgame-*",
        ]
language = "kuery"
license = "Elastic License v2"
name = "Linux Video Recording or Screenshot Activity Detected"
note = """ ## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Linux Video Recording or Screenshot Activity Detected

This alert flags the launch of common Linux screenshot or screen-recording tools—such as scrot, gnome-screenshot, flameshot, grim, or obs—when triggered by an atypical parent process, indicating potential visual data collection. A typical attacker pattern is a compromised user session or remote shell spawning scrot or grim during credential entry to capture MFA codes and application windows, or starting simplescreenrecorder/obs to persistently record the desktop for later exfiltration.

### Possible investigation steps

- Review the process lineage and session context to determine if the capture was launched interactively from a desktop or via ssh/cron/systemd or a script in transient directories.
- Inspect command-line options and environment variables (DISPLAY, WAYLAND_DISPLAY, XAUTHORITY) to identify window/region capture, explicit save targets, or headless clipboard-only usage.
- Search for newly created media files around the alert time (screenshots under ~/Pictures or /tmp, and recordings like .mkv/.webm) and evaluate their sensitivity and relevance.
- Verify binary provenance and integrity by checking installation logs, file path and ownership, hashes, and unexpected copies or modified ELF binaries in user-writable locations.
- Correlate with user and network telemetry for concurrent credential entry, browser MFA prompts, or outbound transfers/clipboard synchronization indicative of exfiltration.

### False positive analysis

- A user presses Print Screen or uses a desktop hotkey, and the environment launches gnome-screenshot, flameshot, or grim via a keybinding/compositor component, producing an uncommon parent despite benign activity.
- Legitimate demo or documentation recording with obs or simplescreenrecorder started by a wrapper script, cron, or a systemd unit can surface as a non-interactive start from an unusual parent without malicious intent.

### Response and remediation

- Immediately terminate the capture process (e.g., scrot, grim, flameshot, gnome-screenshot, simplescreenrecorder, obs) and isolate the host or terminate the GUI session, suspending the user and revoking SSH keys if the parent was sshd, cron, or a systemd unit.
- Eradicate launch points by deleting rogue systemd services/timers, crontab entries, ~/.config/autostart/*.desktop files, and scripts in /tmp or ~/bin that invoke these tools, and replace any trojanized binaries found outside package-managed paths.
- Recover by rotating passwords and invalidating MFA sessions/tokens used during the recorded period, then remove captured media (.png/.jpg/.webm/.mkv) from ~/Pictures, /tmp, and similar staging paths after evidence collection.
- Escalate to incident response and privacy/legal if screenshots/recordings contain credentials, customer data, or secrets, if execution originated from privileged users or servers, or if exfiltration is observed via scp/rsync/curl to external hosts.
- Harden endpoints by uninstalling unneeded screenshot/recording packages, enforcing allowlists and AppArmor/SELinux profiles that block scrot/grim/obs except for approved users, and requiring xdg-desktop-portal/PipeWire screencast prompts for console users only.
- Improve detection by alerting on these binaries executed by sshd/cron/systemd, repeated saves under ~/Pictures or /tmp, copies in user-writable paths (~/bin, /tmp), and outbound transfers of resulting media files.
"""
risk_score = 21
rule_id = "93dd73f9-3e59-45be-b023-c681273baf81"
severity = "low"
tags = [
    "Domain: Endpoint",
    "OS: Linux",
    "Use Case: Threat Detection",
    "Tactic: Collection",
    "Data Source: Elastic Defend",
    "Data Source: Elastic Endgame",
    "Data Source: SentinelOne",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "new_terms"
query = '''
event.category:process and host.os.type:"linux" and event.type:"start" and event.action:("exec" or "exec_event" or "start") and
process.name:(
  "gnome-screenshot" or "spectacle" or "xfce4-screenshooter" or "mate-screenshot" or "scrot" or "maim" or "import" or "grim" or
  "grimshot" or "slurp" or "flameshot" or "shutter" or "ksnip" or "deepin-screenshot" or "simplescreenrecorder" or "kazam" or
  "vokoscreen" or "recordmydesktop" or "obs" or "obs-studio"
) and
not process.args:("-h" or "--help" or "--version")
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1113"
name = "Screen Capture"
reference = "https://attack.mitre.org/techniques/T1113/"

[[rule.threat.technique]]
id = "T1125"
name = "Video Capture"
reference = "https://attack.mitre.org/techniques/T1125/"

[rule.threat.tactic]
id = "TA0009"
name = "Collection"
reference = "https://attack.mitre.org/tactics/TA0009/"

[rule.new_terms]
field = "new_terms_fields"
value = ["agent.id", "process.parent.executable"]

[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-5d"
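The rule above is a two-stage detection: the KQL query selects process-start events for the listed capture tools (minus help/version invocations), and the new_terms stage only alerts when the (agent.id, process.parent.executable) pair has not been seen in the previous five days. The following Python is an added example, not Elastic's own code, that replays that logic over a handful of constructed ECS-style events so the suppression and window-expiry behaviour can be seen; the agent ids, timestamps, paths and the simplified new_terms bookkeeping are assumptions made for illustration.

```python
"""Replay this rule's detection logic on constructed process-start events.

Added example, not Elastic's own code. It mirrors the KQL filter (capture-tool
name list, exclusion of -h/--help/--version) and the new_terms stage over the
(agent.id, process.parent.executable) pair with a 5-day history window. All
event records, agent ids, timestamps and paths are constructed, and the
new_terms bookkeeping is a simplification of Elastic's implementation.
"""
from datetime import datetime, timedelta

CAPTURE_TOOLS = {
    "gnome-screenshot", "spectacle", "xfce4-screenshooter", "mate-screenshot",
    "scrot", "maim", "import", "grim", "grimshot", "slurp", "flameshot", "shutter",
    "ksnip", "deepin-screenshot", "simplescreenrecorder", "kazam", "vokoscreen",
    "recordmydesktop", "obs", "obs-studio",
}
EXCLUDED_ARGS = {"-h", "--help", "--version"}
START_ACTIONS = {"exec", "exec_event", "start"}
HISTORY_WINDOW = timedelta(days=5)  # rule.new_terms.history_window_start = now-5d


def matches_query(event):
    """Apply the rule's KQL filter to one flat ECS-style event dict."""
    return (
        event.get("event.category") == "process"
        and event.get("host.os.type") == "linux"
        and event.get("event.type") == "start"
        and event.get("event.action") in START_ACTIONS
        and event.get("process.name") in CAPTURE_TOOLS
        and not EXCLUDED_ARGS.intersection(event.get("process.args", []))
    )


def new_terms_alerts(events):
    """Return the ids of events that would raise an alert.

    A query match alerts when its (agent.id, process.parent.executable) pair
    has not been seen within HISTORY_WINDOW before it. Later matches of the
    same pair inside the window are suppressed; once the window has elapsed
    the pair counts as new again (simplified model of new_terms).
    """
    last_seen = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):  # stable sort
        if not matches_query(ev):
            continue
        key = (ev["agent.id"], ev["process.parent.executable"])
        ts = ev["@timestamp"]
        previous = last_seen.get(key)
        if previous is None or ts - previous > HISTORY_WINDOW:
            alerts.append(ev["id"])
        last_seen[key] = ts
    return alerts


def make_event(eid, ts, agent, name, parent, args):
    """Build a constructed process-start event in the shape the query expects."""
    return {
        "id": eid, "@timestamp": ts, "agent.id": agent,
        "event.category": "process", "host.os.type": "linux",
        "event.type": "start", "event.action": "exec",
        "process.name": name, "process.parent.executable": parent,
        "process.args": args,
    }


NOW = datetime(2026, 1, 12, 9, 0)  # constructed reference time
SAMPLE_EVENTS = [  # constructed sample data
    # scrot from a shell: first sighting alerts, a repeat 4 days later is suppressed,
    # and a further run 6 days after that alerts again because the window expired
    make_event("e1", NOW - timedelta(days=10), "agent-a", "scrot", "/usr/bin/bash", ["scrot", "/tmp/s.png"]),
    make_event("e2", NOW - timedelta(days=6), "agent-a", "scrot", "/usr/bin/bash", ["scrot", "/tmp/s.png"]),
    make_event("e3", NOW, "agent-a", "scrot", "/usr/bin/bash", ["scrot", "/tmp/s.png"]),
    # grim spawned under sshd: a new parent for this agent, so it alerts
    make_event("e4", NOW, "agent-a", "grim", "/usr/sbin/sshd", ["grim", "/tmp/g.png"]),
    # obs --version is excluded by the args clause, even under sshd
    make_event("e5", NOW, "agent-a", "obs", "/usr/sbin/sshd", ["obs", "--version"]),
    # hotkey-driven flameshot under the compositor: the benign false positive the note describes
    make_event("e6", NOW, "agent-b", "flameshot", "/usr/bin/gnome-shell", ["flameshot", "gui"]),
    # not a capture tool at all
    make_event("e7", NOW, "agent-a", "firefox", "/usr/bin/bash", ["firefox"]),
    # second grim under sshd one minute later: same pair, suppressed
    make_event("e8", NOW + timedelta(minutes=1), "agent-a", "grim", "/usr/sbin/sshd", ["grim", "/tmp/g2.png"]),
]

if __name__ == "__main__":
    print(new_terms_alerts(SAMPLE_EVENTS))  # ['e1', 'e3', 'e4', 'e6']
```

Two things the replay makes visible: the first hotkey-driven capture on a host (e6) alerts exactly as the false-positive section warns, because the compositor is a new parent for that agent; and a second capture under an already-seen parent such as sshd (e8) is suppressed by the new_terms stage, which is why the note separately recommends a plain alert on these binaries executed by sshd/cron/systemd.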
