Linux Video Recording or Screenshot Activity Detected

calendar Jan 8, 2026 · Domain: Endpoint OS: Linux Use Case: Threat Detection Tactic: Collection Data Source: Elastic Defend Data Source: Elastic Endgame Data Source: SentinelOne  ·
Share on: linkedin copy

This rule monitors for the usage of the most common video recording or screenshot utilities on unix systems by an uncommon process parent. Adversaries may collect video or screenshot data from users or systems for a variety of reasons including espionage, credential theft, or reconnaissance.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2026/01/07"
 3integration = ["endpoint", "sentinel_one_cloud_funnel"]
 4maturity = "production"
 5updated_date = "2026/01/07"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10This rule monitors for the usage of the most common video recording or screenshot utilities on unix systems
11by an uncommon process parent. Adversaries may collect video or screenshot data from users or systems for a
12variety of reasons including espionage, credential theft, or reconnaissance.
13"""
14from = "now-9m"
15index = [
16          "logs-endpoint.events.process*",
17          "logs-sentinel_one_cloud_funnel.*",
18          "endgame-*",
19        ]
20language = "kuery"
21license = "Elastic License v2"
22name = "Linux Video Recording or Screenshot Activity Detected"
23risk_score = 21
24rule_id = "93dd73f9-3e59-45be-b023-c681273baf81"
25severity = "low"
26tags = [
27    "Domain: Endpoint",
28    "OS: Linux",
29    "Use Case: Threat Detection",
30    "Tactic: Collection",
31    "Data Source: Elastic Defend",
32    "Data Source: Elastic Endgame",
33    "Data Source: SentinelOne",
34]
35timestamp_override = "event.ingested"
36type = "new_terms"
37query = '''
38event.category:process and host.os.type:"linux" and event.type:"start" and event.action:("exec" or "exec_event" or "start") and
39process.name:(
40  "gnome-screenshot" or "spectacle" or "xfce4-screenshooter" or "mate-screenshot" or "scrot" or "maim" or "import" or "grim" or
41  "grimshot" or "slurp" or "flameshot" or "shutter" or "ksnip" or "deepin-screenshot" or "simplescreenrecorder" or "kazam" or
42  "vokoscreen" or "recordmydesktop" or "obs" or "obs-studio"
43) and
44not process.args:("-h" or "--help" or "--version")
45'''
46
47[[rule.threat]]
48framework = "MITRE ATT&CK"
49
50[[rule.threat.technique]]
51id = "T1113"
52name = "Screen Capture"
53reference = "https://attack.mitre.org/techniques/T1113/"
54
55[[rule.threat.technique]]
56id = "T1125"
57name = "Video Capture"
58reference = "https://attack.mitre.org/techniques/T1125/"
59
60[rule.threat.tactic]
61id = "TA0009"
62name = "Collection"
63reference = "https://attack.mitre.org/tactics/TA0009/"
64
65[rule.new_terms]
66field = "new_terms_fields"
67value = ["agent.id", "process.parent.executable"]
68
69[[rule.new_terms.history_window_start]]
70field = "history_window_start"
71value = "now-5d"

Related rules

to-top