PowerShell Suspicious Script with Screenshot Capabilities

  1[metadata]
  2creation_date = "2021/10/19"
  3integration = ["windows"]
  4maturity = "production"
  5updated_date = "2026/01/26"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Detects PowerShell script block content that uses CopyFromScreen with .NET bitmap classes to capture screenshots.
 11Attackers use screen capture to collect on-screen information and credentials.
 12"""
 13from = "now-9m"
 14index = ["winlogbeat-*", "logs-windows.powershell*"]
 15language = "kuery"
 16license = "Elastic License v2"
 17name = "PowerShell Suspicious Script with Screenshot Capabilities"
 18note = """## Triage and analysis
 19
 20> **Disclaimer**:
 21> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 22
 23### Investigating PowerShell Suspicious Script with Screenshot Capabilities
 24
 25This rule identifies PowerShell scripts that includes screenshot collection logic using `CopyFromScreen` together with bitmap classes. This pattern is commonly used to capture the interactive desktop and may indicate collection of sensitive on-screen data (for example, application content, authentication prompts, or remote session activity).
 26
 27Prioritize alerts on endpoints used for privileged administration or sensitive workflows, and alerts tied to accounts that do not typically run interactive PowerShell automation.
 28
 29#### Key alert fields to review
 30
 31- `user.name`, `user.domain`, `user.id`: Account execution context for correlation, prioritization, and scoping.
 32- `host.name`, `host.id`: Host execution context for correlation, prioritization, and scoping.
 33- `powershell.file.script_block_text`: Script block content that matched the detection logic.
 34- `powershell.file.script_block_id`, `powershell.sequence`, `powershell.total`: Script block metadata to pivot to other fragments or reconstruct full script content when split across multiple events.
 35- `file.path`, `file.directory`, `file.name`: File-origin context when the script block is sourced from an on-disk file.
 36- `powershell.file.script_block_length`: Script block length (size) context.
 37
 38#### Possible investigation steps
 39
 40- Establish alert scope and execution context:
 41  - Identify the affected system using `host.name` and `host.id`. Determine if the host is expected to have an interactive desktop session for the associated user at the time of the alert.
 42  - Identify the initiating account using `user.name`, `user.domain`, and `user.id`. Assess whether the account is a typical interactive user for the host and whether the activity aligns with the user role.
 43  - Review the alert time (`@timestamp`) and determine whether the timing aligns with normal business operations for the user and host.
 44
 45- Review and interpret the script block content:
 46  - Examine `powershell.file.script_block_text` to understand what is being captured:
 47    - Identify whether the capture targets the full screen or a specific region (for example, use of coordinates and dimensions passed into `CopyFromScreen`).
 48    - Identify whether capture is repeated (for example, loops, timers, repeated invocations) which may indicate ongoing collection.
 49    - Identify any logic that targets specific monitors, window bounds, or desktop layout.
 50  - Determine how captured images are handled:
 51    - Look for references indicating local image creation or saving (for example, image format usage such as PNG/JPEG/BMP, file extensions, or save routines).
 52    - Look for encoding/staging behavior (for example, Base64 conversion, compression, or in-memory serialization) that could facilitate transfer.
 53    - Note any referenced paths, filenames, or remote destinations embedded in the script, and capture unique strings for scoping and hunting.
 54
 55- Reconstruct full script logic when split across events:
 56  - Use `powershell.file.script_block_id` to collect all related fragments.
 57  - Order fragments using `powershell.sequence` and validate completeness using `powershell.total`.
 58  - Re-review the reconstructed script for supporting capabilities beyond capture (for example, environment checks, staging, cleanup, or transfer logic).
 59  - Use `powershell.file.script_block_length` to help identify unusually large or complex script blocks that may warrant deeper review.
 60
 61- Identify script source and provenance:
 62  - If `file.path`, `file.directory`, or `file.name` are present, treat the script as file-backed:
 63    - Validate whether the location is expected for administrative or support scripts in your environment.
 64    - Collect the referenced file for review and compare it to known-good versions or approved repositories where applicable.
 65  - If file fields are not present, treat the activity as potentially inline or dynamically generated:
 66    - Pay close attention to download, decode, or dynamic compilation patterns visible in `powershell.file.script_block_text`.
 67
 68- Scope for related PowerShell activity using available pivots:
 69  - On the same `host.id` and `user.id`, review surrounding script blocks near the alert time to identify related actions (for example, staging, transfer preparation, or artifact cleanup).
 70  - Search for similar `powershell.file.script_block_text` patterns across other hosts to determine prevalence and potential lateral spread.
 71  - If `file.name` or `file.path` are present, search for additional execution of the same script file across the environment.
 72
 73- Correlate with adjacent telemetry to determine initiation and outcomes:
 74  - Using `host.id`, `host.name`, `user.id`, and the alert time window, correlate with available endpoint and security telemetry to identify:
 75    - How PowerShell was initiated (interactive use vs. application-driven execution) and whether there is an unusual execution chain.
 76    - Evidence of screenshot artifacts being written, moved, archived, or deleted, especially in locations referenced in `powershell.file.script_block_text`.
 77    - Any outbound communication or data movement that could indicate transfer of captured images or related content.
 78
 79- Assess potential impact:
 80  - Determine whether the host and user context suggests access to sensitive information that could have been exposed via screenshots.
 81  - If screenshot artifacts are identified, preserve copies and metadata for exposure assessment and downstream response actions.
 82
 83### False positive analysis
 84
 85- Legitimate scenarios may include authorized troubleshooting, remote support workflows, UI testing, or automation that captures screenshots.
 86- Validate benign explanations by confirming that the involved `user.name`/`user.id` and `host.name`/`host.id` align with expected operational ownership and that the script content in `powershell.file.script_block_text` matches known, approved implementations.
 87- File-backed scripts with stable, approved locations (`file.path`/`file.name`) and consistent content are more likely to be benign. Inline or frequently changing script content, especially with staging or transfer logic, should be treated as higher risk even if screenshot capture is a documented capability.
 88
 89### Response and remediation
 90
 91- If the activity is confirmed malicious or remains suspicious after triage:
 92  - Contain the affected host to limit further collection and potential data transfer.
 93  - Preserve evidence:
 94    - Export and retain all related script block fragments for the same `powershell.file.script_block_id` and reconstruct the full script using `powershell.sequence` and `powershell.total`.
 95    - Collect any file-backed script referenced by `file.path`/`file.name`, along with any identified screenshot output paths from `powershell.file.script_block_text`.
 96  - Scope and eradicate:
 97    - Hunt for the same screenshot capture indicators across the environment using distinctive strings from `powershell.file.script_block_text`, as well as the involved `user.id` and `file.name` (if present).
 98    - Review correlated telemetry for signs of staging or transfer and identify any additional affected hosts or accounts.
 99  - Credential and access hygiene:
100    - If screenshots may have captured credentials or privileged activity, follow your incident response process for credential reset and access review for the involved account(s).
101    - Review access to sensitive systems from the affected host and user context during the relevant time window.
102
103- If the activity is confirmed benign:
104  - Document the legitimate business process, script ownership, and expected execution scope (approved users, hosts, and typical timing).
105  - Ensure the script source is controlled (when `file.path`/`file.name` are present) and that execution is limited to authorized accounts and systems.
106  - Continue monitoring for deviations in script content or execution context using the same pivots (`host.id`, `user.id`, and distinctive content in `powershell.file.script_block_text`).
107"""
108references = ["https://docs.microsoft.com/en-us/dotnet/api/system.drawing.graphics.copyfromscreen"]
109risk_score = 73
110rule_id = "959a7353-1129-4aa7-9084-30746b256a70"
111setup = """## Setup
112
113PowerShell Script Block Logging must be enabled to generate the events used by this rule (e.g., 4104).
114Setup instructions: https://ela.st/powershell-logging-setup
115"""
116severity = "high"
117tags = [
118    "Domain: Endpoint",
119    "OS: Windows",
120    "Use Case: Threat Detection",
121    "Tactic: Collection",
122    "Resources: Investigation Guide",
123    "Data Source: PowerShell Logs",
124]
125timestamp_override = "event.ingested"
126type = "query"
127
128query = '''
129event.category:process and host.os.type:windows and
130  powershell.file.script_block_text : (
131    CopyFromScreen and
132    ("System.Drawing.Bitmap" or "Drawing.Bitmap")
133  ) and not user.id : "S-1-5-18"
134'''
135
136
137[[rule.threat]]
138framework = "MITRE ATT&CK"
139[[rule.threat.technique]]
140id = "T1113"
141name = "Screen Capture"
142reference = "https://attack.mitre.org/techniques/T1113/"
143
144
145[rule.threat.tactic]
146id = "TA0009"
147name = "Collection"
148reference = "https://attack.mitre.org/tactics/TA0009/"
149[[rule.threat]]
150framework = "MITRE ATT&CK"
151[[rule.threat.technique]]
152id = "T1059"
153name = "Command and Scripting Interpreter"
154reference = "https://attack.mitre.org/techniques/T1059/"
155[[rule.threat.technique.subtechnique]]
156id = "T1059.001"
157name = "PowerShell"
158reference = "https://attack.mitre.org/techniques/T1059/001/"
159
160
161
162[rule.threat.tactic]
163id = "TA0002"
164name = "Execution"
165reference = "https://attack.mitre.org/tactics/TA0002/"
166
167[rule.investigation_fields]
168field_names = [
169    "@timestamp",
170    "user.name",
171    "user.id",
172    "user.domain",
173    "powershell.file.script_block_text",
174    "powershell.file.script_block_id",
175    "powershell.sequence",
176    "powershell.total",
177    "file.path",
178    "file.directory",
179    "file.name",
180    "process.pid",
181    "host.name",
182    "host.id",
183    "powershell.file.script_block_length"
184]