Screen Capture with Import Tool
Detects an adversary creating a screen capture of the desktop with ImageMagick's import tool. Use of this rule is highly recommended on servers, since screenshot utilities are heavily used on user workstations and would generate noise there. ImageMagick must be installed on the monitored host for the tool to be present.
Sigma rule
```yaml
title: Screen Capture with Import Tool
id: dbe4b9c5-c254-4258-9688-d6af0b7967fd
status: test
description: |
    Detects adversary creating screen capture of a desktop with Import Tool.
    Highly recommended using rule on servers, due to high usage of screenshot utilities on user workstations.
    ImageMagick must be installed.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md
    - https://linux.die.net/man/1/import
    - https://imagemagick.org/
author: 'Pawel Mazur'
date: 2021-09-21
modified: 2022-10-09
tags:
    - attack.collection
    - attack.t1113
logsource:
    product: linux
    service: auditd
detection:
    import:
        type: EXECVE
        a0: import
    import_window_root:
        a1: '-window'
        a2: 'root'
        a3|endswith:
            - '.png'
            - '.jpg'
            - '.jpeg'
    import_no_window_root:
        a1|endswith:
            - '.png'
            - '.jpg'
            - '.jpeg'
    condition: import and (import_window_root or import_no_window_root)
falsepositives:
    - Legitimate use of screenshot utility
level: low
```
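To show how the three selections combine, here is an added Python example (not part of the rule or the Sigma project) that applies the same condition to a few constructed auditd EXECVE records. The log lines, serial numbers and paths are made up; unquoted argument values are treated as auditd's hex encoding, which auditd uses for arguments containing spaces or special characters.

```python
import re

# Constructed sample auditd records (not from the page). Record 203 carries a
# hex-encoded a1 as auditd emits for a path containing a space.
SAMPLE_LOG = """\
type=EXECVE msg=audit(1632230400.101:201): argc=4 a0="import" a1="-window" a2="root" a3="/tmp/desk.png"
type=EXECVE msg=audit(1632230400.102:202): argc=2 a0="import" a1="/home/user/shot.jpeg"
type=EXECVE msg=audit(1632230400.103:203): argc=2 a0="import" a1=2F746D702F6D792073686F742E6A7067
type=EXECVE msg=audit(1632230400.104:204): argc=2 a0="ls" a1="/tmp/desk.png"
type=EXECVE msg=audit(1632230400.105:205): argc=4 a0="import" a1="-window" a2="root" a3="/tmp/desk.gif"
type=SYSCALL msg=audit(1632230400.106:206): arch=c000003e syscall=59 success=yes exit=0
"""

IMAGE_EXTS = ('.png', '.jpg', '.jpeg')
# aN="quoted value"  or  aN=HEXBYTES (auditd's unquoted hex form)
ARG_RE = re.compile(r'\ba(\d+)=(?:"([^"]*)"|([0-9A-Fa-f]+))')


def parse_execve(line):
    """Return {'a0': ..., 'a1': ...} for an EXECVE record, or None for other record types."""
    if not line.startswith('type=EXECVE '):
        return None
    args = {}
    for idx, quoted, hexval in ARG_RE.findall(line):
        args['a' + idx] = quoted if quoted else bytes.fromhex(hexval).decode('utf-8', 'replace')
    return args


def matches_rule(args):
    """Mirror the Sigma condition: import and (import_window_root or import_no_window_root).
    Sigma string matching is case-insensitive by default, hence the lower() calls."""
    if args.get('a0', '').lower() != 'import':
        return False
    window_root = (args.get('a1') == '-window' and args.get('a2') == 'root'
                   and args.get('a3', '').lower().endswith(IMAGE_EXTS))
    no_window_root = args.get('a1', '').lower().endswith(IMAGE_EXTS)
    return window_root or no_window_root


def scan(log_text):
    """Return the audit serial numbers (the number after the colon) of matching records."""
    hits = []
    for line in log_text.splitlines():
        args = parse_execve(line)
        if args and matches_rule(args):
            hits.append(re.search(r':(\d+)\)', line).group(1))
    return hits


if __name__ == '__main__':
    print(scan(SAMPLE_LOG))  # ['201', '202', '203']
```

Record 205 is excluded because a3 ends in .gif, and 204 because a0 is not import; hex-decoded 203 matches through the import_no_window_root branch.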
Related rules
- Periodic Backup For System Registry Hives Enabled
- Screen Capture - macOS
- Screen Capture Activity Via Psr.EXE
- Screen Capture with Xwd
- Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted