Screen Capture with Xwd
Detects adversary creating screen capture of a full with xwd. Highly recommended using rule on servers, due high usage of screenshot utilities on user workstations
Sigma rule (View on GitHub)
1title: Screen Capture with Xwd
2id: e2f17c5d-b02a-442b-9052-6eb89c9fec9c
3status: test
4description: Detects adversary creating screen capture of a full with xwd. Highly recommended using rule on servers, due high usage of screenshot utilities on user workstations
5references:
6 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md#atomic-test-3---x-windows-capture
7 - https://linux.die.net/man/1/xwd
8author: 'Pawel Mazur'
9date: 2021/09/13
10modified: 2022/12/18
11tags:
12 - attack.collection
13 - attack.t1113
14logsource:
15 product: linux
16 service: auditd
17detection:
18 selection:
19 type: EXECVE
20 a0: xwd
21 xwd_root_window:
22 a1: '-root'
23 a2: '-out'
24 a3|endswith: '.xwd'
25 xwd_no_root_window:
26 a1: '-out'
27 a2|endswith: '.xwd'
28 condition: selection and 1 of xwd_*
29falsepositives:
30 - Legitimate use of screenshot utility
31level: low
References
Related rules
- Screen Capture with Import Tool
- Screen Capture - macOS
- Audio Capture
- Clipboard Collection of Image Data with Xclip Tool
- Clipboard Collection with Xclip Tool - Auditd