Screen Capture - macOS

Detects attempts to use screencapture to collect macOS screenshots

Sigma rule (View on GitHub)

 1title: Screen Capture - macOS
 2id: 0877ed01-da46-4c49-8476-d49cdd80dfa7
 3status: test
 4description: Detects attempts to use screencapture to collect macOS screenshots
 5references:
 6    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md
 7    - https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/collection/osx/screenshot.py
 8author: remotephone, oscd.community
 9date: 2020-10-13
10modified: 2021-11-27
11tags:
12    - attack.collection
13    - attack.t1113
14logsource:
15    product: macos
16    category: process_creation
17detection:
18    selection:
19        Image: '/usr/sbin/screencapture'
20    condition: selection
21falsepositives:
22    - Legitimate user activity taking screenshots
23level: low

References

Related rules

to-top