Screen Capture - macOS

 1title: Screen Capture - macOS
 2id: 0877ed01-da46-4c49-8476-d49cdd80dfa7
 3status: test
 4description: Detects attempts to use screencapture to collect macOS screenshots
 5references:
 6    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md
 7    - https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/collection/osx/screenshot.py
 8author: remotephone, oscd.community
 9date: 2020-10-13
10modified: 2021-11-27
11tags:
12    - attack.collection
13    - attack.t1113
14logsource:
15    product: macos
16    category: process_creation
17detection:
18    selection:
19        Image: '/usr/sbin/screencapture'
20    condition: selection
21falsepositives:
22    - Legitimate user activity taking screenshots
23level: low

References

• atomic-red-team/atomics/T1113/T1113.md at f339e7da7d05f6057fdfcdd3742bfcf365fee2a9 · redcanaryco/atomic-red-team

  

  Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team

  
  Read More

• Empire/lib/modules/python/collection/osx/screenshot.py at 08cbd274bef78243d7a8ed6443b8364acd1fc48b · EmpireProject/Empire

  

  Empire is a PowerShell and Python post-exploitation agent. - EmpireProject/Empire

  
  Read More

Related rules

• Periodic Backup For System Registry Hives Enabled
• Screen Capture Activity Via Psr.EXE
• Screen Capture with Import Tool
• Screen Capture with Xwd
• Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted