Windows Screen Capture with CopyFromScreen
Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations.
Sigma rule
title: Windows Screen Capture with CopyFromScreen
id: d4a11f63-2390-411c-9adf-d791fd152830
status: test
description: |
    Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation.
    Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md#atomic-test-6---windows-screen-capture-copyfromscreen
author: frack113
date: 2021-12-28
modified: 2022-07-07
tags:
    - attack.collection
    - attack.t1113
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains: '.CopyFromScreen'
    condition: selection
falsepositives:
    - Unknown
level: medium
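As an added illustration (not code from the rule or the Sigma project), the Python below applies the rule's selection to constructed PowerShell Script Block Logging events. The event dictionaries, their field names and the sample script text are assumptions modelled on Event ID 4104 in the Microsoft-Windows-PowerShell/Operational channel, which is what the ps_script logsource resolves to; Sigma's contains modifier is case-insensitive by default, so the comparison lowercases both sides.

```python
"""Apply the 'Windows Screen Capture with CopyFromScreen' Sigma rule to
constructed Script Block Logging events (not real telemetry)."""
from typing import Iterable, List

PS_CHANNEL = "Microsoft-Windows-PowerShell/Operational"
PS_SCRIPT_BLOCK_EVENT_ID = 4104          # what logsource category ps_script maps to
SELECTION_TOKEN = ".CopyFromScreen"      # ScriptBlockText|contains value from the rule


def matches_rule(event: dict) -> bool:
    """True when the event satisfies both the logsource and the 'selection'."""
    if event.get("Channel") != PS_CHANNEL:
        return False
    if event.get("EventID") != PS_SCRIPT_BLOCK_EVENT_ID:
        return False
    text = event.get("ScriptBlockText", "")
    # Sigma 'contains' is a case-insensitive substring test by default.
    return SELECTION_TOKEN.lower() in text.lower()


def alerts(events: Iterable[dict]) -> List[dict]:
    """Return the events that would fire this rule, preserving input order."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events (assumed field layout), one per case worth checking.
SAMPLE_EVENTS = [
    {"RecordId": 1, "Channel": PS_CHANNEL, "EventID": 4104,
     "ScriptBlockText": "$g = [System.Drawing.Graphics]::FromImage($bmp); "
                        "$g.CopyFromScreen(0, 0, 0, 0, $bmp.Size)"},
    # Mixed case still matches because the modifier is case-insensitive.
    {"RecordId": 2, "Channel": PS_CHANNEL, "EventID": 4104,
     "ScriptBlockText": "$g.copyfromscreen($x, $y, 0, 0, $bmp.Size)"},
    # Benign administrative script: no match.
    {"RecordId": 3, "Channel": PS_CHANNEL, "EventID": 4104,
     "ScriptBlockText": "Get-Process | Sort-Object CPU -Descending"},
    # Same token in a 4103 (module logging) record: outside the logsource, no match.
    {"RecordId": 4, "Channel": PS_CHANNEL, "EventID": 4103,
     "ScriptBlockText": "$g.CopyFromScreen(0, 0, 0, 0, $bmp.Size)"},
    # Token only inside a comment: plain substring matching still fires,
    # which is one source of the 'Unknown' false positives the rule lists.
    {"RecordId": 5, "Channel": PS_CHANNEL, "EventID": 4104,
     "ScriptBlockText": "# .CopyFromScreen is deliberately not used here\nGet-Date"},
]

if __name__ == "__main__":
    for hit in alerts(SAMPLE_EVENTS):
        print(f"ALERT record {hit['RecordId']}: {hit['ScriptBlockText'][:60]!r}")
```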
Related rules
- Periodic Backup For System Registry Hives Enabled
- Screen Capture - macOS
- Screen Capture Activity Via Psr.EXE
- Screen Capture with Import Tool
- Screen Capture with Xwd