Windows Screen Capture with CopyFromScreen

Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations

Sigma rule (View on GitHub)

 1title: Windows Screen Capture with CopyFromScreen
 2id: d4a11f63-2390-411c-9adf-d791fd152830
 3status: test
 4description: |
 5    Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation.
 6    Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations    
 7references:
 8    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md#atomic-test-6---windows-screen-capture-copyfromscreen
 9author: frack113
10date: 2021/12/28
11modified: 2022/07/07
12tags:
13    - attack.collection
14    - attack.t1113
15logsource:
16    product: windows
17    category: ps_script
18    definition: 'Requirements: Script Block Logging must be enabled'
19detection:
20    selection:
21        ScriptBlockText|contains: '.CopyFromScreen'
22    condition: selection
23falsepositives:
24    - Unknown
25level: medium

References

Related rules

to-top