The psr.exe captures desktop screenshots and saves them on the local machine

Detects processes loading "System.Drawing.ni.dll". This could be an indicator of potential Screen Capture.

Detects adversary creating screen capture of a desktop with Import Tool. Highly recommended using rule on servers, due to high usage of screenshot utilities on user workstations. ImageMagick must be installed.

Detects adversary creating screen capture of a full with xwd. Highly recommended using rule on servers, due high usage of screenshot utilities on user workstations

Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations

Detects attempts to use screencapture to collect macOS screenshots