
T1113 - Screen Capture

Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as CopyFromScreen, xwd, or screencapture.(Citation: CopyFromScreen .NET)(Citation: Antiquated Mac Malware)

Atomic Tests


Atomic Test #1 - Screencapture

Use the screencapture command to collect a full desktop screenshot.

Supported Platforms: macOS

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Output file path | Path | /tmp/T1113_desktop.png |

Attack Commands: Run with bash!

screencapture #{output_file}

Cleanup Commands:

rm #{output_file}


Atomic Test #2 - Screencapture (silent)

Use the screencapture command with -x (no shutter sound) to collect a full desktop screenshot.

Supported Platforms: macOS

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Output file path | Path | /tmp/T1113_desktop.png |

Attack Commands: Run with bash!

screencapture -x #{output_file}

Cleanup Commands:

rm #{output_file}


Atomic Test #3 - X Windows Capture

Use the xwd command to collect a full desktop screenshot and review the file with xwud.

Supported Platforms: Linux

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Output file path | Path | /tmp/T1113_desktop.xwd |
| package_checker | Package checking command for Linux. Debian system command: dpkg -s x11-apps | String | rpm -q xorg-x11-apps |
| package_installer | Package installer command for Linux. Debian system command: apt-get install x11-apps | String | yum install -y xorg-x11-apps |

Attack Commands: Run with bash!

xwd -root -out #{output_file}
xwud -in #{output_file}

Cleanup Commands:

rm #{output_file}

Dependencies: Run with bash!

Description: Package with XWD and XWUD must exist on device
Check Prereq Commands:
if #{package_checker} > /dev/null; then exit 0; else exit 1; fi 
Get Prereq Commands:
sudo #{package_installer}


Atomic Test #4 - Capture Linux Desktop using Import Tool

Use the import command from ImageMagick to collect a full desktop screenshot.

Supported Platforms: Linux

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Output file path | Path | /tmp/T1113_desktop.png |

Attack Commands: Run with bash!

import -window root #{output_file}

Cleanup Commands:

rm #{output_file}

Dependencies: Run with bash!

Description: ImageMagick must be installed
Check Prereq Commands:
if import --version; then exit 0; else exit 1; fi 
Get Prereq Commands:
sudo apt-get -y install imagemagick


Atomic Test #5 - Windows Screencapture

Use the Psr.exe binary to collect screenshots of the user display. The test performs a left mouse click to simulate user behaviour.

Supported Platforms: Windows

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Output file path | Path | c:\temp\T1113_desktop.zip |
| recording_time | Time (seconds) to take screenshots | String | 5 |

Attack Commands: Run with powershell!

cmd /c start /b psr.exe /start /output #{output_file} /sc 1 /gui 0 /stopevent 12
Add-Type -MemberDefinition '[DllImport("user32.dll")] public static extern void mouse_event(int flags, int dx, int dy, int cButtons, int info);' -Name U32 -Namespace W;
[W.U32]::mouse_event(0x02 -bor 0x04 -bor 0x01, 0, 0, 0, 0);
cmd /c "timeout #{recording_time} > NUL && psr.exe /stop"

Cleanup Commands:

rm #{output_file} -ErrorAction Ignore
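The five tests above exercise four native capture utilities: screencapture (macOS), xwd/xwud and ImageMagick import (Linux), and psr.exe (Windows). The defender-side counterpart is a process-creation detection keyed on exactly those command lines. The following Python script is an added example, not code from the Atomic Red Team project: it parses constructed process-creation telemetry, flags the T1113 command patterns shown on this page, and pulls out the capture's output path so an analyst can check whether the artifact was cleaned up. The log line layout, hostnames, users and PIDs are assumptions made for this example, as is the rule format.

```python
import re

# Constructed sample of process-creation telemetry (one event per line). The
# field layout is an assumption made for this example, not a vendor log format.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z host=mac01 os=macos user=alice pid=412 cmd="screencapture -x /tmp/T1113_desktop.png"
2024-05-01T09:00:05Z host=lin01 os=linux user=bob pid=2201 cmd="xwd -root -out /tmp/T1113_desktop.xwd"
2024-05-01T09:00:06Z host=lin01 os=linux user=bob pid=2202 cmd="xwud -in /tmp/T1113_desktop.xwd"
2024-05-01T09:00:09Z host=lin02 os=linux user=carol pid=3310 cmd="python3 -c 'import os; print(os.getcwd())'"
2024-05-01T09:00:12Z host=lin02 os=linux user=carol pid=3311 cmd="import -window root /tmp/T1113_desktop.png"
2024-05-01T09:00:20Z host=win01 os=windows user=dave pid=5120 cmd="psr.exe /start /output c:\\temp\\T1113_desktop.zip /sc 1 /gui 0 /stopevent 12"
2024-05-01T09:00:31Z host=win01 os=windows user=dave pid=5188 cmd="psr.exe /stop"
"""

EVENT_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) os=(?P<os>\S+) user=(?P<user>\S+) '
    r'pid=(?P<pid>\d+) cmd="(?P<cmd>.*)"$'
)

# (rule name, platform the rule applies to, pattern over the full command line).
# The patterns mirror the Attack Commands of tests #1-#5 on this page. Anchoring
# on start-of-line or a path separator keeps "python3 -c 'import os'" from
# matching the ImageMagick rule, and "xwud" from matching the xwd rule.
RULES = [
    ("T1113 #1/#2 screencapture", "macos", re.compile(r"(^|/)screencapture(\s|$)")),
    ("T1113 #3 xwd root window capture", "linux", re.compile(r"(^|/)xwd\s+.*-root")),
    ("T1113 #4 ImageMagick import of root window", "linux",
     re.compile(r"(^|/)import\s+.*-window\s+root")),
    ("T1113 #5 psr.exe recording started", "windows",
     re.compile(r"(^|\\)psr\.exe\s+.*/start", re.IGNORECASE)),
]


def capture_target(cmd):
    """Best-effort extraction of the file the capture is written to, for triage."""
    tokens = cmd.split()
    lowered = [t.lower() for t in tokens]
    if "/output" in lowered:                      # psr.exe /output <zip>
        i = lowered.index("/output")
        return tokens[i + 1] if i + 1 < len(tokens) else None
    if "-out" in tokens:                          # xwd -out <file>
        i = tokens.index("-out")
        return tokens[i + 1] if i + 1 < len(tokens) else None
    # screencapture and import take the output file as the last argument
    return tokens[-1] if len(tokens) > 1 else None


def detect_screen_capture(log_text):
    """Return one finding per event whose command line matches a T1113 rule."""
    findings = []
    for line in log_text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue                              # skip lines that are not events
        ev = m.groupdict()
        for name, platform, pattern in RULES:
            if ev["os"] == platform and pattern.search(ev["cmd"]):
                findings.append({
                    "rule": name,
                    "host": ev["host"],
                    "user": ev["user"],
                    "pid": int(ev["pid"]),
                    "target": capture_target(ev["cmd"]),
                })
    return findings


if __name__ == "__main__":
    for f in detect_screen_capture(SAMPLE_LOG):
        print(f"{f['host']:6} {f['user']:6} pid={f['pid']:<5} {f['rule']}: {f['target']}")
```

Run against the sample, the script reports four findings (tests #1/#2, #3, #4 and #5) and ignores both the xwud viewer invocation and the Python one-liner containing the word import. The rules are deliberately as narrow as the page's own commands; an ImageMagick import of a specific window id, or a screencapture driven through a GUI helper, would need additional patterns, and the extracted target path is what to compare against the Cleanup Commands when deciding whether an artifact is still on disk.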