# T1113 Screen Capture

-----------------------------------------------------------------------

## Technique Description

Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen`, `xwd`, or `screencapture`.(Citation: CopyFromScreen .NET)(Citation: Antiquated Mac Malware)


## Technique Detection

Monitoring for screen capture behavior will depend on the method used to obtain data from the operating system and write output files. Detection methods could include collecting information from unusual processes using API calls used to obtain image data, and monitoring for image files written to disk. The sensor data may need to be correlated with other events to identify malicious activity, depending on the legitimacy of this behavior within a given network environment.

-----------------------------------------------------------------------

### Tactics:

  * Collection

### Platforms:

  * Linux

  * macOS

  * Windows

### Data Sources:

  * **Command:** Command Execution

  * **Process:** OS API Execution

-----------------------------------------------------------------------

### Adversarial usage:

| Adversary Group |  Adversarial Usage |
|----|----|
| GOLD SOUTHFIELD | [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) has used the remote monitoring and management tool ConnectWise to obtain screen captures from victim's machines.(Citation: Tetra Defense Sodinokibi March 2020)| 
| Silence | [Silence](https://attack.mitre.org/groups/G0091) can capture victim screen activity.(Citation: SecureList Silence Nov 2017)(Citation: Group IB Silence Sept 2018)| 
| APT39 | [APT39](https://attack.mitre.org/groups/G0087) has used a screen capture utility to take screenshots on a compromised host.(Citation: Symantec Chafer February 2018)(Citation: FBI FLASH APT39 September 2020)| 
| Dark Caracal | [Dark Caracal](https://attack.mitre.org/groups/G0070) took screenshots using their Windows malware.(Citation: Lookout Dark Caracal Jan 2018)| 
| MuddyWater | [MuddyWater](https://attack.mitre.org/groups/G0069) has used malware that can capture screenshots of the victim’s machine.(Citation: Securelist MuddyWater Oct 2018)| 
| Magic Hound | [Magic Hound](https://attack.mitre.org/groups/G0059) malware can take a screenshot and upload the file to its C2 server.(Citation: Unit 42 Magic Hound Feb 2017)| 
| BRONZE BUTLER | [BRONZE BUTLER](https://attack.mitre.org/groups/G0060) has used a tool to capture screenshots.(Citation: Secureworks BRONZE BUTLER Oct 2017)(Citation: Trend Micro Tick November 2019)| 
| OilRig | [OilRig](https://attack.mitre.org/groups/G0049) has a tool called CANDYKING to capture a screenshot of user's desktop.(Citation: FireEye APT34 Webinar Dec 2017)| 
| Gamaredon Group | [Gamaredon Group](https://attack.mitre.org/groups/G0047)'s malware can take screenshots of the compromised computer every minute.(Citation: ESET Gamaredon June 2020)| 
| FIN7 | [FIN7](https://attack.mitre.org/groups/G0046) captured screenshots and desktop video recordings.(Citation: DOJ FIN7 Aug 2018)| 
| Group5 | Malware used by [Group5](https://attack.mitre.org/groups/G0043) is capable of watching the victim's screen.(Citation: Citizen Lab Group5)| 
| Dragonfly | [Dragonfly](https://attack.mitre.org/groups/G0035) has performed screen captures of victims, including by using a tool, scr.exe (which matched the hash of ScreenUtil).(Citation: US-CERT TA18-074A)(Citation: Symantec Dragonfly Sept 2017)(Citation: Gigamon Berserk Bear October 2021)| 
| APT28 | [APT28](https://attack.mitre.org/groups/G0007) has used tools to take screenshots from victims.(Citation: ESET Sednit Part 2)(Citation: XAgentOSX 2017)(Citation: DOJ GRU Indictment Jul 2018)(Citation: Secureworks IRON TWILIGHT Active Measures March 2017)| 

-----------------------------------------------------------------------

## Mitre References

  * [Mitre-Attack](https://attack.mitre.org/techniques/T1113)

  * [Capec](https://capec.mitre.org/data/definitions/648.html)

  * [Copyfromscreen .Net](https://docs.microsoft.com/en-us/dotnet/api/system.drawing.graphics.copyfromscreen?view=netframework-4.8), Microsoft. (n.d.). Graphics.CopyFromScreen Method. Retrieved March 24, 2020.

  * [Antiquated Mac Malware](https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/), Thomas Reed. (2017, January 18). New Mac backdoor using antiquated code. Retrieved July 5, 2017.

> *Note: Do not edit this cell with information you want to keep. This cell will be wiped when the update script is run. Store permanent information in one of the relevant cells below.*

*Last pulled from Mitre on: 23 June 2022*



-----------------------------------------------------------------------

## Metadata

  * **Last Updated Date:** 8 July 2021

  * **Author(s):** SSgt Johnathan Smith, SSgt John Beres

  * **Validated:** NO

-----------------------------------------------------------------------

## Overall Hypothesis

- Adversaries will use one or more tools to take screenshots from a victim’s device.

## Adversary Examples

| Adversary Specific Examples | Host Analytics | Network Analytics |
|-----------------------------|----------------|-------------------|
| APT28, APT29, Turla | 1-5 | |

## Detection Blindspots

- While identifying image captures written to disk is rather straightforward, an adversary’s use of API calls is far harder to detect, particularly a tool that behaves like Metasploit’s “screengrab”, which does not save to disk but returns the capture to the attacker’s system via API calls.

## Analytical References

  * [Mitre Attack Screen Capture (infosecinstitute)](https://resources.infosecinstitute.com/mitre-attck-screen-capture/)
  * [X-Agent macOS tool (paloaltonetworks)](https://unit42.paloaltonetworks.com/unit42-xagentosx-sofacys-xagent-macos-tool/)
  * [Screen Capture- Metasploit (offensive-security)](https://www.offensive-security.com/metasploit-unleashed/screen-capture/)
  * [Cyber Conflict Decoy Document (talosintelligence)](https://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html)
  * [Kazuar Espionage Backdoor](https://unit42.paloaltonetworks.com/unit42-kazuar-multiplatform-espionage-backdoor-api-access/)
  * [ESET Sednit Part 2 (welivesecurity)](https://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf)

--------------------------------------------------------------------------
## APT/Malware Specific Notes:

### APT28
- 1.) XAgent (AKA SPLM/CHOPSTICK) - takeScreenShot takes a screenshot using the `CGGetActiveDisplayList`, `CGDisplayCreateImage` and `NSImage:initWithCGImage` methods. Returns the screenshot to the C2 via: `<img src='data:image/jpeg;base64,[base64 of screenshot]' width=800 height=500 /><br>`


- 2.) JHUHUGIT (AKA Trojan.Sofacy, Seduploader, JKEYSKW, Sednit, GAMEFISH, SofacyCarberp) - A JHUHUGIT variant takes screenshots by simulating the user pressing the "Take Screenshot" key VK_SCREENSHOT, accessing the screenshot saved in the clipboard, and converting it to a JPG image.


### APT29
- 1.) Cobalt Strike - A user specifies a process PID and CPU architecture (x86 / x64) to inject the screenshot tool into. It can either take a single screenshot and exit or take one each time the beacon checks into the C2. Note that the Cobalt Strike manual recommends the use of Explorer.exe.


### Turla
- 1.) Empire (AKA EmPyre, PowerShell Empire) - A user can on-demand request a screen capture of the desktop. By default it will save a .png image.
- 2.) Kazuar - Given the command scrshot, a screenshot of the entire visible screen is taken. The screenshot is saved to a specified filename or to a filename with the following format: [year]-[month]-[day]-[hour]-[minute]-[second]-[millisecond].jpg. The file is uploaded to the C2 server.

-----------------------------------------------------------------------

## Host Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Detection methods could include collecting information from unusual processes using API calls used to obtain image data, and monitoring for image files written to disk.
- Detection of screen capture is possible, but it depends on the method that the attackers use as the different screen capture methods are mostly tool- (or delivery method) specific. A solid recommendation for detecting some basic screen capture methods that save a screenshot to the compromised system is to monitor for image files written to disk.
- Taking a screenshot is also typically possible through native utilities or API calls, such as CopyFromScreen, xwd, or screencapture.
- Requires host log analysis of process and file creation events.
- Correlate screenshot file creation with a seemingly unrelated Image or PID in the event data.

#### Analytic 1

  * **Information:** PowerSploit's Get-TimedScreenshot module takes screenshots at regular intervals.

  * **Source:** Sysmon, Winlogbeats

  * **Tool:** Kibana

  * **Notes:** 

  * **Query:** `Process : PowerShell AND commandLine : *Get-TimedScreenshot*`

#### Analytic 2

  * **Information:** A JHUHUGIT variant accesses a screenshot saved in the clipboard and converts it to a JPG image.

  * **Source:** e.g. Windows Audits, Sysmon

  * **Tool:** Kibana

  * **Notes:** Sysmon_24: ClipboardChange

  * **Query:** `Event_id : 24 AND *.jpg`

#### Analytic 3

  * **Information:** Query for dangerous powershell modules such as those from PowerSploit. Invoke-PSImage encodes the bytes of a Powershell script into the pixels of a PNG image.

  * **Source:** Sysmon, Winlogbeats

  * **Tool:** Kibana

  * **Notes:** Windows PowerShell 800 (pipeline execution details), PowerShell 4103 (module logging) and 4104 (script block logging). The cmdlet terms must be grouped in parentheses; otherwise AND binds tighter than OR and the event ID filter only applies to the first term.

  * **Query:** `EventID : (800 OR 4103 OR 4104) AND ("invoke-screencapture" OR "get-clipboard" OR "inject-shellcode" OR "get-keystrokes" OR "downloadstrings" OR "downloadfile" OR "Invoke-ReflectivePEInjection" OR "get-screenshot" OR "invoke-PSImage")`

#### Analytic 4

  * **Information:** Look for common image extensions on file creation events.

  * **Source:** Sysmon, Winlogbeats

  * **Tool:** Kibana

  * **Notes:** Sysmon_11: FileCreate. The created file is recorded in TargetFilename; Image is the process that wrote it, so match the extension list against TargetFilename and use Image to spot unusual writers.

  * **Query:** `Event_id : 11 AND TargetFilename : (*.jpg OR *.jpeg OR *.bmp OR *.tiff OR *.png OR *.gif)`
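As an added example, not part of the original playbook, the following Python applies the logic of Analytics 3 and 4 plus the Kazuar filename pattern from the APT notes to a few constructed Winlogbeat-style events. The field names, the allowlist of image-writing processes and the sample events are assumptions.

```python
import re

# Constructed Winlogbeat-style events (not real log data): Sysmon 11 = FileCreate,
# PowerShell 4104 = script block logging. Field names are assumed.
SAMPLE_EVENTS = [
    {"event_id": 11, "Image": r"C:\Windows\System32\SnippingTool.exe",
     "TargetFilename": r"C:\Users\alice\Pictures\Screenshot 1.png"},
    {"event_id": 11, "Image": r"C:\Users\alice\AppData\Local\Temp\svch0st.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\2021-7-8-14-3-22-417.jpg"},
    {"event_id": 4104, "ScriptBlockText": "Get-TimedScreenshot -Path C:\\Temp -Interval 5"},
    {"event_id": 4104, "ScriptBlockText": "Get-ChildItem C:\\Users"},
]

IMAGE_EXT = (".jpg", ".jpeg", ".bmp", ".tiff", ".png", ".gif")
# Hypothetical allowlist of processes expected to write image files; tune per environment.
KNOWN_IMAGE_WRITERS = {r"c:\windows\system32\snippingtool.exe"}
# Terms from Analytic 3, checked as one group so the event-ID filter applies to all of them.
PS_TERMS = ("invoke-screencapture", "get-clipboard", "get-screenshot",
            "get-timedscreenshot", "invoke-psimage")
# Kazuar naming from the APT notes: year-month-day-hour-minute-second-millisecond.jpg
KAZUAR_NAME = re.compile(r"^\d{4}-\d{1,2}-\d{1,2}-\d{1,2}-\d{1,2}-\d{1,2}-\d{1,3}\.jpg$", re.I)


def check_event(ev):
    """Return the names of the analytics that fire for a single event."""
    hits = []
    eid = ev.get("event_id")
    if eid == 11:
        # Sysmon 11 records the created file in TargetFilename; Image is the writing process.
        target = ev.get("TargetFilename", "")
        if target.lower().endswith(IMAGE_EXT) and ev.get("Image", "").lower() not in KNOWN_IMAGE_WRITERS:
            hits.append("analytic4_image_file_from_unusual_process")
        if KAZUAR_NAME.match(target.rsplit("\\", 1)[-1]):
            hits.append("kazuar_timestamp_filename")
    elif eid in (800, 4103, 4104):
        # Mimic Kibana's free-text match by searching every field value.
        text = " ".join(str(v) for v in ev.values()).lower()
        if any(term in text for term in PS_TERMS):
            hits.append("analytic3_powershell_screen_capture_cmdlet")
    return hits


def run(events):
    """Map event index to the analytics it triggered, skipping clean events."""
    results = {}
    for i, ev in enumerate(events):
        hits = check_event(ev)
        if hits:
            results[i] = hits
    return results
```

Calling `run(SAMPLE_EVENTS)` flags the temp-directory JPG written by the unknown process (on both the extension rule and the Kazuar naming rule) and the Get-TimedScreenshot script block, while the Snipping Tool write and the harmless PowerShell command stay quiet.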
-----------------------------------------------------------------------

## Network Analytics

-----------------------------------------------------------------------
