Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as CopyFromScreen, xwd, or screencapture.[1][2]
ID | Name | Description |
---|---|---|
S0331 | Agent Tesla | Agent Tesla can capture screenshots of the victim’s desktop.[3][4][5][6][7] |
S0622 | AppleSeed | AppleSeed can take screenshots on a compromised host by calling a series of APIs.[8] |
G0007 | APT28 | APT28 has used tools to take screenshots from victims.[9][10][11] |
G0087 | APT39 | APT39 has used a screen capture utility to take screenshots on a compromised host.[12][13] |
S0456 | Aria-body | Aria-body has the ability to capture screenshots on compromised hosts.[14] |
S0438 | Attor | Attor has a plugin that captures screenshots of the target applications.[15] |
S0344 | Azorult | Azorult can capture screenshots of the victim’s machine.[16] |
S0128 | BADNEWS | BADNEWS has a command to take a screenshot and send it to the C2 server.[17][18] |
S0337 | BadPatch | BadPatch captures screenshots in .jpg format and then exfiltrates them.[19] |
S0234 | Bandook | Bandook is capable of taking an image of the current desktop and uploading it.[20][21] |
S0017 | BISCUIT | BISCUIT has a command to periodically take screenshots of the system.[22] |
S0089 | BlackEnergy | BlackEnergy is capable of taking screenshots.[23] |
S0657 | BLUELIGHT | BLUELIGHT has captured a screenshot of the display every 30 seconds for the first 5 minutes after initiating a C2 loop, and then once every five minutes thereafter.[24] |
G0060 | BRONZE BUTLER | BRONZE BUTLER has used a tool to capture screenshots.[25][26] |
S0454 | Cadelspy | Cadelspy has the ability to capture screenshots and webcam photos.[27] |
S0351 | Cannon | |
S0030 | Carbanak | Carbanak performs desktop video recording and captures screenshots of the desktop, sending them to the C2 server.[29] |
S0484 | Carberp | Carberp can capture display screenshots with the screens_dll.dll plugin.[30] |
S0348 | Cardinal RAT | Cardinal RAT can capture screenshots.[31] |
S0261 | Catchamas | Catchamas captures screenshots based on specific keywords in the window’s title.[32] |
S0631 | Chaes | |
S0023 | CHOPSTICK | |
S0154 | Cobalt Strike | Cobalt Strike's Beacon payload is capable of capturing screenshots.[34][35][36] |
S0338 | Cobian RAT | Cobian RAT has a feature to perform screen capture.[37] |
S0591 | ConnectWise | ConnectWise can take screenshots on remote hosts.[38] |
S0050 | CosmicDuke | CosmicDuke takes periodic screenshots and exfiltrates them.[39] |
S0115 | Crimson | Crimson contains a command to perform screen captures.[40][41] |
S0235 | CrossRAT | |
G0070 | Dark Caracal | Dark Caracal took screenshots using their Windows malware.[20] |
S0187 | Daserf | |
S0021 | Derusbi | |
S0213 | DOGCALL | DOGCALL is capable of capturing screenshots of the victim's machine.[44][45] |
G0074 | Dragonfly 2.0 | Dragonfly 2.0 has performed screen captures of victims, including by using a tool, scr.exe (which matched the hash of ScreenUtil).[46][47] |
S0062 | DustySky | |
S0593 | ECCENTRICBANDWAGON | ECCENTRICBANDWAGON can capture screenshots and store them locally.[49] |
S0363 | Empire | Empire is capable of capturing screenshots on Windows and macOS systems.[50] |
S0152 | EvilGrab | |
G0046 | FIN7 | |
S0182 | FinFisher | FinFisher takes a screenshot of the screen and displays it on top of all other windows for a few seconds, in an apparent attempt to hide messages shown by the system during the setup process.[53][54] |
S0143 | Flame | Flame can take regular screenshots when certain applications are open and send them to the command and control server.[55] |
S0277 | FruitFly | |
G0047 | Gamaredon Group | Gamaredon Group's malware can take screenshots of the compromised computer every minute.[57] |
S0032 | gh0st RAT | |
G0115 | GOLD SOUTHFIELD | GOLD SOUTHFIELD has used the remote monitoring and management tool ConnectWise to obtain screen captures from victims' machines.[59] |
S0417 | GRIFFON | GRIFFON has used a screenshot module that can be used to take a screenshot of the remote system.[60] |
G0043 | Group5 | Malware used by Group5 is capable of watching the victim's screen.[61] |
S0151 | HALFBAKED | |
S0431 | HotCroissant | HotCroissant has the ability to do real-time screen viewing on an infected host.[63] |
S0203 | Hydraq | Hydraq includes a component based on the code of VNC that can stream a live feed of the desktop of an infected host.[64] |
S0398 | HyperBro | |
S0260 | InvisiMole | InvisiMole can capture screenshots not only of the entire screen but also of each open window separately, in case they overlap.[66][67] |
S0163 | Janicab | Janicab captured screenshots and sent them out to a C2 server.[68][69] |
S0044 | JHUHUGIT | A JHUHUGIT variant takes screenshots by simulating the user pressing the "Take Screenshot" key (VK_SCREENSHOT), accessing the screenshot saved in the clipboard, and converting it to a JPG image.[70][71] |
S0283 | jRAT | jRAT has the capability to take screenshots of the victim’s machine.[72][73] |
S0088 | Kasidet | Kasidet has the ability to initiate keylogging and screen captures.[74] |
S0265 | Kazuar | |
S0387 | KeyBoy | |
S0271 | KEYMARBLE | KEYMARBLE can capture screenshots of the victim’s machine.[77] |
S0437 | Kivars | Kivars has the ability to capture screenshots on the infected host.[78] |
S0356 | KONNI | |
S0582 | LookBack | |
S0409 | Machete | |
S0282 | MacSpy | MacSpy can capture screenshots of the desktop over multiple monitors.[56] |
G0059 | Magic Hound | Magic Hound malware can take a screenshot and upload the file to its C2 server.[85] |
S0652 | MarkiRAT | MarkiRAT can capture screenshots that are initially saved as ‘scr.jpg’.[86] |
S0167 | Matryoshka | Matryoshka is capable of performing screen captures.[87][88] |
S0455 | Metamorfo | Metamorfo can collect screenshots of the victim’s machine.[89][90] |
S0339 | Micropsia | Micropsia takes screenshots every 90 seconds by calling the Gdi32.BitBlt API.[91] |
G0069 | MuddyWater | MuddyWater has used malware that can capture screenshots of the victim’s machine.[92] |
S0198 | NETWIRE | |
S0385 | njRAT | |
S0644 | ObliqueRAT | ObliqueRAT can capture a screenshot of the current screen.[98] |
S0340 | Octopus | Octopus can capture screenshots of the victim’s machine.[99][100][101] |
G0049 | OilRig | OilRig has a tool called CANDYKING to capture a screenshot of the user's desktop.[102] |
S0643 | Peppy | |
S0013 | PlugX | |
S0428 | PoetRAT | |
S0216 | POORAIM | |
S0194 | PowerSploit | PowerSploit's |
S0223 | POWERSTATS | POWERSTATS can retrieve screenshots from compromised hosts.[108][109] |
S0184 | POWRUNER | |
S0113 | Prikormka | Prikormka contains a module that captures screenshots of the victim's desktop.[111] |
S0279 | Proton | Proton captures the content of the desktop with the screencapture binary.[56] |
S0147 | Pteranodon | Pteranodon can capture screenshots at a configurable interval.[112] |
S0192 | Pupy | Pupy can drop a mouse-logger that takes small screenshots around each click and then sends them back to the server.[113] |
S0629 | RainyDay | |
S0458 | Ramsay | Ramsay can take screenshots every 30 seconds as well as when an external removable storage device is connected.[115] |
S0495 | RDAT | |
S0153 | RedLeaves | |
S0332 | Remcos | Remcos takes automated screenshots of the infected machine.[119] |
S0375 | Remexi | |
S0592 | RemoteUtilities | RemoteUtilities can take screenshots on a compromised host.[121] |
S0379 | Revenge RAT | Revenge RAT has a plugin for screen capture.[122] |
S0270 | RogueRobin | RogueRobin has a command named |
S0240 | ROKRAT | ROKRAT captures screenshots of the infected system using the gdi32 library.[124][125][126][127] |
S0090 | Rover | Rover takes screenshots of the compromised system's desktop and saves them to |
S0148 | RTM | |
S0546 | SharpStage | SharpStage has the ability to capture the victim's screen.[131][132] |
S0217 | SHUTTERSPEED | SHUTTERSPEED can capture screenshots.[44] |
G0091 | Silence | |
S0633 | Sliver | Sliver can take screenshots of the victim’s active display.[135] |
S0533 | SLOTHFULMEDIA | SLOTHFULMEDIA has taken a screenshot of a victim's desktop, named it "Filter3.jpg", and stored it in the local directory.[136] |
S0649 | SMOKEDHAM | SMOKEDHAM can capture screenshots of the victim’s desktop.[137][138] |
S0273 | Socksbot | |
S0380 | StoneDrill | StoneDrill can take screenshots.[140] |
S0098 | T9000 | T9000 can take screenshots of the desktop and target application windows, saving them to user directories as one-byte XOR-encrypted .dat files.[141] |
S0467 | TajMahal | TajMahal has the ability to take screenshots on an infected host, including capturing content from windows of instant messaging applications.[142] |
S0004 | TinyZBot | |
S0094 | Trojan.Karagany | Trojan.Karagany can take a desktop screenshot and save the file into |
S0647 | Turian | |
S0199 | TURNEDUP | |
S0275 | UPPERCUT | UPPERCUT can capture desktop screenshots in the PNG format and send them to the C2 server.[148] |
S0386 | Ursnif | |
S0476 | Valak | Valak has the ability to take screenshots on a compromised host.[151] |
S0257 | VERMIN | VERMIN can perform screen captures of the victim’s machine.[152] |
S0161 | XAgentOSX | XAgentOSX contains the takeScreenShot (along with startTakeScreenShot and stopTakeScreenShot) functions to take screenshots using the CGGetActiveDisplayList, CGDisplayCreateImage, and NSImage:initWithCGImage methods.[10] |
S0658 | XCSSET | XCSSET saves a screen capture of the victim's system with a numbered filename and |
S0248 | yty | |
S0251 | Zebrocy | A variant of Zebrocy captures screenshots of the victim’s machine in JPEG and BMP format.[28][155][156][157][158][159] |
S0330 | Zeus Panda | Zeus Panda can take screenshots of the victim’s machine.[160] |
S0086 | ZLib | ZLib has the ability to obtain screenshots of the compromised system.[161] |
S0412 | ZxShell | |
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
ID | Data Source | Data Component |
---|---|---|
DS0017 | Command | Command Execution |
DS0009 | Process | OS API Execution |
Monitoring for screen capture behavior will depend on the method used to obtain data from the operating system and write output files. Detection methods could include collecting information from unusual processes using API calls used to obtain image data, and monitoring for image files written to disk. The sensor data may need to be correlated with other events to identify malicious activity, depending on the legitimacy of this behavior within a given network environment.
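The correlation described above (a process calling a screen-capture API or launching a capture utility, followed shortly by an image file written by the same process, with expected screenshot tools suppressed), as an added example that is not part of the ATT&CK page: a small Python routine over constructed JSON-lines telemetry. The event field names, the allowlist and the sample process paths are assumptions; the API and utility names are the ones cited on this page.

```python
import json
from datetime import datetime, timedelta

# Screen-capture APIs and native utilities named on the page, case-folded.
CAPTURE_SIGNALS = {"bitblt", "copyfromscreen", "cgdisplaycreateimage", "xwd", "screencapture"}
IMAGE_EXTS = (".jpg", ".jpeg", ".png", ".bmp")
# Assumed allowlist of processes expected to capture the screen; tune per environment.
ALLOWLIST = {"snippingtool.exe", "screenclippinghost.exe"}

def basename(path):
    """Last path component, case-folded, for both Windows and POSIX paths."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def detect_screen_capture(events, window_seconds=60):
    """Correlate a per-process capture signal (API call or capture utility launch)
    with an image file written by the same pid within window_seconds."""
    last_signal = {}  # pid -> (timestamp, signal that was observed)
    alerts = []
    for ev in events:
        proc = basename(ev["image"])
        if proc in ALLOWLIST:
            continue  # expected screenshot behaviour for this process
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "api" and ev["api"].lower() in CAPTURE_SIGNALS:
            last_signal[ev["pid"]] = (ts, ev["api"])
        elif ev["type"] == "cmd" and basename(ev["cmdline"].split()[0]) in CAPTURE_SIGNALS:
            last_signal[ev["pid"]] = (ts, ev["cmdline"])
        elif ev["type"] == "file" and ev["path"].lower().endswith(IMAGE_EXTS):
            hit = last_signal.get(ev["pid"])
            if hit and ts - hit[0] <= timedelta(seconds=window_seconds):
                alerts.append((ev["pid"], proc, hit[1], ev["path"]))
    return alerts

# Constructed sample telemetry as JSON lines (not real sensor output).
SAMPLE_LOG = r"""
{"ts":"2021-09-01T10:00:00","pid":4242,"image":"C:\\Temp\\upd.exe","type":"api","api":"BitBlt"}
{"ts":"2021-09-01T10:00:02","pid":4242,"image":"C:\\Temp\\upd.exe","type":"file","path":"C:\\Temp\\scr.jpg"}
{"ts":"2021-09-01T10:01:00","pid":900,"image":"C:\\Windows\\System32\\SnippingTool.exe","type":"api","api":"BitBlt"}
{"ts":"2021-09-01T10:01:01","pid":900,"image":"C:\\Windows\\System32\\SnippingTool.exe","type":"file","path":"C:\\Users\\u\\Pictures\\cap.png"}
{"ts":"2021-09-01T10:02:00","pid":77,"image":"/bin/bash","type":"cmd","cmdline":"/usr/sbin/screencapture -x /tmp/.s.png"}
{"ts":"2021-09-01T10:02:01","pid":77,"image":"/bin/bash","type":"file","path":"/tmp/.s.png"}
{"ts":"2021-09-01T10:03:00","pid":5000,"image":"C:\\Temp\\a.exe","type":"api","api":"BitBlt"}
{"ts":"2021-09-01T10:10:00","pid":5000,"image":"C:\\Temp\\a.exe","type":"file","path":"C:\\Temp\\late.bmp"}
{"ts":"2021-09-01T10:11:00","pid":6000,"image":"C:\\Program Files\\App\\app.exe","type":"file","path":"C:\\Temp\\logo.png"}
"""

def run_sample():
    events = [json.loads(line) for line in SAMPLE_LOG.strip().splitlines()]
    return detect_screen_capture(events)
```

Of the five processes in the sample, only the temp-directory binary and the shell that launched screencapture are flagged: the allowlisted tool, the write that lands outside the window, and the image write with no preceding capture signal are suppressed.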