| Source | File | Matched line | License |
|---|---|---|---|
| sigma | lnx_auditd_screencapture_import.yml | description: Detects an adversary creating a screen capture of the desktop with the ImageMagick `import` tool. Using this rule on servers is highly recommended, because screenshot utilities are used heavily on user workstations. ImageMagick must be installed. | DRL 1.0 |
| sigma | lnx_auditd_screencapture_import.yml | - Legitimate use of screenshot utility | DRL 1.0 |
| sigma | lnx_auditd_screencaputre_xwd.yml | description: Detects an adversary creating a screen capture of the full desktop with `xwd`. Using this rule on servers is highly recommended, because screenshot utilities are used heavily on user workstations. | DRL 1.0 |
| sigma | lnx_auditd_screencaputre_xwd.yml | - Legitimate use of screenshot utility | DRL 1.0 |
| sigma | proc_creation_macos_screencapture.yml | - https://github.com/BC-SECURITY/Empire/blob/master/lib/modules/python/collection/osx/screenshot.py | DRL 1.0 |
| sigma | file_event_win_powershell_exploit_scripts.yml | `- '\Get-Screenshot.ps1'` | DRL 1.0 |
| sigma | posh_ps_malicious_commandlets.yml | `- 'Get-Screenshot'` | DRL 1.0 |
| sigma | proc_creation_win_proc_wrong_parent.yml | - https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/ | DRL 1.0 |
| malware-ioc | keydnap | \| 78ba1152ef3883e63f10c3a85cbf00f2bb305a6a \| screenshot_2016-06-28-01.jpg \| 2016-06-28 \| hxxp://freesafesoft.com/icloudsyncd \| BlackHat-TDS Panel screenshot | © ESET 2014-2018 |
| malware-ioc | keydnap | \| 773a82343367b3d09965f6f09cc9887e7f8f01bf \| screenshot.jpg \| 2016-05-07 \| hxxp://dev.aneros.com/media/icloudsyncd \| Firefox 20 about screenshot | © ESET 2014-2018 |
| malware-ioc | rtm | screenshot | © ESET 2014-2018 |
| atomic-red-team | T1113.md | <blockquote>Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as CopyFromScreen, xwd, or screencapture. (Citation: CopyFromScreen .NET)(Citation: Antiquated Mac Malware) | MIT License. © 2018 Red Canary |
| atomic-red-team | T1113.md | Use the `screencapture` command to collect a full desktop screenshot | MIT License. © 2018 Red Canary |
| atomic-red-team | T1113.md | Use the `xwd` command to collect a full desktop screenshot and review the file with `xwud` | MIT License. © 2018 Red Canary |
| atomic-red-team | T1113.md | Use the `import` command from ImageMagick to collect a full desktop screenshot | MIT License. © 2018 Red Canary |
| signature-base | apt_freemilk.yar | `$s1 = "failed to take the screenshot. err: %d" fullword ascii` | CC BY-NC 4.0 |
| signature-base | apt_fvey_shadowbroker_jan17.yar | Identifier: ShadowBroker Screenshot Rules | CC BY-NC 4.0 |
| signature-base | crime_fireball.yar | `$s2 = "ScreenShot" fullword wide` | CC BY-NC 4.0 |
| signature-base | gen_crimson_rat.yar | `$x5 = "/screen » ScreenShot from target PC" fullword wide` | CC BY-NC 4.0 |
| signature-base | gen_rats_malwareconfig.yar | `$string4 = "screens\screenshot" wide` | CC BY-NC 4.0 |
| stockpile | 316251ed-6a28-4013-812b-ddf5b5b007f8.yml | `- source: host.screenshot.png` | Apache-2.0 |
| stockpile | 316251ed-6a28-4013-812b-ddf5b5b007f8.yml | `function screenshot([Drawing.Rectangle]$bounds, $path) {` | Apache-2.0 |
| stockpile | 316251ed-6a28-4013-812b-ddf5b5b007f8.yml | `$dest = "$HOME\Desktop\screenshot.png";` | Apache-2.0 |
| stockpile | 316251ed-6a28-4013-812b-ddf5b5b007f8.yml | `screenshot $bounds $dest;` | Apache-2.0 |
| stockpile | 316251ed-6a28-4013-812b-ddf5b5b007f8.yml | `$filePath = "$HOME\Desktop\screenshot.png";` | Apache-2.0 |
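The two Sigma auditd rules and the three atomic tests above are two sides of the same T1113 technique: the attacker runs `import -window root`, `xwd -root` or `screencapture`, and the defender looks for those argument patterns in auditd `EXECVE` records. The block below is an added example, not code from the Sigma or Atomic Red Team projects. It mirrors the Linux rules only (the macOS `screencapture` rule uses a process-creation source, not auditd), and the `a0`/`a1`/`a2` selections are assumed from the rule descriptions on this page, since the rule bodies are not shown here. The auditd lines are constructed, including one record whose argument auditd would hex-encode because it contains a space; a naive matcher that only reads quoted `aN="..."` fields silently misses such records.

```python
"""Flag screen-capture execve() records the way the Sigma auditd rules above do."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    selection: dict  # Sigma-style field=value pairs; all must match (AND)


# ASSUMED selections, reconstructed from the rule descriptions on this page;
# they illustrate the technique and are not the published rule bodies.
RULES = [
    Rule("lnx_auditd_screencapture_import", {"a0": "import", "a1": "-window", "a2": "root"}),
    Rule("lnx_auditd_screencaputre_xwd", {"a0": "xwd", "a1": "-root"}),
]

# Constructed sample records (not real captures). Serial 203 carries a hex-encoded
# a3, which is how auditd emits an argument containing whitespace or quotes.
SAMPLE_LOG = """\
type=EXECVE msg=audit(1623000000.101:201): argc=4 a0="import" a1="-window" a2="root" a3="/tmp/s.png"
type=EXECVE msg=audit(1623000000.102:202): argc=3 a0="xwd" a1="-root" a2="-silent"
type=EXECVE msg=audit(1623000000.103:203): argc=4 a0="import" a1="-window" a2="root" a3=2F746D702F73686F7420312E706E67
type=EXECVE msg=audit(1623000000.104:204): argc=2 a0="import" a1="logo.svg"
type=EXECVE msg=audit(1623000000.105:205): argc=2 a0="xwd" a1="-id"
type=SYSCALL msg=audit(1623000000.101:201): arch=c000003e syscall=59 success=yes exit=0
"""

# Record header: type=EXECVE msg=audit(<epoch>:<serial>): ...
EXECVE_RE = re.compile(r"^type=EXECVE msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):")
# aN="quoted" for printable args, aN=<hex> when auditd hex-encodes the value.
ARG_RE = re.compile(r'\ba(?P<idx>\d+)=(?:"(?P<quoted>[^"]*)"|(?P<hex>[0-9A-Fa-f]+))')


def decode_arg(quoted, hexval):
    """Return the argument text; hex-encoded values are decoded to bytes, then UTF-8."""
    if quoted is not None:
        return quoted
    return bytes.fromhex(hexval).decode("utf-8", "replace")


def parse_execve(line):
    """Parse one EXECVE record into {'serial', 'argv', 'a0', 'a1', ...}; None for other types."""
    m = EXECVE_RE.match(line)
    if not m:
        return None
    args = {}
    for a in ARG_RE.finditer(line, m.end()):
        args[int(a.group("idx"))] = decode_arg(a.group("quoted"), a.group("hex"))
    argv = [args[i] for i in sorted(args)]
    record = {"serial": m.group("serial"), "argv": argv}
    record.update({f"a{i}": v for i, v in args.items()})
    return record


def matches(rule, record):
    """Sigma default semantics: every selection field must equal its value, case-insensitively."""
    return all(str(record.get(fld, "")).lower() == val.lower() for fld, val in rule.selection.items())


def detect(log_text):
    """Run every rule over every EXECVE record; return (serial, rule name, argv) per hit."""
    hits = []
    for line in log_text.splitlines():
        record = parse_execve(line)
        if record is None:
            continue
        for rule in RULES:
            if matches(rule, record):
                hits.append((record["serial"], rule.name, record["argv"]))
    return hits


if __name__ == "__main__":
    for serial, name, argv in detect(SAMPLE_LOG):
        print(f"audit serial {serial}: {name} matched argv={argv}")
```

Records 201, 202 and 203 fire; 204 (`import` converting an image file) and 205 (`xwd -id`, a single-window dump) do not, which is the false-positive boundary the rules' own `falsepositives` entries describe. Without the hex branch in `decode_arg`, record 203 would still match here because its selection fields are quoted, but the captured output path would be lost; on a real host where the binary path or a leading argument is hex-encoded, the match itself is lost.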