atomics/T1113/T1113.yaml

attack_technique: T1113
display_name: Screen Capture
atomic_tests:
- name: Screencapture
  auto_generated_guid: 0f47ceb1-720f-4275-96b8-21f0562217ac
  description: |
    Use screencapture command to collect a full desktop screenshot
  supported_platforms:
  - macos
  input_arguments:
    output_file:
      description: Output file path
      type: path
      default: /tmp/T1113_desktop.png
  executor:
    command: |
      screencapture #{output_file}
    cleanup_command: |
      rm #{output_file}
    name: bash
- name: Screencapture (silent)
  auto_generated_guid: deb7d358-5fbd-4dc4-aecc-ee0054d2d9a4
  description: |
    Use screencapture command to collect a full desktop screenshot
  supported_platforms:
  - macos
  input_arguments:
    output_file:
      description: Output file path
      type: path
      default: /tmp/T1113_desktop.png
  executor:
    command: |
      screencapture -x #{output_file}
    cleanup_command: |
      rm #{output_file}
    name: bash
- name: X Windows Capture
  auto_generated_guid: 8206dd0c-faf6-4d74-ba13-7fbe13dce6ac
  description: |
    Use xwd command to collect a full desktop screenshot and review file with xwud
  supported_platforms:
  - linux
  input_arguments:
    output_file:
      description: Output file path
      type: path
      default: /tmp/T1113_desktop.xwd
    package_checker:
      description: Package checking command for linux. Debian system command- dpkg -s x11-apps
      type: string
      default: rpm -q xorg-x11-apps
    package_installer:
      description: Package installer command for linux. Debian system command- apt-get install x11-apps
      type: string
      default: yum install -y xorg-x11-apps
  dependency_executor_name: bash
  dependencies:
  - description: |
      Package with XWD and XWUD must exist on device
    prereq_command: |
      if #{package_checker} > /dev/null; then exit 0; else exit 1; fi
    get_prereq_command: |
      sudo #{package_installer} 
  executor:
    command: |
      xwd -root -out #{output_file}
      xwud -in #{output_file}
    cleanup_command: |
      rm #{output_file}
    name: bash
- name: X Windows Capture (freebsd)
  auto_generated_guid: 562f3bc2-74e8-46c5-95c7-0e01f9ccc65c
  description: |
    Use xwd command to collect a full desktop screenshot and review file with xwud
  supported_platforms:
  - linux
  input_arguments:
    output_file:
      description: Output file path
      type: path
      default: /tmp/T1113_desktop.xwd
  dependency_executor_name: sh
  dependencies:
  - description: |
      Package with XWD and XWUD must exist on device
    prereq_command: |
      if [ -x "$(command -v xwd)" ]; then exit 0; else exit 1; fi
      if [ -x "$(command -v xwud)" ]; then exit 0; else exit 1; fi
    get_prereq_command: |
      pkg install -y xwd xwud 
  executor:
    command: |
      xwd -root -out #{output_file}
      xwud -in #{output_file}
    cleanup_command: |
      rm #{output_file}
    name: sh

- name: Capture Linux Desktop using Import Tool
  auto_generated_guid: 9cd1cccb-91e4-4550-9139-e20a586fcea1
  description: |
    Use import command from ImageMagick to collect a full desktop screenshot
  supported_platforms:
  - linux
  input_arguments:
    output_file:
      description: Output file path
      type: path
      default: /tmp/T1113_desktop.png
  dependencies:
  - description: |
      ImageMagick must be installed
    prereq_command: |
      if import -help > /dev/null 2>&1; then exit 0; else exit 1; fi
    get_prereq_command: |
      sudo apt install graphicsmagick-imagemagick-compat
  executor:
    command: |
      import -window root #{output_file}
    cleanup_command: |
      rm #{output_file}
    name: bash
- name: Capture Linux Desktop using Import Tool (freebsd)
  auto_generated_guid: 18397d87-38aa-4443-a098-8a48a8ca5d8d
  description: |
    Use import command from ImageMagick to collect a full desktop screenshot
  supported_platforms:
  - linux
  input_arguments:
    output_file:
      description: Output file path
      type: path
      default: /tmp/T1113_desktop.png
  dependencies:
  - description: |
      ImageMagick must be installed
    prereq_command: |
      if import -help > /dev/null 2>&1; then exit 0; else exit 1; fi
    get_prereq_command: |
      pkg install -y ImageMagick7
  executor:
    command: |
      import -window root #{output_file}
    cleanup_command: |
      rm #{output_file}
    name: sh
- name: Windows Screencapture
  auto_generated_guid: 3c898f62-626c-47d5-aad2-6de873d69153
  description: |
    Use Psr.exe binary to collect screenshots of user display. Test will do left mouse click to simulate user behaviour
  supported_platforms:
  - windows
  input_arguments:
    output_file:
      description: Output file path
      type: path
      default: c:\temp\T1113_desktop.zip
    recording_time:
      description: Time to take screenshots
      type: integer
      default: 5
  executor:
    name: powershell
    elevation_required: false
    command: |
      cmd /c start /b psr.exe /start /output #{output_file} /sc 1 /gui 0 /stopevent 12
      Add-Type -MemberDefinition '[DllImport("user32.dll")] public static extern void mouse_event(int flags, int dx, int dy, int cButtons, int info);' -Name U32 -Namespace W;
      [W.U32]::mouse_event(0x02 -bor 0x04 -bor 0x01, 0, 0, 0, 0);
      cmd /c "timeout #{recording_time} > NULL && psr.exe /stop"
    cleanup_command: |
      rm #{output_file} -ErrorAction Ignore
- name: Windows Screen Capture (CopyFromScreen)
  auto_generated_guid: e9313014-985a-48ef-80d9-cde604ffc187
  description: |
    Take a screen capture of the desktop through a call to the [Graphics.CopyFromScreen] .NET API.

    [Graphics.CopyFromScreen]: https://docs.microsoft.com/en-us/dotnet/api/system.drawing.graphics.copyfromscreen
  supported_platforms:
  - windows
  input_arguments:
    output_file:
      description: Path where captured results will be placed
      type: path
      default: $env:TEMP\T1113.png
  executor:
    command: |
      Add-Type -AssemblyName System.Windows.Forms
      $screen = [Windows.Forms.SystemInformation]::VirtualScreen
      $bitmap = New-Object Drawing.Bitmap $screen.Width, $screen.Height
      $graphic = [Drawing.Graphics]::FromImage($bitmap)
      $graphic.CopyFromScreen($screen.Left, $screen.Top, 0, 0, $bitmap.Size)
      $bitmap.Save("#{output_file}")
    cleanup_command: |
      Remove-Item #{output_file} -ErrorAction Ignore
    name: powershell
- name: Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted
  auto_generated_guid: 5a496325-0115-4274-8eb9-755b649ad0fb
  description: |-
    Detects the enabling of the Windows Recall feature via registry manipulation. Windows Recall can be enabled by deleting the existing "DisableAIDataAnalysis" registry value. Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities. This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary. 
    - https://learn.microsoft.com/en-us/windows/client-management/manage-recall
    - https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsai#disableaidataanalysis
  supported_platforms:
  - windows
  executor:
    command: |
      reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsAI" /v DisableAIDataAnalysis /t REG_DWORD /d 0 /f
      reg delete "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsAI" /v DisableAIDataAnalysis /f
    cleanup_command: |
      reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsAI" /v DisableAIDataAnalysis /t REG_DWORD /d 1 /f
    name: powershell
    elevation_required: true
Revert "clean up" 2018-05-12 23:12:44 +02:00			`attack_technique: T1113`
			`display_name: Screen Capture`
			`atomic_tests:`
			`- name: Screencapture`
Generate docs from job=validate_atomics_generate_docs branch=master 2020-05-15 17:19:25 +00:00			`auto_generated_guid: 0f47ceb1-720f-4275-96b8-21f0562217ac`
Revert "clean up" 2018-05-12 23:12:44 +02:00			`description: \|`
			`Use screencapture command to collect a full desktop screenshot`
			`supported_platforms:`
Convert to Mitre ATT&CK sub-technique schema (#1056 ) 2020-06-17 12:55:46 -06:00			`- macos`
Revert "clean up" 2018-05-12 23:12:44 +02:00			`input_arguments:`
			`output_file:`
removing descriptions of xxx (left over from template) (#546 ) 2019-09-03 14:11:18 -06:00			`description: Output file path`
fix: Updating atomics YAML file structure to align with the new JSON schema definition (#2323 ) 2023-02-13 17:10:37 -06:00			`type: path`
Added dependencies and fixed tests for linux and macOS (#973 ) 2020-05-06 09:22:48 -07:00			`default: /tmp/T1113_desktop.png`
Revert "clean up" 2018-05-12 23:12:44 +02:00			`executor:`
Atomic test bug fixes/consistency improvements (#884 ) 2020-03-16 17:32:25 -04:00			`command: \|`
			`screencapture #{output_file}`
Added dependencies and fixed tests for linux and macOS (#973 ) 2020-05-06 09:22:48 -07:00			`cleanup_command: \|`
			`rm #{output_file}`
Convert to Mitre ATT&CK sub-technique schema (#1056 ) 2020-06-17 12:55:46 -06:00			`name: bash`
Revert "clean up" 2018-05-12 23:12:44 +02:00			`- name: Screencapture (silent)`
Generate docs from job=validate_atomics_generate_docs branch=master 2020-05-15 17:19:25 +00:00			`auto_generated_guid: deb7d358-5fbd-4dc4-aecc-ee0054d2d9a4`
Revert "clean up" 2018-05-12 23:12:44 +02:00			`description: \|`
			`Use screencapture command to collect a full desktop screenshot`
			`supported_platforms:`
Convert to Mitre ATT&CK sub-technique schema (#1056 ) 2020-06-17 12:55:46 -06:00			`- macos`
Revert "clean up" 2018-05-12 23:12:44 +02:00			`input_arguments:`
			`output_file:`
removing descriptions of xxx (left over from template) (#546 ) 2019-09-03 14:11:18 -06:00			`description: Output file path`
fix: Updating atomics YAML file structure to align with the new JSON schema definition (#2323 ) 2023-02-13 17:10:37 -06:00			`type: path`
Added dependencies and fixed tests for linux and macOS (#973 ) 2020-05-06 09:22:48 -07:00			`default: /tmp/T1113_desktop.png`
Revert "clean up" 2018-05-12 23:12:44 +02:00			`executor:`
Atomic test bug fixes/consistency improvements (#884 ) 2020-03-16 17:32:25 -04:00			`command: \|`
			`screencapture -x #{output_file}`
Added dependencies and fixed tests for linux and macOS (#973 ) 2020-05-06 09:22:48 -07:00			`cleanup_command: \|`
			`rm #{output_file}`
Convert to Mitre ATT&CK sub-technique schema (#1056 ) 2020-06-17 12:55:46 -06:00			`name: bash`
Revert "clean up" 2018-05-12 23:12:44 +02:00			`- name: X Windows Capture`
Generate docs from job=validate_atomics_generate_docs branch=master 2020-05-15 17:19:25 +00:00			`auto_generated_guid: 8206dd0c-faf6-4d74-ba13-7fbe13dce6ac`
Revert "clean up" 2018-05-12 23:12:44 +02:00			`description: \|`
			`Use xwd command to collect a full desktop screenshot and review file with xwud`
			`supported_platforms:`
Convert to Mitre ATT&CK sub-technique schema (#1056 ) 2020-06-17 12:55:46 -06:00			`- linux`
Revert "clean up" 2018-05-12 23:12:44 +02:00			`input_arguments:`
			`output_file:`
removing descriptions of xxx (left over from template) (#546 ) 2019-09-03 14:11:18 -06:00			`description: Output file path`
fix: Updating atomics YAML file structure to align with the new JSON schema definition (#2323 ) 2023-02-13 17:10:37 -06:00			`type: path`
Added dependencies and fixed tests for linux and macOS (#973 ) 2020-05-06 09:22:48 -07:00			`default: /tmp/T1113_desktop.xwd`
T1113 x windows capture prereqs (#1382 ) 2021-02-09 12:51:53 -06:00			`package_checker:`
			`description: Package checking command for linux. Debian system command- dpkg -s x11-apps`
fix: Updating atomics YAML file structure to align with the new JSON schema definition (#2323 ) 2023-02-13 17:10:37 -06:00			`type: string`
T1113 x windows capture prereqs (#1382 ) 2021-02-09 12:51:53 -06:00			`default: rpm -q xorg-x11-apps`
			`package_installer:`
			`description: Package installer command for linux. Debian system command- apt-get install x11-apps`
fix: Updating atomics YAML file structure to align with the new JSON schema definition (#2323 ) 2023-02-13 17:10:37 -06:00			`type: string`
T1113 x windows capture prereqs (#1382 ) 2021-02-09 12:51:53 -06:00			`default: yum install -y xorg-x11-apps`
			`dependency_executor_name: bash`
			`dependencies:`
			`- description: \|`
			`Package with XWD and XWUD must exist on device`
			`prereq_command: \|`
			`if #{package_checker} > /dev/null; then exit 0; else exit 1; fi`
			`get_prereq_command: \|`
			`sudo #{package_installer}`
Revert "clean up" 2018-05-12 23:12:44 +02:00			`executor:`
			`command: \|`
			`xwd -root -out #{output_file}`
			`xwud -in #{output_file}`
Added dependencies and fixed tests for linux and macOS (#973 ) 2020-05-06 09:22:48 -07:00			`cleanup_command: \|`
			`rm #{output_file}`
Convert to Mitre ATT&CK sub-technique schema (#1056 ) 2020-06-17 12:55:46 -06:00			`name: bash`
Add FreeBSD support 2023-05-08 11:06:08 -05:00			`- name: X Windows Capture (freebsd)`
Generate GUIDs from job=generate-docs branch=master [skip ci] 2023-11-02 00:56:30 +00:00			`auto_generated_guid: 562f3bc2-74e8-46c5-95c7-0e01f9ccc65c`
Add FreeBSD support 2023-05-08 11:06:08 -05:00			`description: \|`
			`Use xwd command to collect a full desktop screenshot and review file with xwud`
			`supported_platforms:`
FreeBSD changes (#2585 ) 2023-11-06 17:41:43 -05:00			`- linux`
Add FreeBSD support 2023-05-08 11:06:08 -05:00			`input_arguments:`
			`output_file:`
			`description: Output file path`
			`type: path`
			`default: /tmp/T1113_desktop.xwd`
			`dependency_executor_name: sh`
			`dependencies:`
			`- description: \|`
			`Package with XWD and XWUD must exist on device`
			`prereq_command: \|`
			`if [ -x "$(command -v xwd)" ]; then exit 0; else exit 1; fi`
			`if [ -x "$(command -v xwud)" ]; then exit 0; else exit 1; fi`
			`get_prereq_command: \|`
			`pkg install -y xwd xwud`
			`executor:`
			`command: \|`
			`xwd -root -out #{output_file}`
			`xwud -in #{output_file}`
			`cleanup_command: \|`
			`rm #{output_file}`
			`name: sh`

Update T1113.yaml (#1256 ) 2020-10-13 20:21:21 -06:00			`- name: Capture Linux Desktop using Import Tool`
Generate docs from job=validate_atomics_generate_docs branch=master 2020-05-15 17:19:25 +00:00			`auto_generated_guid: 9cd1cccb-91e4-4550-9139-e20a586fcea1`
Revert "clean up" 2018-05-12 23:12:44 +02:00			`description: \|`
Update T1113.yaml (#1256 ) 2020-10-13 20:21:21 -06:00			`Use import command from ImageMagick to collect a full desktop screenshot`
Revert "clean up" 2018-05-12 23:12:44 +02:00			`supported_platforms:`
Convert to Mitre ATT&CK sub-technique schema (#1056 ) 2020-06-17 12:55:46 -06:00			`- linux`
Revert "clean up" 2018-05-12 23:12:44 +02:00			`input_arguments:`
			`output_file:`
removing descriptions of xxx (left over from template) (#546 ) 2019-09-03 14:11:18 -06:00			`description: Output file path`
fix: Updating atomics YAML file structure to align with the new JSON schema definition (#2323 ) 2023-02-13 17:10:37 -06:00			`type: path`
Added dependencies and fixed tests for linux and macOS (#973 ) 2020-05-06 09:22:48 -07:00			`default: /tmp/T1113_desktop.png`
Update T1113.yaml (#1256 ) 2020-10-13 20:21:21 -06:00			`dependencies:`
			`- description: \|`
			`ImageMagick must be installed`
			`prereq_command: \|`
fix for install and check (#1452 ) 2021-04-29 16:44:35 -06:00			`if import -help > /dev/null 2>&1; then exit 0; else exit 1; fi`
Update T1113.yaml (#1256 ) 2020-10-13 20:21:21 -06:00			`get_prereq_command: \|`
fix prereq for screenshot test (#1805 ) 2022-03-09 14:02:31 -07:00			`sudo apt install graphicsmagick-imagemagick-compat`
Revert "clean up" 2018-05-12 23:12:44 +02:00			`executor:`
Atomic test bug fixes/consistency improvements (#884 ) 2020-03-16 17:32:25 -04:00			`command: \|`
			`import -window root #{output_file}`
Added dependencies and fixed tests for linux and macOS (#973 ) 2020-05-06 09:22:48 -07:00			`cleanup_command: \|`
			`rm #{output_file}`
Convert to Mitre ATT&CK sub-technique schema (#1056 ) 2020-06-17 12:55:46 -06:00			`name: bash`
Add FreeBSD support 2023-05-08 11:06:08 -05:00			`- name: Capture Linux Desktop using Import Tool (freebsd)`
Generate GUIDs from job=generate-docs branch=master [skip ci] 2023-11-02 00:56:30 +00:00			`auto_generated_guid: 18397d87-38aa-4443-a098-8a48a8ca5d8d`
Add FreeBSD support 2023-05-08 11:06:08 -05:00			`description: \|`
			`Use import command from ImageMagick to collect a full desktop screenshot`
			`supported_platforms:`
FreeBSD changes (#2585 ) 2023-11-06 17:41:43 -05:00			`- linux`
Add FreeBSD support 2023-05-08 11:06:08 -05:00			`input_arguments:`
			`output_file:`
			`description: Output file path`
			`type: path`
			`default: /tmp/T1113_desktop.png`
			`dependencies:`
			`- description: \|`
			`ImageMagick must be installed`
			`prereq_command: \|`
			`if import -help > /dev/null 2>&1; then exit 0; else exit 1; fi`
			`get_prereq_command: \|`
			`pkg install -y ImageMagick7`
			`executor:`
			`command: \|`
			`import -window root #{output_file}`
			`cleanup_command: \|`
			`rm #{output_file}`
			`name: sh`
Merge OSCD branch into master (#1273 ) 2020-10-29 22:54:55 -06:00			`- name: Windows Screencapture`
			`auto_generated_guid: 3c898f62-626c-47d5-aad2-6de873d69153`
			`description: \|`
			`Use Psr.exe binary to collect screenshots of user display. Test will do left mouse click to simulate user behaviour`
			`supported_platforms:`
fix: Updating atomics YAML file structure to align with the new JSON schema definition (#2323 ) 2023-02-13 17:10:37 -06:00			`- windows`
Merge OSCD branch into master (#1273 ) 2020-10-29 22:54:55 -06:00			`input_arguments:`
			`output_file:`
			`description: Output file path`
fix: Updating atomics YAML file structure to align with the new JSON schema definition (#2323 ) 2023-02-13 17:10:37 -06:00			`type: path`
Merge OSCD branch into master (#1273 ) 2020-10-29 22:54:55 -06:00			`default: c:\temp\T1113_desktop.zip`
			`recording_time:`
			`description: Time to take screenshots`
Atomic Red Team - JSON Schema Validation CI (#2303 ) 2023-05-12 16:33:47 -05:00			`type: integer`
Merge OSCD branch into master (#1273 ) 2020-10-29 22:54:55 -06:00			`default: 5`
			`executor:`
			`name: powershell`
			`elevation_required: false`
			`command: \|`
			`cmd /c start /b psr.exe /start /output #{output_file} /sc 1 /gui 0 /stopevent 12`
			`Add-Type -MemberDefinition '[DllImport("user32.dll")] public static extern void mouse_event(int flags, int dx, int dy, int cButtons, int info);' -Name U32 -Namespace W;`
			`[W.U32]::mouse_event(0x02 -bor 0x04 -bor 0x01, 0, 0, 0, 0);`
			`cmd /c "timeout #{recording_time} > NULL && psr.exe /stop"`
			`cleanup_command: \|`
T1113 x windows capture prereqs (#1382 ) 2021-02-09 12:51:53 -06:00			`rm #{output_file} -ErrorAction Ignore`
Add T1113 test for CopyFromScreen API (#1610 ) 2021-08-23 23:06:58 +02:00			`- name: Windows Screen Capture (CopyFromScreen)`
Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci] 2021-08-23 21:07:15 +00:00			`auto_generated_guid: e9313014-985a-48ef-80d9-cde604ffc187`
Add T1113 test for CopyFromScreen API (#1610 ) 2021-08-23 23:06:58 +02:00			`description: \|`
			`Take a screen capture of the desktop through a call to the [Graphics.CopyFromScreen] .NET API.`

			`[Graphics.CopyFromScreen]: https://docs.microsoft.com/en-us/dotnet/api/system.drawing.graphics.copyfromscreen`
			`supported_platforms:`
			`- windows`
			`input_arguments:`
			`output_file:`
			`description: Path where captured results will be placed`
fix: Updating atomics YAML file structure to align with the new JSON schema definition (#2323 ) 2023-02-13 17:10:37 -06:00			`type: path`
Add T1113 test for CopyFromScreen API (#1610 ) 2021-08-23 23:06:58 +02:00			`default: $env:TEMP\T1113.png`
			`executor:`
			`command: \|`
			`Add-Type -AssemblyName System.Windows.Forms`
			`$screen = [Windows.Forms.SystemInformation]::VirtualScreen`
			`$bitmap = New-Object Drawing.Bitmap $screen.Width, $screen.Height`
			`$graphic = [Drawing.Graphics]::FromImage($bitmap)`
			`$graphic.CopyFromScreen($screen.Left, $screen.Top, 0, 0, $bitmap.Size)`
			`$bitmap.Save("#{output_file}")`
			`cleanup_command: \|`
			`Remove-Item #{output_file} -ErrorAction Ignore`
			`name: powershell`
Update T1113.yaml (#2827 ) 2024-07-10 20:35:09 +05:30			`- name: Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted`
Generated docs from job=generate-docs branch=master [ci skip] 2024-07-10 15:06:29 +00:00			`auto_generated_guid: 5a496325-0115-4274-8eb9-755b649ad0fb`
Update T1113.yaml (#2827 ) 2024-07-10 20:35:09 +05:30			`description: \|-`
			`Detects the enabling of the Windows Recall feature via registry manipulation. Windows Recall can be enabled by deleting the existing "DisableAIDataAnalysis" registry value. Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities. This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.`
			`- https://learn.microsoft.com/en-us/windows/client-management/manage-recall`
			`- https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsai#disableaidataanalysis`
			`supported_platforms:`
			`- windows`
			`executor:`
			`command: \|`
Fix: mistake in T1113-9 (#3073 ) 2025-03-06 08:49:52 +08:00			`reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsAI" /v DisableAIDataAnalysis /t REG_DWORD /d 0 /f`
Update T1113.yaml (#2827 ) 2024-07-10 20:35:09 +05:30			`reg delete "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsAI" /v DisableAIDataAnalysis /f`
			`cleanup_command: \|`
			`reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsAI" /v DisableAIDataAnalysis /t REG_DWORD /d 1 /f`
			`name: powershell`
			`elevation_required: true`