atomic-red-team/atomics/T1113/T1113.md
2019-09-03 20:11:38 +00:00


T1113 - Screen Capture

Description from ATT&CK

Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations.

Mac

On OSX, the native command screencapture is used to capture screenshots.

Linux

On Linux, there is the native command xwd. (Citation: Antiquated Mac Malware)

Atomic Tests


Atomic Test #1 - Screencapture

Use the screencapture command to collect a full desktop screenshot

Supported Platforms: macOS

Inputs

Name         Description       Type   Default Value
output_file  Output file path  Path   desktop.png

Run it with bash!

screencapture #{output_file}


Atomic Test #2 - Screencapture (silent)

Use the screencapture command with -x to collect a full desktop screenshot without playing the capture sound

Supported Platforms: macOS

Inputs

Name         Description       Type   Default Value
output_file  Output file path  Path   desktop.png

Run it with bash!

screencapture -x #{output_file}


Atomic Test #3 - X Windows Capture

Use the xwd command to collect a full desktop screenshot and review the file with xwud

Supported Platforms: Linux

Inputs

Name         Description       Type   Default Value
output_file  Output file path  Path   desktop.xwd

Run it with bash!

xwd -root -out #{output_file}
xwud -in #{output_file}


Atomic Test #4 - Import

Use the ImageMagick import command to collect a full desktop screenshot

Supported Platforms: Linux

Inputs

Name         Description       Type   Default Value
output_file  Output file path  Path   desktop.png

Run it with bash!

import -window root #{output_file}
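The four tests above each boil down to one command, but when you run them you want two more things: proof that the command actually wrote an image (an empty or truncated output file means the test silently failed, for example because no display was reachable), and a view of what the execution looks like in process telemetry. The script below is an added example written for this page; it is not part of the Atomic Red Team repository. It wraps the two Linux atomics (#3 xwd, #4 import), classifies an output file as PNG or XWD from its first bytes (screencapture on macOS and import write PNG, xwd writes its own XWD header with file version 7 in big-endian at offset 4, so the same check serves tests #1, #2 and #4), and greps auditd EXECVE records for the three tool names. The function names, the script name screencap_check.sh and the audit records are mine; the audit lines are constructed samples, not captured telemetry. Running the capture step assumes xwd and ImageMagick are installed and DISPLAY is set; the classification and detection functions need neither.

```shell
#!/bin/sh
# Added example, not part of the Atomic Red Team repo: run the Linux capture
# atomics (#3 xwd, #4 import) with a check that a real image was produced,
# classify a capture artifact by its magic bytes (covers the PNG output of
# macOS screencapture too), and flag the tool executions in audit EXECVE
# records. Assumes xwd/import on PATH and DISPLAY set for capture_root; the
# other functions need neither.

# Classify a file as png, xwd or unknown from its first 8 bytes.
# PNG signature: 89 50 4e 47 0d 0a 1a 0a.
# XWD: header_size (4 bytes, varies with the window name length) then
# file_version 7, both big-endian, so bytes 4..7 are 00 00 00 07.
screenshot_type() {
    f="$1"
    [ -s "$f" ] || { echo unknown; return 1; }
    sig=$(dd if="$f" bs=8 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    case "$sig" in
        89504e470d0a1a0a) echo png ;;
        ????????00000007) echo xwd ;;
        *) echo unknown; return 1 ;;
    esac
}

# Run one capture atomic; succeed only if a non-empty image of the type the
# tool should write came out. For import, $out must end in .png (ImageMagick
# picks the output format from the extension).
capture_root() {
    tool="$1"; out="$2"
    [ -n "$DISPLAY" ] || { echo "DISPLAY not set; nothing to capture" >&2; return 2; }
    case "$tool" in
        xwd)    xwd -root -out "$out" || return 1; want=xwd ;;
        import) import -window root "$out" || return 1; want=png ;;
        *)      echo "unknown tool: $tool" >&2; return 2 ;;
    esac
    got=$(screenshot_type "$out") || return 1
    [ "$got" = "$want" ]
}

# Detection side: print audit EXECVE records whose argv[0] is one of the
# capture tools used above, matching the basename so both "xwd" and
# "/usr/bin/xwd" are caught. Expect some noise from "import": any binary of
# that name matches, not only ImageMagick's.
flag_capture_execs() {
    grep -E 'a0="([^"]*/)?(xwd|import|screencapture)"'
}

# Constructed sample records (not real telemetry): two captures around a
# benign process.
SAMPLE_AUDIT='type=EXECVE msg=audit(1567541498.100:101): argc=4 a0="xwd" a1="-root" a2="-out" a3="desktop.xwd"
type=EXECVE msg=audit(1567541499.200:102): argc=2 a0="/bin/ls" a1="-la"
type=EXECVE msg=audit(1567541500.300:103): argc=4 a0="/usr/bin/import" a1="-window" a2="root" a3="desktop.png"'

count_capture_execs() {
    printf '%s\n' "$SAMPLE_AUDIT" | flag_capture_execs | wc -l | tr -d ' '
}

# Constructed 8-byte stand-ins for the two file types, so screenshot_type can
# be exercised on a box without an X display.
make_sample_png() { printf '\211PNG\r\n\032\n' > "$1"; }
make_sample_xwd() { printf '\000\000\000\144\000\000\000\007' > "$1"; }

# Usage: DISPLAY=:0 ./screencap_check.sh xwd desktop.xwd
if [ $# -eq 2 ]; then
    capture_root "$1" "$2"
fi
```

Two things worth keeping in mind when you reuse this. The XWD check deliberately ignores the first four bytes, because xwd's header_size is 100 plus the length of the window name string, so it differs from machine to machine. And the detection regex is only as good as the process logging feeding it: it catches the plain invocations these atomics use, but a capture done from inside a remote access tool's own process, as the ATT&CK description notes is common, never spawns xwd, import or screencapture at all, and has to be found from what the tool does next, such as the image files it writes or uploads.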