CircleCI Atomic Red Team doc generator
109 lines
2.3 KiB
Markdown
109 lines
2.3 KiB
Markdown
# T1113 - Screen Capture
|
|
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1113)
|
|
<blockquote>Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations.
|
|
|
|
### Mac
|
|
|
|
On OSX, the native command <code>screencapture</code> is used to capture screenshots.
|
|
|
|
### Linux
|
|
|
|
On Linux, there is the native command <code>xwd</code>. (Citation: Antiquated Mac Malware)</blockquote>
|
|
|
|
## Atomic Tests
|
|
|
|
- [Atomic Test #1 - Screencapture](#atomic-test-1---screencapture)
|
|
|
|
- [Atomic Test #2 - Screencapture (silent)](#atomic-test-2---screencapture-silent)
|
|
|
|
- [Atomic Test #3 - X Windows Capture](#atomic-test-3---x-windows-capture)
|
|
|
|
- [Atomic Test #4 - Import](#atomic-test-4---import)
|
|
|
|
|
|
<br/>
|
|
|
|
## Atomic Test #1 - Screencapture
|
|
Use screencapture command to collect a full desktop screenshot
|
|
|
|
**Supported Platforms:** macOS
|
|
|
|
|
|
#### Inputs
|
|
| Name | Description | Type | Default Value |
|
|
|------|-------------|------|---------------|
|
|
| output_file | Output file path | Path | desktop.png|
|
|
|
|
#### Run it with `bash`!
|
|
```
|
|
screencapture
|
|
```
|
|
|
|
|
|
|
|
<br/>
|
|
<br/>
|
|
|
|
## Atomic Test #2 - Screencapture (silent)
|
|
Use screencapture command to collect a full desktop screenshot
|
|
|
|
**Supported Platforms:** macOS
|
|
|
|
|
|
#### Inputs
|
|
| Name | Description | Type | Default Value |
|
|
|------|-------------|------|---------------|
|
|
| output_file | Output file path | Path | desktop.png|
|
|
|
|
#### Run it with `bash`!
|
|
```
|
|
screencapture -x
|
|
```
|
|
|
|
|
|
|
|
<br/>
|
|
<br/>
|
|
|
|
## Atomic Test #3 - X Windows Capture
|
|
Use xwd command to collect a full desktop screenshot and review file with xwud
|
|
|
|
**Supported Platforms:** Linux
|
|
|
|
|
|
#### Inputs
|
|
| Name | Description | Type | Default Value |
|
|
|------|-------------|------|---------------|
|
|
| output_file | Output file path | Path | desktop.xwd|
|
|
|
|
#### Run it with `bash`!
|
|
```
|
|
xwd -root -out #{output_file}
|
|
xwud -in #{output_file}
|
|
```
|
|
|
|
|
|
|
|
<br/>
|
|
<br/>
|
|
|
|
## Atomic Test #4 - Import
|
|
Use import command to collect a full desktop screenshot
|
|
|
|
**Supported Platforms:** Linux
|
|
|
|
|
|
#### Inputs
|
|
| Name | Description | Type | Default Value |
|
|
|------|-------------|------|---------------|
|
|
| output_file | Output file path | Path | desktop.png|
|
|
|
|
#### Run it with `bash`!
|
|
```
|
|
import -window root
|
|
```
|
|
|
|
|
|
|
|
<br/>
|