CircleCI Atomic Red Team doc generator
4.7 KiB
4.7 KiB
T1113 - Screen Capture
Description from ATT&CK
Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such asCopyFromScreen,xwd, orscreencapture.(Citation: CopyFromScreen .NET)(Citation: Antiquated Mac Malware)
Atomic Tests
Atomic Test #1 - Screencapture
Use screencapture command to collect a full desktop screenshot
Supported Platforms: macOS
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| output_file | Output file path | Path | /tmp/T1113_desktop.png |
Attack Commands: Run with bash!
screencapture #{output_file}
Cleanup Commands:
rm #{output_file}
Atomic Test #2 - Screencapture (silent)
Use screencapture command to collect a full desktop screenshot
Supported Platforms: macOS
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| output_file | Output file path | Path | /tmp/T1113_desktop.png |
Attack Commands: Run with bash!
screencapture -x #{output_file}
Cleanup Commands:
rm #{output_file}
Atomic Test #3 - X Windows Capture
Use xwd command to collect a full desktop screenshot and review file with xwud
Supported Platforms: Linux
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| output_file | Output file path | Path | /tmp/T1113_desktop.xwd |
| package_checker | Package checking command for linux. Debian system command- dpkg -s x11-apps | string | rpm -q xorg-x11-apps |
| package_installer | Package installer command for linux. Debian system command- apt-get install x11-apps | string | yum install -y xorg-x11-apps |
Attack Commands: Run with bash!
xwd -root -out #{output_file}
xwud -in #{output_file}
Cleanup Commands:
rm #{output_file}
Dependencies: Run with bash!
Description: Package with XWD and XWUD must exist on device
Check Prereq Commands:
if #{package_checker} > /dev/null; then exit 0; else exit 1; fi
Get Prereq Commands:
sudo #{package_installer}
Atomic Test #4 - Capture Linux Desktop using Import Tool
Use import command from ImageMagick to collect a full desktop screenshot
Supported Platforms: Linux
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| output_file | Output file path | Path | /tmp/T1113_desktop.png |
Attack Commands: Run with bash!
import -window root #{output_file}
Cleanup Commands:
rm #{output_file}
Dependencies: Run with bash!
Description: ImageMagick must be installed
Check Prereq Commands:
if import --version; then exit 0; else exit 1; fi
Get Prereq Commands:
sudo apt-get -y install imagemagick
Atomic Test #5 - Windows Screencapture
Use Psr.exe binary to collect screenshots of user display. Test will do left mouse click to simulate user behaviour
Supported Platforms: Windows
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| output_file | Output file path | Path | c:\temp\T1113_desktop.zip |
| recording_time | Time to take screenshots | String | 5 |
Attack Commands: Run with powershell!
cmd /c start /b psr.exe /start /output #{output_file} /sc 1 /gui 0 /stopevent 12
Add-Type -MemberDefinition '[DllImport("user32.dll")] public static extern void mouse_event(int flags, int dx, int dy, int cButtons, int info);' -Name U32 -Namespace W;
[W.U32]::mouse_event(0x02 -bor 0x04 -bor 0x01, 0, 0, 0, 0);
cmd /c "timeout #{recording_time} > NULL && psr.exe /stop"
Cleanup Commands:
rm #{output_file} -ErrorAction Ignore