CircleCI Atomic Red Team doc generator
107 lines
2.8 KiB
Markdown
107 lines
2.8 KiB
Markdown
# T1113 - Screen Capture
|
|
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1113)
|
|
<blockquote>Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations.
|
|
|
|
===Mac===
|
|
|
|
On OSX, the native command <code>screencapture</code> is used to capture screenshots.
|
|
|
|
===Linux===
|
|
|
|
On Linux, there is the native command <code>xwd</code>. (Citation: Antiquated Mac Malware)
|
|
|
|
Detection: Monitoring for screen capture behavior will depend on the method used to obtain data from the operating system and write output files. Detection methods could include collecting information from unusual processes using API calls used to obtain image data, and monitoring for image files written to disk. The sensor data may need to be correlated with other events to identify malicious activity, depending on the legitimacy of this behavior within a given network environment.
|
|
|
|
Platforms: Linux, macOS, Windows
|
|
|
|
Data Sources: API monitoring, Process monitoring, File monitoring</blockquote>
|
|
|
|
## Atomic Tests
|
|
|
|
- [Atomic Test #1 - Screencapture](#atomic-test-1---screencapture)
|
|
|
|
- [Atomic Test #2 - Screencapture (silent)](#atomic-test-2---screencapture-silent)
|
|
|
|
- [Atomic Test #3 - X Windows Capture](#atomic-test-3---x-windows-capture)
|
|
|
|
- [Atomic Test #4 - Import](#atomic-test-4---import)
|
|
|
|
|
|
<br/>
|
|
|
|
## Atomic Test #1 - Screencapture
|
|
Use screencapture command to collect a full desktop screenshot
|
|
|
|
**Supported Platforms:** macOS
|
|
|
|
|
|
#### Inputs
|
|
| Name | Description | Type | Default Value |
|
|
|------|-------------|------|---------------|
|
|
| output_file | xxx
|
|
| Path | desktop.png|
|
|
|
|
#### Run it with `bash`!
|
|
```
|
|
screencapture
|
|
```
|
|
<br/>
|
|
<br/>
|
|
|
|
## Atomic Test #2 - Screencapture (silent)
|
|
Use screencapture command to collect a full desktop screenshot
|
|
|
|
**Supported Platforms:** macOS
|
|
|
|
|
|
#### Inputs
|
|
| Name | Description | Type | Default Value |
|
|
|------|-------------|------|---------------|
|
|
| output_file | xxx
|
|
| Path | desktop.png|
|
|
|
|
#### Run it with `bash`!
|
|
```
|
|
screencapture -x
|
|
```
|
|
<br/>
|
|
<br/>
|
|
|
|
## Atomic Test #3 - X Windows Capture
|
|
Use xwd command to collect a full desktop screenshot and review file with xwud
|
|
|
|
**Supported Platforms:** Linux
|
|
|
|
|
|
#### Inputs
|
|
| Name | Description | Type | Default Value |
|
|
|------|-------------|------|---------------|
|
|
| output_file | xxx
|
|
| Path | desktop.xwd|
|
|
|
|
#### Run it with `bash`!
|
|
```
|
|
xwd -root -out #{output_file}
|
|
xwud -in #{output_file}
|
|
```
|
|
<br/>
|
|
<br/>
|
|
|
|
## Atomic Test #4 - Import
|
|
Use import command to collect a full desktop screenshot
|
|
|
|
**Supported Platforms:** Linux
|
|
|
|
|
|
#### Inputs
|
|
| Name | Description | Type | Default Value |
|
|
|------|-------------|------|---------------|
|
|
| output_file | xxx
|
|
| Path | desktop.png|
|
|
|
|
#### Run it with `bash`!
|
|
```
|
|
import -window root
|
|
```
|
|
<br/>
|