2020-10-14 00:51:55 -05:00
|
|
|
title: Screen Capture - macOS
|
2020-10-14 00:54:51 -05:00
|
|
|
id: 0877ed01-da46-4c49-8476-d49cdd80dfa7
|
2021-11-27 11:33:14 +01:00
|
|
|
status: test
|
2020-10-14 00:54:51 -05:00
|
|
|
description: Detects attempts to use screencapture to collect macOS screenshots
|
2020-10-14 00:51:55 -05:00
|
|
|
references:
|
2022-07-07 15:24:15 +01:00
|
|
|
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md
|
|
|
|
|
- https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/collection/osx/screenshot.py
|
2022-10-25 09:30:05 +02:00
|
|
|
author: remotephone, oscd.community
|
2024-08-12 12:02:50 +02:00
|
|
|
date: 2020-10-13
|
|
|
|
|
modified: 2021-11-27
|
2022-10-25 09:30:05 +02:00
|
|
|
tags:
|
|
|
|
|
- attack.collection
|
|
|
|
|
- attack.t1113
|
2020-10-14 00:51:55 -05:00
|
|
|
logsource:
|
2022-07-07 15:24:15 +01:00
|
|
|
product: macos
|
|
|
|
|
category: process_creation
|
2020-10-14 00:51:55 -05:00
|
|
|
detection:
|
2022-07-07 15:24:15 +01:00
|
|
|
selection:
|
|
|
|
|
Image: '/usr/sbin/screencapture'
|
|
|
|
|
condition: selection
|
2020-10-14 00:51:55 -05:00
|
|
|
falsepositives:
|
2022-07-07 15:24:15 +01:00
|
|
|
- Legitimate user activity taking screenshots
|
2020-10-14 00:51:55 -05:00
|
|
|
level: low
|
