2021-12-29 17:47:43 +01:00
|
|
|
title: Windows Screen Capture with CopyFromScreen
|
|
|
|
|
id: d4a11f63-2390-411c-9adf-d791fd152830
|
2023-10-17 14:35:26 +02:00
|
|
|
status: test
|
2021-12-29 17:47:43 +01:00
|
|
|
description: |
|
2022-07-11 14:11:53 +01:00
|
|
|
Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation.
|
|
|
|
|
Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations
|
2021-12-29 17:47:43 +01:00
|
|
|
references:
|
2022-07-11 14:11:53 +01:00
|
|
|
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md#atomic-test-6---windows-screen-capture-copyfromscreen
|
2021-12-29 17:47:43 +01:00
|
|
|
author: frack113
|
2024-08-12 12:02:50 +02:00
|
|
|
date: 2021-12-28
|
|
|
|
|
modified: 2022-07-07
|
2022-10-26 09:43:39 +02:00
|
|
|
tags:
|
|
|
|
|
- attack.collection
|
|
|
|
|
- attack.t1113
|
2021-12-29 17:47:43 +01:00
|
|
|
logsource:
|
|
|
|
|
product: windows
|
|
|
|
|
category: ps_script
|
2023-01-04 17:49:32 +01:00
|
|
|
definition: 'Requirements: Script Block Logging must be enabled'
|
2021-12-29 17:47:43 +01:00
|
|
|
detection:
|
|
|
|
|
selection:
|
|
|
|
|
ScriptBlockText|contains: '.CopyFromScreen'
|
|
|
|
|
condition: selection
|
|
|
|
|
falsepositives:
|
2022-07-07 19:13:01 +01:00
|
|
|
- Unknown
|
2021-12-29 17:47:43 +01:00
|
|
|
level: medium
|
