Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen`, `xwd`, or `screencapture`. (Citation: CopyFromScreen .NET)(Citation: Antiquated Mac Malware)
Use screencapture command to collect a full desktop screenshot
Supported Platforms: macOS
Name | Description | Type | Default Value |
---|---|---|---|
output_file | Output file path | Path | /tmp/T1113_desktop.png |
Attack Commands:
```bash
screencapture #{output_file}
```
Cleanup Commands:
```bash
rm #{output_file}
```
Use screencapture command with the -x flag to collect a full desktop screenshot silently (no shutter sound)
Supported Platforms: macOS
Name | Description | Type | Default Value |
---|---|---|---|
output_file | Output file path | Path | /tmp/T1113_desktop.png |
Attack Commands:
```bash
screencapture -x #{output_file}
```
Cleanup Commands:
```bash
rm #{output_file}
```
Use xwd command to collect a full desktop screenshot and review the file with xwud
Supported Platforms: Linux
Name | Description | Type | Default Value |
---|---|---|---|
output_file | Output file path | Path | /tmp/T1113_desktop.xwd |
Attack Commands:
```bash
xwd -root -out #{output_file}
xwud -in #{output_file}
```
Cleanup Commands:
```bash
rm #{output_file}
```
Use import command from ImageMagick to collect a full desktop screenshot
Supported Platforms: Linux
Name | Description | Type | Default Value |
---|---|---|---|
output_file | Output file path | Path | /tmp/T1113_desktop.png |
Attack Commands:
```bash
import -window root #{output_file}
```
Cleanup Commands:
```bash
rm #{output_file}
```
Check Prereq Commands:
```bash
if import --version; then exit 0; else exit 1; fi
```
Get Prereq Commands:
```bash
sudo apt-get install imagemagick
```
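As an added detection example (not part of this page or of the Atomic Red Team project), the following Python script scans process-execution records for the exact command shapes the tests above exercise (screencapture with or without -x, xwd -root, import -window root) and tags each hit with T1113; the record format and the sample log lines are constructed assumptions.

```python
import shlex
from typing import Dict, List, Optional

# Constructed sample process-execution records (not real telemetry): "<timestamp> <user> <pid> <command line>".
SAMPLE_LOG = """\
2024-05-01T10:00:01Z alice 4012 /usr/sbin/screencapture -x /tmp/T1113_desktop.png
2024-05-01T10:00:02Z alice 4013 ls -la /tmp
2024-05-01T10:00:03Z bob 5120 xwd -root -out /tmp/T1113_desktop.xwd
2024-05-01T10:00:04Z bob 5121 import -window root /tmp/T1113_desktop.png
2024-05-01T10:00:05Z bob 5122 import requests
2024-05-01T10:00:06Z carol 6001 xwd -id 0x1234 -out /tmp/win.xwd
"""

def classify(cmdline: str) -> Optional[Dict[str, object]]:
    """Return a finding for a full-desktop capture command line from the tests above, else None."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes: unparseable, so no match
        return None
    tool = argv[0].rsplit("/", 1)[-1] if argv else ""  # basename, so /usr/sbin/screencapture matches
    args = argv[1:]
    if tool == "screencapture":
        # -x suppresses the shutter sound (the silent variant); the last non-flag argument is the file
        outputs = [a for a in args if not a.startswith("-")]
        return {"tool": tool, "variant": "silent" if "-x" in args else "default",
                "output": outputs[-1] if outputs else None}
    if tool == "xwd" and "-root" in args:  # root-window capture only; "-id <window>" is a single window
        idx = args.index("-out") if "-out" in args else -1
        return {"tool": tool, "variant": "root", "output": args[idx + 1] if 0 <= idx < len(args) - 1 else None}
    if tool == "import" and "-window" in args:
        idx = args.index("-window")
        if idx + 1 < len(args) and args[idx + 1] == "root":  # "import requests" never reaches here
            rest = [a for a in args[idx + 2:] if not a.startswith("-")]
            return {"tool": tool, "variant": "root", "output": rest[-1] if rest else None}
    return None

def scan(log_text: str) -> List[Dict[str, object]]:
    """Run classify() over every record and attach who, when, pid and the ATT&CK technique id."""
    findings: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        fields = line.split(" ", 3)
        if len(fields) < 4:
            continue
        ts, user, pid, cmdline = fields
        finding = classify(cmdline)
        if finding is not None:
            finding.update({"ts": ts, "user": user, "pid": int(pid), "technique": "T1113"})
            findings.append(finding)
    return findings
```

Running `scan(SAMPLE_LOG)` yields three findings (pids 4012, 5120 and 5121); the `ls`, `import requests` and single-window `xwd -id` lines are not flagged.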