Skip to content

Latest commit

 

History

History
108 lines (65 loc) · 2.3 KB

T1113.md

File metadata and controls

108 lines (65 loc) · 2.3 KB

T1113 - Screen Capture

Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations.

Mac

On OSX, the native command screencapture is used to capture screenshots.

Linux

On Linux, there is the native command xwd. (Citation: Antiquated Mac Malware)

Atomic Tests


Atomic Test #1 - Screencapture

Use screencapture command to collect a full desktop screenshot

Supported Platforms: macOS

Inputs

Name Description Type Default Value
output_file Output file path Path desktop.png

Run it with bash!

screencapture


Atomic Test #2 - Screencapture (silent)

Use screencapture command to collect a full desktop screenshot

Supported Platforms: macOS

Inputs

Name Description Type Default Value
output_file Output file path Path desktop.png

Run it with bash!

screencapture -x


Atomic Test #3 - X Windows Capture

Use xwd command to collect a full desktop screenshot and review file with xwud

Supported Platforms: Linux

Inputs

Name Description Type Default Value
output_file Output file path Path desktop.xwd

Run it with bash!

xwd -root -out #{output_file}
xwud -in #{output_file}


Atomic Test #4 - Import

Use import command to collect a full desktop screenshot

Supported Platforms: Linux

Inputs

Name Description Type Default Value
output_file Output file path Path desktop.png

Run it with bash!

import -window root