- Tactics
- Collection
- Platforms
- Linux, macOS, Windows
- Reference
- attack.mitre.org/techniques/T1113
Description
Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as CopyFromScreen, xwd, or screencapture.(Citation: CopyFromScreen .NET)(Citation: Antiquated Mac Malware)
How GTK Cyber trains on this
GTK Cyber's Threat Hunting with Data Science course teaches you to build machine-learning detections for techniques like this across the MITRE ATT&CK framework, including the Collection tactic this technique falls under. Practitioner-led, focused on real detections, not memorizing technique IDs.
Related techniques
- T1005 - Data from Local System
- T1025 - Data from Removable Media
- T1039 - Data from Network Shared Drive
- T1056 - Input Capture
- T1074 - Data Staged
- T1114 - Email Collection
- T1115 - Clipboard Data
- T1119 - Automated Collection
- T1123 - Audio Capture
- T1125 - Video Capture
- T1185 - Browser Session Hijacking
- T1213 - Data from Information Repositories