Unusual use of screen capture APIs (e.g., CopyFromScreen) or command-line tools to write image files to disk.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Module Load (DC0016) | WinEventLog:Sysmon | EventCode=7 |

| Field | Description |
|---|---|
| ParentProcessName | Depends on allowed parent process behaviors in the environment (e.g., explorer.exe vs powershell.exe) |
| TimeWindow | Can tune alert thresholds for rapid or scheduled screenshots (e.g., interval-based screen capture) |
| ImageExtension | To detect file writes (e.g., .bmp, .png) that deviate from typical user activity |

Invocation of built-in commands like screencapture or use of undocumented APIs from suspicious parent processes.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | macos:unifiedlog | process: exec |

| Field | Description |
|---|---|
| CommandLineRegex | Customize regex for flag detection (e.g., `screencapture -x`) based on usage patterns |
| ParentProcessName | May vary depending on expected screencapture behavior (Terminal vs remote agent) |

Use of tools like xwd or import to generate screenshots, especially under non-GUI parent processes.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | auditd:SYSCALL | execve |

| Field | Description |
|---|---|
| TerminalSession | Filter based on TTY sessions or remote terminal usage |
| ExecutablePath | Match against known location of xwd/import binaries or renamed variants |
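The macOS and Linux process-creation analytics above, as an added example that is not part of this detection strategy page: a small Python detector run over constructed, already-normalised process-creation events. It applies the tunables from the Field tables (ParentProcessName allow-list, CommandLineRegex for the `-x` flag, TimeWindow burst threshold, ExecutablePath matched by basename); the event layout, sample values and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Tunables, named after the Field tables above; values are constructed examples.
CAPTURE_TOOLS = {"screencapture", "xwd", "import"}           # ExecutablePath basenames
CAPTURE_CLI_REGEX = re.compile(r"\bscreencapture\b.*\s-x\b")  # CommandLineRegex: silent capture
ALLOWED_PARENTS = {"explorer.exe", "terminal"}                # ParentProcessName allow-list
TIME_WINDOW = 30   # seconds (TimeWindow)
BURST_COUNT = 3    # captures inside the window treated as interval-based capture

def basename(path):
    """Last path component, lower-cased, for both / and \\ separators."""
    return re.split(r"[\\/]", path)[-1].lower()

def screen_capture_alerts(events, allowed_parents=ALLOWED_PARENTS,
                          window=TIME_WINDOW, burst=BURST_COUNT):
    """Return (host, reason) pairs for capture-tool launches, in time order."""
    alerts = []
    recent = defaultdict(list)  # host -> timestamps of capture launches in the window
    for ev in sorted(events, key=lambda e: e["ts"]):
        tool = basename(ev["image"])
        if tool not in CAPTURE_TOOLS:
            continue
        host, parent, cmd = ev["host"], basename(ev["parent"]), ev["cmdline"]
        if parent not in allowed_parents:
            alerts.append((host, f"{tool} launched by unexpected parent {parent}"))
        if CAPTURE_CLI_REGEX.search(cmd):
            alerts.append((host, "screencapture with silent -x flag"))
        # Keep only launches within the window, then check for a burst.
        recent[host] = [t for t in recent[host] if ev["ts"] - t <= window] + [ev["ts"]]
        if len(recent[host]) >= burst:
            alerts.append((host, f"{len(recent[host])} captures within {window}s"))
    return alerts

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "mac-1", "ts": 0, "image": "/usr/sbin/screencapture",
     "parent": "/usr/bin/python3", "cmdline": "screencapture -x /tmp/.s1.png"},
    {"host": "mac-1", "ts": 5, "image": "/usr/sbin/screencapture",
     "parent": "/usr/bin/python3", "cmdline": "screencapture -x /tmp/.s2.png"},
    {"host": "mac-1", "ts": 10, "image": "/usr/sbin/screencapture",
     "parent": "/usr/bin/python3", "cmdline": "screencapture -x /tmp/.s3.png"},
    {"host": "lnx-1", "ts": 100, "image": "/usr/bin/xwd",
     "parent": "/usr/sbin/sshd", "cmdline": "xwd -root -out /tmp/x.xwd"},
    {"host": "mac-2", "ts": 200, "image": "/usr/sbin/screencapture",
     "parent": "/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal",
     "cmdline": "screencapture ~/Desktop/shot.png"},  # interactive, allowed parent
]

if __name__ == "__main__":
    for host, reason in screen_capture_alerts(SAMPLE_EVENTS):
        print(host, reason)
```

The interactive Terminal launch on mac-2 produces no alert, while the scripted burst on mac-1 trips all three checks; in production the parent allow-list and window would be tuned per environment as the tables note.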