1. Home
  2. Techniques
  3. ICS
  4. Screen Capture

Screen Capture

Adversaries may attempt to perform screen capture of devices in the control system environment. Screenshots may be taken of workstations, HMIs, or other devices that display environment-relevant process, device, reporting, alarm, or related data. These device displays may reveal information regarding the ICS process, layout, control, and related schematics. In particular, an HMI can provide a lot of important industrial process information. [1] Analysis of screen captures may provide the adversary with an understanding of intended operations and interactions between critical devices.

ID: T0852
Sub-techniques:  No sub-techniques
Tactic: Collection
Platforms: None
Version: 1.0
Created: 21 May 2020
Last Modified: 24 October 2025
Version Permalink

Procedure Examples

ID Name Description
G1000 ALLANITE

ALLANITE has been identified to collect and distribute screenshots of ICS systems such as HMIs. [2] [1]
G0064 APT33

APT33 utilize backdoors capable of capturing screenshots once installed on a system. [3][4]

Targeted Assets

ID Asset
A0002 Human-Machine Interface (HMI)
A0012 Jump Host
A0001 Workstation

Mitigations

ID Mitigation Description
M0816 Mitigation Limited or Not Effective

Preventing screen capture on a device may require disabling various system calls supported by the operating systems (e.g., Microsoft WindowsGraphicsCaputer APIs), however, these may be needed for other critical applications.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0751 Detection of Screen Capture AN1883

Monitor executed commands and arguments that may attempt to take screen captures of the desktop to gather information over the course of an operation.
Monitoring for screen capture behavior will depend on the method used to obtain data from the operating system and write output files. Detection methods could include collecting information from unusual processes using API calls used to obtain image data, and monitoring for image files written to disk, such as CopyFromScreen, xwd, or screencapture.[5][6] The data may need to be correlated with other events to identify malicious activity, depending on the legitimacy of this behavior within a given network environment.

References

  1. ICS-CERT 2017, October 21 Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors Retrieved. 2017/10/23
  2. Dragos Allanite Retrieved. 2019/10/27
  3. Jacqueline O'Leary et al. 2017, September 20 Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware Retrieved. 2019/12/02
  1. Junnosuke Yagi 2017, March 07 Trojan.Stonedrill Retrieved. 2019/12/05
  2. Microsoft. (n.d.). Graphics.CopyFromScreen Method. Retrieved March 24, 2020.
  3. Thomas Reed. (2017, January 18). New Mac backdoor using antiquated code. Retrieved July 5, 2017.