Screen Capture

Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations.

Mac

On OSX, the native command screencapture is used to capture screenshots.

Linux

On Linux, there is the native command xwd. [1]

ID: T1113
Tactic: Collection
Platform: Linux, macOS, Windows
Data Sources: API monitoring, Process monitoring, File monitoring
Version: 1.0

Procedure Examples

| Name | Description |
| --- | --- |
| Agent Tesla | Agent Tesla can capture screenshots of the victim’s desktop. [63] [64] [65] [66] |
| APT28 | APT28 has used tools to take screenshots from victims. [93] [49] |
| Azorult | Azorult can capture screenshots of the victim’s machines. [78] |
| BADNEWS | BADNEWS has a command to take a screenshot and send it to the C2 server. [34] [35] |
| BadPatch | BadPatch captures screenshots in .jpg format and then exfiltrates them. [69] |
| Bandook | Bandook is capable of taking an image of and uploading the current desktop. [12] |
| BISCUIT | BISCUIT has a command to periodically take screenshots of the system. [76] |
| BlackEnergy | BlackEnergy is capable of taking screenshots. [11] |
| BRONZE BUTLER | BRONZE BUTLER has used a tool to capture screenshots. [27] |
| Cannon | Cannon can take a screenshot of the desktop. [23] |
| Carbanak | Carbanak performs desktop video recording and captures screenshots of the desktop and sends them to the C2 server. [50] |
| Cardinal RAT | Cardinal RAT can capture screenshots. [77] |
| Catchamas | Catchamas captures screenshots based on specific keywords in the window’s title. [75] |
| CHOPSTICK | CHOPSTICK has the capability to capture screenshots. [49] |
| Cobalt Strike | Cobalt Strike's "beacon" payload is capable of capturing screen shots. [2] |
| Cobian RAT | Cobian RAT has a feature to perform screen capture. [52] |
| CosmicDuke | CosmicDuke takes periodic screenshots and exfiltrates them. [18] |
| Crimson | Crimson contains a command to perform screen captures. [43] |
| CrossRAT | CrossRAT is capable of taking screen captures. [12] |
| Dark Caracal | Dark Caracal took screen shots using their Windows malware. [12] |
| Daserf | Daserf can take screenshots. [26] [27] |
| Derusbi | Derusbi is capable of performing screen captures. [10] |
| DOGCALL | DOGCALL is capable of capturing screenshots of the victim's machine. [8] [9] |
| Dragonfly 2.0 | Dragonfly 2.0 has performed screen captures of victims, including by using a tool, scr.exe (which matched the hash of ScreenUtil). [96] [97] |
| Empire | Empire is capable of capturing screenshots on Windows and macOS systems. [7] |
| EvilGrab | EvilGrab has the capability to capture screenshots. [73] |
| FIN7 | FIN7 captured screenshots and desktop video recordings. [98] |
| FinFisher | FinFisher takes a screenshot of the screen and displays it on top of all other windows for a few seconds in an apparent attempt to hide some messages shown by the system during the setup process. [28] [29] |
| Flame | Flame can take regular screenshots when certain applications are open; the screenshots are sent to the command and control server. [72] |
| FruitFly | FruitFly takes screenshots of the user's desktop. [37] |
| gh0st RAT | gh0st RAT can capture the victim’s screen remotely. [48] |
| Group5 | Malware used by Group5 is capable of watching the victim's screen. [94] |
| HALFBAKED | HALFBAKED can obtain screenshots from the victim. [40] |
| Hydraq | Hydraq includes a component based on the code of VNC that can stream a live feed of the desktop of an infected host. [71] |
| HyperBro | HyperBro has the ability to take screenshots. [91] |
| InvisiMole | InvisiMole can capture screenshots of not only the entire screen, but of each separate window open, in case they are overlapping. [53] |
| Janicab | Janicab captured screenshots and sent them out to a C2 server. [57] [58] |
| JHUHUGIT | A JHUHUGIT variant takes screenshots by simulating the user pressing the "Take Screenshot" key (VK_SCREENSHOT), accessing the screenshot saved in the clipboard, and converting it to a JPG image. [38] [39] |
| jRAT | jRAT has the capability to take screenshots of the victim’s machine. [67] [68] |
| Kasidet | Kasidet has the ability to initiate keylogging and screen captures. [31] |
| Kazuar | Kazuar captures screenshots of the victim’s screen. [36] |
| KeyBoy | KeyBoy has a command to perform screen grabbing. [90] |
| KEYMARBLE | KEYMARBLE can capture screenshots of the victim’s machine. [30] |
| KONNI | KONNI can take screenshots of the victim’s machine. [62] |
| MacSpy | MacSpy can capture screenshots of the desktop over multiple monitors. [37] |
| Magic Hound | Magic Hound malware can take a screenshot and upload the file to its C2 server. [99] |
| Matroyshka | Matroyshka is capable of performing screen captures. [19] [20] |
| Micropsia | Micropsia takes screenshots every 90 seconds by calling the Gdi32.BitBlt API. [55] |
| MuddyWater | MuddyWater has used malware that can capture screenshots of the victim’s machine. [95] |
| NETWIRE | NETWIRE can capture the victim's screen. [74] |
| njRAT | njRAT can capture screenshots of the victim’s machines. [87] |
| Octopus | Octopus can capture screenshots of the victims’ machine. [60] |
| OilRig | OilRig has a tool called CANDYKING to capture a screenshot of the user's desktop. [92] |
| PlugX | PlugX allows the operator to capture screenshots. [51] |
| POORAIM | POORAIM can perform screen capturing. [8] |
| PowerSploit | PowerSploit's Get-TimedScreenshot Exfiltration module can take screenshots at regular intervals. [4] [5] |
| POWERSTATS | POWERSTATS can retrieve screenshots from compromised hosts. [32] |
| POWRUNER | POWRUNER can capture a screenshot from a victim. [41] |
| Prikormka | Prikormka contains a module that captures screenshots of the victim's desktop. [70] |
| Proton | Proton captures the content of the desktop with the screencapture binary. [37] |
| Pteranodon | Pteranodon can capture screenshots at a configurable interval. [33] |
| Pupy | Pupy can drop a mouse-logger that will take small screenshots around each click and then send them back to the server. [6] |
| RedLeaves | RedLeaves can capture screenshots. [45] [46] |
| Remcos | Remcos takes automated screenshots of the infected machine. [3] |
| Remexi | Remexi takes screenshots of windows of interest. [84] |
| Revenge RAT | Revenge RAT has a plugin for screen capture. [85] |
| RogueRobin | RogueRobin has a command named $screenshot that may be responsible for taking screenshots of the victim machine. [47] |
| ROKRAT | ROKRAT captures screenshots of the infected system. [15] [16] [17] |
| Rover | Rover takes screenshots of the compromised system's desktop and saves them to C:\system\screenshot.bmp for exfiltration every 60 minutes. [14] |
| RTM | RTM can capture screenshots. [44] |
| SHUTTERSPEED | SHUTTERSPEED can capture screenshots. [8] |
| Silence | Silence can capture victim screen activity. [100] |
| Socksbot | Socksbot can take screenshots. [56] |
| StoneDrill | StoneDrill can take screenshots. [86] |
| T9000 | T9000 can take screenshots of the desktop and target application windows, saving them to user directories as one-byte XOR-encrypted .dat files. [42] |
| TinyZBot | TinyZBot contains screen capture functionality. [21] |
| Trojan.Karagany | Trojan.Karagany can take a desktop screenshot and save the file into \ProgramData\Mail\MailAg\shot.png. [83] |
| TURNEDUP | TURNEDUP is capable of taking screenshots. [13] |
| UPPERCUT | UPPERCUT can capture desktop screenshots in the PNG format and send them to the C2 server. [22] |
| Ursnif | Ursnif has used hooked APIs to take screenshots. [88] [89] |
| VERMIN | VERMIN can perform screen captures of the victim’s machine. [61] |
| XAgentOSX | XAgentOSX contains the takeScreenShot (along with startTakeScreenShot and stopTakeScreenShot) functions to take screenshots using the CGGetActiveDisplayList, CGDisplayCreateImage, and NSImage:initWithCGImage methods. [25] |
| yty | yty collects screenshots of the victim machine. [59] |
| Zebrocy | A variant of Zebrocy captures screenshots of the victim’s machine in JPEG and BMP format. [23] [79] [80] [81] [82] |
| Zeus Panda | Zeus Panda can take screenshots of the victim’s machine. [54] |
| ZLib | ZLib has the ability to obtain screenshots of the compromised system. [24] |

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

Monitoring for screen capture behavior will depend on the method used to obtain data from the operating system and write output files. Detection methods could include collecting information from unusual processes using API calls used to obtain image data, and monitoring for image files written to disk. The sensor data may need to be correlated with other events to identify malicious activity, depending on the legitimacy of this behavior within a given network environment.
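The correlation described above, sketched as an added example that is not part of the ATT&CK page: it combines process monitoring for the native `screencapture` and `xwd` utilities with file monitoring for image files written at a near-constant interval. The event schema, host and process names, allowlists and thresholds are all assumptions made for illustration.

```python
from collections import defaultdict
from statistics import pstdev

CAPTURE_TOOLS = {"screencapture", "xwd"}  # native utilities named on this page
IMAGE_EXTS = (".png", ".jpg", ".jpeg", ".bmp")
# Assumptions: tune both allowlists to what is normal in your environment.
INTERACTIVE_PARENTS = {"zsh", "bash", "SystemUIServer", "gnome-shell"}
EXPECTED_IMAGE_WRITERS = {"mspaint.exe", "gimp", "Preview"}

# Constructed telemetry (process and file monitoring); ts is in seconds.
EVENTS = [
    {"type": "process", "ts": 100, "host": "mac01", "image": "/usr/sbin/screencapture", "parent": "zsh"},
    {"type": "process", "ts": 220, "host": "mac02", "image": "/usr/sbin/screencapture", "parent": "updaterd"},
    {"type": "process", "ts": 300, "host": "lin01", "image": "/usr/bin/xwd", "parent": "python3"},
    {"type": "file_write", "ts": 1000, "host": "win01", "process": "svc_helper.exe", "path": r"C:\Users\a\AppData\Local\Temp\s1.jpg"},
    {"type": "file_write", "ts": 1090, "host": "win01", "process": "svc_helper.exe", "path": r"C:\Users\a\AppData\Local\Temp\s2.jpg"},
    {"type": "file_write", "ts": 1180, "host": "win01", "process": "svc_helper.exe", "path": r"C:\Users\a\AppData\Local\Temp\s3.jpg"},
    {"type": "file_write", "ts": 1270, "host": "win01", "process": "svc_helper.exe", "path": r"C:\Users\a\AppData\Local\Temp\s4.jpg"},
    {"type": "file_write", "ts": 1300, "host": "win01", "process": "mspaint.exe", "path": r"C:\Users\a\Pictures\diagram.png"},
    {"type": "file_write", "ts": 10, "host": "lin01", "process": "thumbnailer", "path": "/home/a/.cache/t1.png"},
    {"type": "file_write", "ts": 400, "host": "lin01", "process": "thumbnailer", "path": "/home/a/.cache/t2.png"},
    {"type": "file_write", "ts": 2000, "host": "lin01", "process": "thumbnailer", "path": "/home/a/.cache/t3.png"},
]

def basename(path):
    """Last path component for both POSIX and Windows style paths."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]

def detect(events, min_writes=3, max_jitter=5.0):
    """Return (rule, host, process) findings for screen-capture-like behaviour."""
    findings, writes = [], defaultdict(list)
    for e in events:
        if e["type"] == "process":
            # Rule 1: native capture utility launched by a non-interactive parent.
            if basename(e["image"]) in CAPTURE_TOOLS and e["parent"] not in INTERACTIVE_PARENTS:
                findings.append(("capture_tool_unusual_parent", e["host"], e["parent"]))
        elif e["type"] == "file_write":
            # Collect image writes from processes not expected to produce images.
            if e["path"].lower().endswith(IMAGE_EXTS) and e["process"] not in EXPECTED_IMAGE_WRITERS:
                writes[(e["host"], e["process"])].append(e["ts"])
    # Rule 2: image files written at a near-constant interval (timer-driven capture).
    for (host, proc), ts in sorted(writes.items()):
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if len(ts) >= min_writes and pstdev(gaps) <= max_jitter:
            findings.append(("periodic_image_writes", host, proc))
    return findings

if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

The irregular `thumbnailer` writes and the interactive `zsh` launch are not reported, which is the environment-dependent legitimacy the paragraph refers to; a finding is a lead for correlation with other events, not a verdict.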

References

  1. Thomas Reed. (2017, January 18). New Mac backdoor using antiquated code. Retrieved July 5, 2017.
  2. Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017.
  3. Klijnsma, Y. (2018, January 23). Espionage Campaign Leverages Spear Phishing, RATs Against Turkish Defense Contractors. Retrieved November 6, 2018.
  4. PowerShellMafia. (2012, May 26). PowerSploit - A PowerShell Post-Exploitation Framework. Retrieved February 6, 2018.
  5. PowerSploit. (n.d.). PowerSploit. Retrieved February 6, 2018.
  6. Nicolas Verdier. (n.d.). Retrieved January 29, 2018.
  7. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
  8. FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018.
  9. Grunzweig, J. (2018, October 01). NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT. Retrieved November 5, 2018.
  10. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
  11. Baumgartner, K. and Garnaeva, M. (2014, November 3). BE2 custom plugins, router abuse, and target profiles. Retrieved March 24, 2016.
  12. Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.
  13. O'Leary, J., et al. (2017, September 20). Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware. Retrieved February 15, 2018.
  14. Ray, V., Hayashi, K. (2016, February 29). New Malware ‘Rover’ Targets Indian Ambassador to Afghanistan. Retrieved February 29, 2016.
  15. Mercer, W., Rascagneres, P. (2017, April 03). Introducing ROKRAT. Retrieved May 21, 2018.
  16. Mercer, W., Rascagneres, P. (2017, November 28). ROKRAT Reloaded. Retrieved May 21, 2018.
  17. GReAT. (2019, May 13). ScarCruft continues to evolve, introduces Bluetooth harvester. Retrieved June 4, 2019.
  18. F-Secure Labs. (2014, July). COSMICDUKE Cosmu with a twist of MiniDuke. Retrieved July 3, 2014.
  19. ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017.
  20. Minerva Labs LTD and ClearSky Cyber Security. (2015, November 23). CopyKittens Attack Group. Retrieved September 11, 2017.
  21. Cylance. (2014, December). Operation Cleaver. Retrieved September 14, 2017.
  22. Matsuda, A., Muhammad I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018.
  23. Falcone, R., Lee, B. (2018, November 20). Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved November 26, 2018.
  24. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved September 19, 2017.
  25. Robert Falcone. (2017, February 14). XAgentOSX: Sofacy's Xagent macOS Tool. Retrieved July 12, 2017.
  26. Chen, J. and Hsieh, M. (2017, November 7). REDBALDKNIGHT/BRONZE BUTLER’s Daserf Backdoor Now Using Steganography. Retrieved December 27, 2017.
  27. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.
  28. FinFisher. (n.d.). Retrieved December 20, 2017.
  29. Allievi, A., Flori, E. (2018, March 01). FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines. Retrieved July 9, 2018.
  30. US-CERT. (2018, August 09). MAR-10135536-17 – North Korean Trojan: KEYMARBLE. Retrieved August 16, 2018.
  31. Yadav, A., et al. (2016, January 29). Malicious Office files dropping Kasidet and Dridex. Retrieved March 24, 2016.
  32. Singh, S. et al. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.
  33. Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.
  34. Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.
  35. Levene, B. et al. (2018, March 7). Patchwork Continues to Deliver BADNEWS to the Indian Subcontinent. Retrieved March 31, 2018.
  36. Levene, B, et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018.
  37. Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018.
  38. Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017.
  39. Mercer, W., et al. (2017, October 22). "Cyber Conflict" Decoy Document Used in Real Cyber Conflict. Retrieved November 2, 2018.
  40. Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017.
  41. Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.
  42. Grunzweig, J. and Miller-Osborn, J. (2016, February 4). T9000: Advanced Modular Backdoor Uses Complex Anti-Analysis Techniques. Retrieved April 15, 2016.
  43. Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016.
  44. Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
  45. FireEye iSIGHT Intelligence. (2017, April 6). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017.
  46. Accenture Security. (2018, April 23). Hogfish Redleaves Campaign. Retrieved July 2, 2018.
  47. Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus Targets Middle East Government. Retrieved August 2, 2018.
  48. Pantazopoulos, N. (2018, April 17). Decoding network data from a Gh0st RAT variant. Retrieved November 2, 2018.
  49. Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018.
  50. Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018.
  51. Computer Incident Response Center Luxembourg. (2013, March 29). Analysis of a PlugX variant. Retrieved November 5, 2018.
  52. Yadav, A., et al. (2017, August 31). Cobian RAT – A backdoored RAT. Retrieved November 13, 2018.
  53. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
  54. Ebach, L. (2017, June 22). Analysis Results of Zeus.Variant.Panda. Retrieved November 5, 2018.
  55. Tsarfaty, Y. (2018, July 25). Micropsia Malware. Retrieved November 13, 2018.
  56. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.
  57. Brod. (2013, July 15). Signed Mac Malware Using Right-to-Left Override Trick. Retrieved July 17, 2017.
  58. Thomas. (2013, July 15). New signed malware called Janicab. Retrieved July 17, 2017.
  59. Schwarz, D., Sopko J. (2018, March 08). Donot Team Leverages New Modular Malware Framework in South Asia. Retrieved June 11, 2018.
  60. Kaspersky Lab's Global Research & Analysis Team. (2018, October 15). Octopus-infested seas of Central Asia. Retrieved November 14, 2018.
  61. Lancaster, T., Cortes, J. (2018, January 29). VERMIN: Quasar RAT and Custom Malware Used In Ukraine. Retrieved July 5, 2018.
  62. Rascagneres, P. (2017, May 03). KONNI: A Malware Under The Radar For Years. Retrieved November 5, 2018.
  63. Brumaghin, E., et al. (2018, October 15). Old dog, new tricks - Analysing new RTF-based campaign distributing Agent Tesla, Loki with PyREbox. Retrieved November 5, 2018.
  64. The DigiTrust Group. (2017, January 12). The Rise of Agent Tesla. Retrieved November 5, 2018.
  65. Zhang, X. (2018, April 05). Analysis of New Agent Tesla Spyware Variant. Retrieved November 5, 2018.
  66. Zhang, X. (2017, June 28). In-Depth Analysis of A New Variant of .NET Malware AgentTesla. Retrieved November 5, 2018.
  67. Sharma, R. (2018, August 15). Revamped jRAT Uses New Anti-Parsing Techniques. Retrieved September 21, 2018.
  68. Kamluk, V. & Gostev, A. (2016, February). Adwind - A Cross-Platform RAT. Retrieved April 23, 2019.
  69. Bar, T., Conant, S. (2017, October 20). BadPatch. Retrieved November 13, 2018.
  70. Cherepanov, A. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016.
  71. Lelli, A. (2010, January 11). Trojan.Hydraq. Retrieved February 20, 2018.
  72. Gostev, A. (2012, May 28). The Flame: Questions and Answers. Retrieved March 1, 2017.
  73. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
  74. McAfee. (2015, March 2). Netwire RAT Behind Recent Targeted Attacks. Retrieved February 15, 2018.
  75. Balanza, M. (2018, April 02). Infostealer.Catchamas. Retrieved July 10, 2018.
  76. Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal. Retrieved July 18, 2016.
  77. Grunzweig, J. (2017, April 20). Cardinal RAT Active for Over Two Years. Retrieved December 8, 2018.
  78. Yan, T., et al. (2018, November 21). New Wine in Old Bottle: New Azorult Variant Found in FindMyName Campaign using Fallout Exploit Kit. Retrieved November 29, 2018.
  79. ESET. (2018, November 20). Sednit: What’s going on with Zebrocy?. Retrieved February 12, 2019.
  80. Lee, B., Falcone, R. (2018, December 12). Dear Joohn: The Sofacy Group’s Global Campaign. Retrieved April 19, 2019.
  81. ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019.
  82. Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019.
  83. Symantec Security Response. (2014, July 7). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.
  84. Legezo, D. (2019, January 30). Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities. Retrieved April 17, 2019.
  85. Livelli, K, et al. (2018, November 12). Operation Shaheen. Retrieved May 1, 2019.
  86. Kaspersky Lab. (2017, March 7). From Shamoon to StoneDrill: Wipers attacking Saudi organizations and beyond. Retrieved March 14, 2019.
  87. Pascual, C. (2018, November 27). AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019.
  88. Caragay, R. (2015, March 26). URSNIF: The Multifaceted Malware. Retrieved June 5, 2019.
  89. Sioting, S. (2013, June 15). BKDR_URSNIF.SM. Retrieved June 5, 2019.
  90. Parys, B. (2017, February 11). The KeyBoys are back in town. Retrieved June 13, 2019.
  91. Falcone, R. and Lancaster, T. (2019, May 28). Emissary Panda Attacks Middle East Government Sharepoint Servers. Retrieved July 9, 2019.
  92. Davis, S. and Caban, D. (2017, December 19). APT34 - New Targeted Attack in the Middle East. Retrieved December 20, 2017.
  93. ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
  94. Scott-Railton, J., et al. (2016, August 2). Group5: Syria and the Iranian Connection. Retrieved September 26, 2016.
  95. Kaspersky Lab's Global Research & Analysis Team. (2018, October 10). MuddyWater expands operations. Retrieved November 2, 2018.
  96. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
  97. Symantec Security Response. (2017, September 6). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved September 9, 2017.
  98. Department of Justice. (2018, August 01). HOW FIN7 ATTACKED AND STOLE DATA. Retrieved August 24, 2018.
  99. Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017.
  100. GReAT. (2017, November 1). Silence – a new Trojan attacking financial organizations. Retrieved May 24, 2019.