|Platform|Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1|
|Data Sources|API monitoring, Process monitoring, File monitoring|
Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations.
- APT28 regularly deploys a custom tool that takes screenshots of victims at regular intervals. [1]
- Malware used by Group5 is capable of watching the victim's screen. [2]
- TinyZBot contains screen capture functionality. [3]
- CosmicDuke takes periodic screenshots and exfiltrates them. [4]
- ZLib has the ability to obtain screenshots of the compromised system. [5]
- Kasidet has the ability to initiate keylogging and screen captures. [6]
- BlackEnergy is capable of taking screenshots. [7]
- Rover takes screenshots of the compromised system's desktop and saves them to C:\system\screenshot.bmp for exfiltration every 60 minutes. [8]
- Trojan.Karagany can take a desktop screenshot and save the file into \ProgramData\Mail\MailAg\shot.png. [9]
- T9000 can take screenshots of the desktop and of targeted application windows, saving them to user directories as single-byte XOR-encrypted .dat files. [10]
- Prikormka contains a module that captures screenshots of the victim's desktop. [11]
- Crimson contains a command to perform screen captures. [12]
- BADNEWS has a command to take a screenshot and send it to the C2 server. [13]
- Flame takes regular screenshots while certain applications are open and sends them to the command and control server. [14]
- Pteranodon can capture screenshots at a configurable interval. [15]
- RTM can capture screenshots. [16]
Blocking software solely because it contains screen capture functionality is impractical, since legitimate software (remote support, collaboration and accessibility tools among them) performs the same actions. Instead, identify potentially malicious software that may have the functionality to acquire screen captures, and audit and/or block it using whitelisting [17] tools such as AppLocker [18][19] or Software Restriction Policies [20] where appropriate. [21]
Monitoring for screen capture behavior will depend on the method used to obtain the image data from the operating system and on how the output files are written. Detection methods could include collecting information on unusual processes that use the API calls which return screen image data (for example the GDI BitBlt family on Windows), and monitoring for image files written to disk, particularly by processes, or into locations, that do not normally produce them. Because screenshot writes are also common legitimate activity, the sensor data will usually need to be correlated with other events (the writing process, its parent, the destination path, the regularity of the writes and any subsequent network activity) before it can be called malicious, depending on how normal this behavior is within a given network environment.
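The file-write half of that detection approach, as an added example that is not part of the original page: a small Python routine run over constructed Sysmon-style FileCreate (Event ID 11) records. The process allowlist, the list of unusual destination directories and the event records are assumptions made for illustration; the two destination file names borrow the Rover and Trojan.Karagany paths cited above, while the process names are invented. It flags image files written by processes outside the allowlist or into unusual locations, and, to catch interval-based capture like Rover's 60-minute cycle, checks whether repeated writes to the same path are evenly spaced.

```python
"""Flag screen-capture-like image writes in file-creation events.

Added example for this page, not code from ATT&CK or from any of the
tools cited. Every event is (utc_time, process_image, target_filename),
the three fields a Sysmon FileCreate (Event ID 11) record supplies.
All sample data below is constructed.
"""
from collections import defaultdict
from datetime import datetime

IMAGE_EXTENSIONS = (".bmp", ".png", ".jpg", ".jpeg", ".gif")

# Assumed allowlist: processes expected to write image files on these hosts.
# Tune per environment; this is an illustration, not a recommended baseline.
ALLOWED_IMAGE_WRITERS = {
    "c:\\windows\\system32\\snippingtool.exe",
    "c:\\program files\\mozilla firefox\\firefox.exe",
}

# Assumed directories where a user-initiated screenshot is unlikely to land.
# ProgramData is a tuning knob: some legitimate software caches images there.
UNUSUAL_DIRS = ("c:\\system\\", "c:\\programdata\\", "c:\\windows\\temp\\")

# Constructed events. The two malicious-looking file names are the Rover and
# Trojan.Karagany paths from the page; the process paths are invented.
SAMPLE_EVENTS = [
    ("2017-03-01 09:00:02", "C:\\Users\\alice\\AppData\\Roaming\\update.exe", "C:\\system\\screenshot.bmp"),
    ("2017-03-01 09:12:40", "C:\\Windows\\System32\\SnippingTool.exe", "C:\\Users\\alice\\Pictures\\Capture.png"),
    ("2017-03-01 09:15:10", "C:\\ProgramData\\Mail\\MailAg\\mailag.exe", "C:\\ProgramData\\Mail\\MailAg\\shot.png"),
    ("2017-03-01 09:20:00", "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "C:\\Users\\alice\\Downloads\\logo.jpg"),
    ("2017-03-01 10:00:03", "C:\\Users\\alice\\AppData\\Roaming\\update.exe", "C:\\system\\screenshot.bmp"),
    ("2017-03-01 11:00:01", "C:\\Users\\alice\\AppData\\Roaming\\update.exe", "C:\\system\\screenshot.bmp"),
    ("2017-03-01 12:00:05", "C:\\Users\\alice\\AppData\\Roaming\\update.exe", "C:\\system\\screenshot.bmp"),
]


def parse_time(text):
    """Parse the constructed 'YYYY-MM-DD HH:MM:SS' timestamp format."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def is_image_write(target):
    """True if the created file has an image extension."""
    return target.lower().endswith(IMAGE_EXTENSIONS)


def periodic_interval(times, tolerance=0.1):
    """Return the mean gap in seconds if at least three writes are evenly
    spaced (every gap within `tolerance` of the mean), otherwise None."""
    if len(times) < 3:
        return None
    times = sorted(times)
    gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
    mean = sum(gaps) / len(gaps)
    if mean <= 0:
        return None
    if all(abs(gap - mean) <= tolerance * mean for gap in gaps):
        return mean
    return None


def find_screen_capture_candidates(events):
    """Return findings as (process, target, reasons) for image writes that
    come from a non-allowlisted process, land in an unusual directory, or
    recur at a fixed interval. Paths are compared case-insensitively."""
    write_times = defaultdict(list)
    for stamp, image, target in events:
        if is_image_write(target):
            write_times[(image.lower(), target.lower())].append(parse_time(stamp))

    findings = []
    for (image, target), times in write_times.items():
        reasons = []
        if image not in ALLOWED_IMAGE_WRITERS:
            reasons.append("image written by process outside allowlist")
        if target.startswith(UNUSUAL_DIRS):
            reasons.append("image written to unusual directory")
        interval = periodic_interval(times)
        if interval is not None:
            reasons.append("periodic writes every %d s" % round(interval))
        if reasons:
            findings.append((image, target, reasons))
    return findings


if __name__ == "__main__":
    for image, target, reasons in find_screen_capture_candidates(SAMPLE_EVENTS):
        print("%s -> %s: %s" % (image, target, "; ".join(reasons)))
```

On the sample data the Snipping Tool and browser writes produce no finding, the ProgramData write is flagged for both its process and its location, and the C:\system\screenshot.bmp writes collect all three reasons, including the roughly hourly cadence. The API-side signal the paragraph mentions (which process called the screen-reading functions) is not visible in file events and needs an EDR or ETW source; in practice the two are joined on process identity before alerting.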
1. ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
2. Scott-Railton, J., et al. (2016, August 2). Group5: Syria and the Iranian Connection. Retrieved September 26, 2016.
3. Cylance. (2014, December). Operation Cleaver. Retrieved December 4, 2014.
4. F-Secure Labs. (2014, July). COSMICDUKE Cosmu with a twist of MiniDuke. Retrieved July 3, 2014.
5. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved February 25, 2016.
6. Yadav, A., et al. (2016, January 29). Malicious Office files dropping Kasidet and Dridex. Retrieved March 24, 2016.
7. Baumgartner, K. and Garnaeva, M. (2014, November 3). BE2 custom plugins, router abuse, and target profiles. Retrieved March 24, 2016.
8. Ray, V. and Hayashi, K. (2016, February 29). New Malware ‘Rover’ Targets Indian Ambassador to Afghanistan. Retrieved February 29, 2016.
9. Symantec Security Response. (2014, July 7). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.
10. Grunzweig, J. and Miller-Osborn, J. (2016, February 4). T9000: Advanced Modular Backdoor Uses Complex Anti-Analysis Techniques. Retrieved April 15, 2016.
11. Cherepanov, A. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016.
12. Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016.
13. Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.
14. Gostev, A. (2012, May 28). The Flame: Questions and Answers. Retrieved March 1, 2017.
15. Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.
16. Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
17. Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda? Retrieved November 18, 2014.
18. Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.
19. NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.
20. Corio, C. and Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.
21. Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.