Description
Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as CopyFromScreen, xwd, or screencapture.(Citation: CopyFromScreen .NET)(Citation: Antiquated Mac Malware)
Threat Groups (19)
| ID | Group | Context |
|---|---|---|
| G1055 | VOID MANTICORE | [VOID MANTICORE](https://attack.mitre.org/groups/G1055) has captured screen content during an active Zoom session.(Citation: FBI IC3 Flash VOID MANTIC... |
| G0035 | Dragonfly | [Dragonfly](https://attack.mitre.org/groups/G0035) has performed screen captures of victims, including by using a tool, scr.exe (which matched the has... |
| G0060 | BRONZE BUTLER | [BRONZE BUTLER](https://attack.mitre.org/groups/G0060) has used a tool to capture screenshots.(Citation: Secureworks BRONZE BUTLER Oct 2017)(Citation:... |
| G0047 | Gamaredon Group | [Gamaredon Group](https://attack.mitre.org/groups/G0047)'s malware can take screenshots of the compromised computer every minute.(Citation: ESET Gamar... |
| G0049 | OilRig | [OilRig](https://attack.mitre.org/groups/G0049) has a tool called CANDYKING to capture a screenshot of the user's desktop.(Citation: FireEye APT34 Webinar... |
| G0007 | APT28 | [APT28](https://attack.mitre.org/groups/G0007) has used tools to take screenshots from victims.(Citation: ESET Sednit Part 2)(Citation: XAgentOSX 2017... |
| G1019 | MoustachedBouncer | [MoustachedBouncer](https://attack.mitre.org/groups/G1019) has used plugins to take screenshots on targeted systems.(Citation: MoustachedBouncer ESET ... |
| G0115 | GOLD SOUTHFIELD | [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) has used the remote monitoring and management tool ConnectWise to obtain screen captures from... |
| G1044 | APT42 | [APT42](https://attack.mitre.org/groups/G1044) has used malware, such as GHAMBAR and POWERPOST, to take screenshots.(Citation: Mandiant APT42-charms) |
| G0059 | Magic Hound | [Magic Hound](https://attack.mitre.org/groups/G0059) malware can take a screenshot and upload the file to its C2 server.(Citation: Unit 42 Magic Hound... |
| G0069 | MuddyWater | [MuddyWater](https://attack.mitre.org/groups/G0069) has used malware that can capture screenshots of the victim’s machine.(Citation: Securelist MuddyW... |
| G1035 | Winter Vivern | [Winter Vivern](https://attack.mitre.org/groups/G1035) delivered PowerShell scripts capable of taking screenshots of victim machines.(Citation: CERT-U... |
| G0091 | Silence | [Silence](https://attack.mitre.org/groups/G0091) can capture victim screen activity.(Citation: SecureList Silence Nov 2017)(Citation: Group IB Silence... |
| G1017 | Volt Typhoon | [Volt Typhoon](https://attack.mitre.org/groups/G1017) has obtained a screenshot of the victim's system using the gdi32.dll and gdiplus.dll libraries.(... |
| G0043 | Group5 | Malware used by [Group5](https://attack.mitre.org/groups/G0043) is capable of watching the victim's screen.(Citation: Citizen Lab Group5) |
| G0087 | APT39 | [APT39](https://attack.mitre.org/groups/G0087) has used a screen capture utility to take screenshots on a compromised host.(Citation: Symantec Chafer ... |
| G0094 | Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has captured browser screenshots using [TRANSLATEXT](https://attack.mitre.org/software/S1201).(Citati... |
| G0070 | Dark Caracal | [Dark Caracal](https://attack.mitre.org/groups/G0070) took screenshots using their Windows malware.(Citation: Lookout Dark Caracal Jan 2018) |
| G0046 | FIN7 | [FIN7](https://attack.mitre.org/groups/G0046) captured screenshots and desktop video recordings.(Citation: DOJ FIN7 Aug 2018) |
Associated Software (151)
| ID | Name | Type | Context |
|---|---|---|---|
| S9031 | AshTag | Malware | The [AshTag](https://attack.mitre.org/software/S9031) AshenOrchestrator component has the ability to take screenshots.(Citation: Palo Alto Ashen Lepus... |
| S0147 | Pteranodon | Malware | [Pteranodon](https://attack.mitre.org/software/S0147) can capture screenshots at a configurable interval.(Citation: Palo Alto Gamaredon Feb 2017)(Cita... |
| S0417 | GRIFFON | Malware | [GRIFFON](https://attack.mitre.org/software/S0417) has used a screenshot module that can be used to take a screenshot of the remote system.(Citation: ... |
| S0044 | JHUHUGIT | Malware | A [JHUHUGIT](https://attack.mitre.org/software/S0044) variant takes screenshots by simulating the user pressing the "Take Screenshot" key (VK_SCREENSH... |
| S0331 | Agent Tesla | Malware | [Agent Tesla](https://attack.mitre.org/software/S0331) can capture screenshots of the victim’s desktop.(Citation: Talos Agent Tesla Oct 2018)(Citation... |
| S0192 | Pupy | Tool | [Pupy](https://attack.mitre.org/software/S0192) can drop a mouse-logger that will take small screenshots around at each click and then send back to th... |
| S0199 | TURNEDUP | Malware | [TURNEDUP](https://attack.mitre.org/software/S0199) is capable of taking screenshots.(Citation: FireEye APT33 Sept 2017) |
| S0094 | Trojan.Karagany | Malware | [Trojan.Karagany](https://attack.mitre.org/software/S0094) can take a desktop screenshot and save the file into <code>\ProgramData\Mail\MailAg\shot.pn... |
| S0182 | FinFisher | Malware | [FinFisher](https://attack.mitre.org/software/S0182) takes a screenshot of the screen and displays it on top of all other windows for a few seconds in a... |
| S1207 | XLoader | Malware | [XLoader](https://attack.mitre.org/software/S1207) can capture screenshots on compromised hosts.(Citation: Google XLoader 2017)(Citation: Netskope XLo... |
| S0338 | Cobian RAT | Malware | [Cobian RAT](https://attack.mitre.org/software/S0338) has a feature to perform screen capture.(Citation: Zscaler Cobian Aug 2017) |
| S0128 | BADNEWS | Malware | [BADNEWS](https://attack.mitre.org/software/S0128) has a command to take a screenshot and send it to the C2 server.(Citation: Forcepoint Monsoon)(Cita... |
| S0458 | Ramsay | Malware | [Ramsay](https://attack.mitre.org/software/S0458) can take screenshots every 30 seconds as well as when an external removable storage device is connec... |
| S0089 | BlackEnergy | Malware | [BlackEnergy](https://attack.mitre.org/software/S0089) is capable of taking screenshots.(Citation: Securelist BlackEnergy Nov 2014) |
| S1196 | Troll Stealer | Malware | [Troll Stealer](https://attack.mitre.org/software/S1196) can capture screenshots from victim machines.(Citation: S2W Troll Stealer 2024)(Citation: Sym... |
| S0030 | Carbanak | Malware | [Carbanak](https://attack.mitre.org/software/S0030) performs desktop video recording and captures screenshots of the desktop and sends it to the C2 se... |
| S1239 | TONESHELL | Malware | [TONESHELL](https://attack.mitre.org/software/S1239) has conducted screen capturing.(Citation: Palo Alto Unit42 STATELY TAURUS TONESHELL September 202... |
| S0644 | ObliqueRAT | Malware | [ObliqueRAT](https://attack.mitre.org/software/S0644) can capture a screenshot of the current screen.(Citation: Talos Oblique RAT March 2021) |
| S0660 | Clambling | Malware | [Clambling](https://attack.mitre.org/software/S0660) has the ability to capture screenshots.(Citation: Trend Micro DRBControl February 2020) |
| S1213 | Lumma Stealer | Malware | [Lumma Stealer](https://attack.mitre.org/software/S1213) has taken screenshots of victim machines.(Citation: Cybereason LumaStealer Undated) |
References
- Microsoft. (n.d.). Graphics.CopyFromScreen Method. Retrieved March 24, 2020.
- Thomas Reed. (2017, January 18). New Mac backdoor using antiquated code. Retrieved July 5, 2017.
Frequently Asked Questions
What is T1113 (Screen Capture)?
T1113 is a MITRE ATT&CK technique named 'Screen Capture'. It belongs to the Collection tactic(s). Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access too...
How can T1113 be detected?
Detection of T1113 (Screen Capture) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1113?
Follow defense-in-depth principles including network segmentation, least privilege access, security monitoring, and regular patching to reduce the risk of this technique.
Which threat groups use T1113?
Known threat groups using T1113 include: VOID MANTICORE, Dragonfly, BRONZE BUTLER, Gamaredon Group, OilRig, APT28, MoustachedBouncer, GOLD SOUTHFIELD.