
Screen Capture

Description from ATT&CK

Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as CopyFromScreen, xwd, or screencapture.(Citation: CopyFromScreen .NET)(Citation: Antiquated Mac Malware)

Atomic Tests

Atomic Test #1 - Screencapture

Use screencapture command to collect a full desktop screenshot

Supported Platforms: macos

auto_generated_guid: 0f47ceb1-720f-4275-96b8-21f0562217ac

Inputs:

Name Description Type Default Value
output_file Output file path path /tmp/T1113_desktop.png

Attack Commands: Run with bash!

screencapture #{output_file}

Cleanup Commands:

rm #{output_file}

Atomic Test #2 - Screencapture (silent)

Use the screencapture command with -x (no capture sound) to collect a full desktop screenshot without alerting a user at the console

Supported Platforms: macos

auto_generated_guid: deb7d358-5fbd-4dc4-aecc-ee0054d2d9a4

Inputs:

Name Description Type Default Value
output_file Output file path path /tmp/T1113_desktop.png

Attack Commands: Run with bash!

screencapture -x #{output_file}

Cleanup Commands:

rm #{output_file}

Atomic Test #3 - X Windows Capture

Use the xwd command to dump the root window (the full desktop) to an X Window Dump file and review it with xwud

Supported Platforms: linux

auto_generated_guid: 8206dd0c-faf6-4d74-ba13-7fbe13dce6ac

Inputs:

Name Description Type Default Value
output_file Output file path path /tmp/T1113_desktop.xwd
package_checker Package checking command for linux (Debian: dpkg -s x11-apps) string rpm -q xorg-x11-apps
package_installer Package installer command for linux (Debian: apt-get install x11-apps) string yum install -y xorg-x11-apps

Attack Commands: Run with bash!

xwd -root -out #{output_file}
xwud -in #{output_file}

Cleanup Commands:

rm #{output_file}

Dependencies: Run with bash!

Description: Package with XWD and XWUD must exist on device

Check Prereq Commands:

if #{package_checker} > /dev/null; then exit 0; else exit 1; fi

Get Prereq Commands:

sudo #{package_installer}

Atomic Test #4 - X Windows Capture (freebsd)

Use the xwd command to dump the root window (the full desktop) to an X Window Dump file and review it with xwud

Supported Platforms: linux

auto_generated_guid: 562f3bc2-74e8-46c5-95c7-0e01f9ccc65c

Inputs:

Name Description Type Default Value
output_file Output file path path /tmp/T1113_desktop.xwd

Attack Commands: Run with sh!

xwd -root -out #{output_file}
xwud -in #{output_file}

Cleanup Commands:

rm #{output_file}

Dependencies: Run with sh!

Description: Package with XWD and XWUD must exist on device

Check Prereq Commands:

if [ -x "$(command -v xwd)" ] && [ -x "$(command -v xwud)" ]; then exit 0; else exit 1; fi

Get Prereq Commands:

pkg install -y xwd xwud
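Atomic Tests #3 and #4 leave the capture behind as an X Window Dump, and during response you may have only the staged file (possibly renamed) rather than a host with xwud installed. The following is an added example, not Atomic Red Team code: a small parser that validates the header, pulls out the window name and geometry that xwud would use, and flags a dump that is shorter than its header says it should be. It follows the layout in X11's XWDFile.h (25-word big-endian header, NUL-terminated window name, ncolors 12-byte color entries, then bytes_per_line * pixmap_height bytes of pixels); the sample dump it builds is constructed in memory for the demonstration.

```python
"""Triage an X Window Dump (.xwd) without xwud.

Added example; not Atomic Red Team code. Layout per X11 XWDFile.h: a 25-word
big-endian header (100 bytes), the NUL-terminated window name
(header_size - 100 bytes), ncolors 12-byte XWDColor entries, then
bytes_per_line * pixmap_height bytes of pixel data.
"""
import struct
from dataclasses import dataclass

XWD_FILE_VERSION = 7
XWD_FIXED_HEADER = 100   # sz_XWDheader: 25 x CARD32
XWD_COLOR_SIZE = 12      # sz_XWDColor: CARD32 pixel, 3 x CARD16, CARD8 flags, CARD8 pad


@dataclass(frozen=True)
class XwdInfo:
    window_name: str
    width: int
    height: int
    depth: int
    bits_per_pixel: int
    ncolors: int
    expected_size: int   # header + colormap + pixel data, computed from the header
    truncated: bool      # file is shorter than expected_size (cut off or partially exfiltrated)


def parse_xwd(data: bytes) -> XwdInfo:
    """Validate the header and return what xwud would need to render the dump."""
    if len(data) < XWD_FIXED_HEADER:
        raise ValueError("too short for an XWD header")
    (header_size, version, _fmt, depth, width, height, _xoff, _byte_order,
     _unit, _bit_order, _pad, bpp, bytes_per_line, _vclass, _r, _g, _b,
     _bits_per_rgb, _cmap_entries, ncolors, *_window) = struct.unpack(">25I", data[:XWD_FIXED_HEADER])
    if version != XWD_FILE_VERSION:
        raise ValueError(f"not an XWD v7 dump (file_version={version})")
    if header_size < XWD_FIXED_HEADER or header_size > len(data):
        raise ValueError("header_size inconsistent with file length")
    name = data[XWD_FIXED_HEADER:header_size].split(b"\0", 1)[0].decode("latin-1")
    expected = header_size + ncolors * XWD_COLOR_SIZE + bytes_per_line * height
    return XwdInfo(name, width, height, depth, bpp, ncolors, expected, len(data) < expected)


def is_xwd(data: bytes) -> bool:
    """Cheap check for a directory sweep: does this blob look like an XWD v7 dump, whatever its name?"""
    try:
        parse_xwd(data)
        return True
    except ValueError:
        return False


def build_xwd(window_name: bytes, width: int, height: int) -> bytes:
    """Constructed sample: 32 bpp ZPixmap TrueColor dump, no colormap, zeroed pixels."""
    bytes_per_line = width * 4
    header_size = XWD_FIXED_HEADER + len(window_name) + 1
    header = struct.pack(
        ">25I",
        header_size, XWD_FILE_VERSION,
        2,                              # pixmap_format: ZPixmap
        24,                             # pixmap_depth
        width, height,
        0,                              # xoffset
        0,                              # byte_order: LSBFirst
        32, 0, 32,                      # bitmap_unit, bitmap_bit_order, bitmap_pad
        32,                             # bits_per_pixel
        bytes_per_line,
        4,                              # visual_class: TrueColor
        0xFF0000, 0x00FF00, 0x0000FF,   # red/green/blue masks
        8,                              # bits_per_rgb
        256,                            # colormap_entries
        0,                              # ncolors actually written to the file
        width, height, 0, 0, 0,         # window width/height/x/y and border width
    )
    return header + window_name + b"\0" + bytes(bytes_per_line * height)


if __name__ == "__main__":
    sample = build_xwd(b"root window", 4, 2)
    print(parse_xwd(sample))
    print("truncated:", parse_xwd(sample[:-10]).truncated)
    print("PNG looks like XWD:", is_xwd(b"\x89PNG\r\n\x1a\n" + bytes(200)))
```

is_xwd is the function to run over every file in a staging directory such as /tmp: the atomic names its output with a .xwd extension, but an operator need not, and the fixed header layout identifies the dump regardless of the name.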

Atomic Test #5 - Capture Linux Desktop using Import Tool

Use the import command from ImageMagick to capture the root window (the full desktop) to an image file

Supported Platforms: linux

auto_generated_guid: 9cd1cccb-91e4-4550-9139-e20a586fcea1

Inputs:

Name Description Type Default Value
output_file Output file path path /tmp/T1113_desktop.png

Attack Commands: Run with bash!

import -window root #{output_file}

Cleanup Commands:

rm #{output_file}

Dependencies: Run with bash!

Description: ImageMagick must be installed

Check Prereq Commands:

if import -help > /dev/null 2>&1; then exit 0; else exit 1; fi

Get Prereq Commands:

sudo apt install graphicsmagick-imagemagick-compat

Atomic Test #6 - Capture Linux Desktop using Import Tool (freebsd)

Use the import command from ImageMagick to capture the root window (the full desktop) to an image file

Supported Platforms: linux

auto_generated_guid: 18397d87-38aa-4443-a098-8a48a8ca5d8d

Inputs:

Name Description Type Default Value
output_file Output file path path /tmp/T1113_desktop.png

Attack Commands: Run with sh!

import -window root #{output_file}

Cleanup Commands:

rm #{output_file}

Dependencies: Run with sh!

Description: ImageMagick must be installed

Check Prereq Commands:

if import -help > /dev/null 2>&1; then exit 0; else exit 1; fi

Get Prereq Commands:

pkg install -y ImageMagick7

Atomic Test #7 - Windows Screencapture

Use the built-in Psr.exe (Steps Recorder) binary to collect screenshots of the user's display. Steps Recorder captures a screenshot on each user input, so the test performs a left mouse click to simulate user behaviour and guarantee at least one capture.

Supported Platforms: windows

auto_generated_guid: 3c898f62-626c-47d5-aad2-6de873d69153

Inputs:

Name Description Type Default Value
output_file Output file path path c:\temp\T1113_desktop.zip
recording_time Time to take screenshots integer 5

Attack Commands: Run with powershell!

# Start Steps Recorder in the background, no GUI, one screenshot per step, stop on event 12
cmd /c start /b psr.exe /start /output #{output_file} /sc 1 /gui 0 /stopevent 12
# Synthesize a left click (MOUSEEVENTF_MOVE | LEFTDOWN | LEFTUP) so PSR records at least one step
Add-Type -MemberDefinition '[DllImport("user32.dll")] public static extern void mouse_event(int flags, int dx, int dy, int cButtons, int info);' -Name U32 -Namespace W;
[W.U32]::mouse_event(0x02 -bor 0x04 -bor 0x01, 0, 0, 0, 0);
# Redirect to the NUL device (not a file named NULL), wait, then stop the recording
cmd /c "timeout #{recording_time} > NUL && psr.exe /stop"

Cleanup Commands:

rm #{output_file} -ErrorAction Ignore

Atomic Test #8 - Windows Screen Capture (CopyFromScreen)

Take a screen capture of the desktop through a call to the Graphics.CopyFromScreen .NET API.

Supported Platforms: windows

auto_generated_guid: e9313014-985a-48ef-80d9-cde604ffc187

Inputs:

Name Description Type Default Value
output_file Path where captured results will be placed path $env:TEMP\T1113.png

Attack Commands: Run with powershell!

Add-Type -AssemblyName System.Windows.Forms
$screen = [Windows.Forms.SystemInformation]::VirtualScreen
$bitmap = New-Object Drawing.Bitmap $screen.Width, $screen.Height
$graphic = [Drawing.Graphics]::FromImage($bitmap)
$graphic.CopyFromScreen($screen.Left, $screen.Top, 0, 0, $bitmap.Size)
$bitmap.Save("#{output_file}")

Cleanup Commands:

Remove-Item #{output_file} -ErrorAction Ignore

Atomic Test #9 - Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted

Simulates enabling the Windows Recall feature via registry manipulation. Recall is re-enabled by deleting the "DisableAIDataAnalysis" value under the WindowsAI policy key. Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities, since its snapshots are a ready-made screen capture history. The test first writes the value (so the host starts with Recall explicitly disabled) and then deletes it; the deletion is the action a detection should key on.

  • https://learn.microsoft.com/en-us/windows/client-management/manage-recall
  • https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsai#disableaidataanalysis

Supported Platforms: windows

auto_generated_guid: 5a496325-0115-4274-8eb9-755b649ad0fb

Inputs:

None

Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)

reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsAI" /v DisableAIDataAnalysis /t REG_DWORD /d 1 /f
reg delete "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsAI" /v DisableAIDataAnalysis /f

Cleanup Commands:

reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsAI" /v DisableAIDataAnalysis /t REG_DWORD /d 1 /f
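Each atomic above leaves a distinctive command line (or, for Test #8, a PowerShell script block) in process telemetry, which is what a detection engineer running these tests wants to see caught. The block below is an added example, not Atomic Red Team code: one rule per atomic, applied to a constructed list of events whose `text` field stands in for the process command line (Sysmon Event ID 1, auditd EXECVE, macOS Endpoint Security exec events) or the script block text (PowerShell Event ID 4104). It also pulls the staged output path out of the command where one is present, since that is the artifact to collect. It goes one step beyond Test #9 with a rule for writing DisableAIDataAnalysis as 0, which the Microsoft policy CSP documents as the enabled state. The event shape, host names and sample lines are assumptions made for the example.

```python
"""Command-line detection for the T1113 atomics on this page.

Added example; not Atomic Red Team code. Events are a constructed list of
{host, platform, text}: `text` is the process command line for process-creation
telemetry, or the script block text for PowerShell EID 4104.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Event:
    host: str
    platform: str   # "macos" | "linux" | "windows"
    text: str


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    artifact: Optional[str]   # staged output file, when it can be read off the command


# (rule name, platform, pattern over `text`); each pattern mirrors one atomic above.
RULES = [
    ("screencapture-cli",       "macos",   re.compile(r"(^|/)screencapture(\s|$)")),
    ("xwd-root-dump",           "linux",   re.compile(r"(^|/)xwd\s.*-root")),
    ("imagemagick-import-root", "linux",   re.compile(r"(^|/)import\s.*-window\s+root")),
    ("psr-recording-start",     "windows", re.compile(r"(^|\s|\\)psr(\.exe)?\s.*/start", re.I)),
    ("dotnet-copyfromscreen",   "windows", re.compile(r"CopyFromScreen", re.I)),
    ("recall-policy-removed",   "windows", re.compile(r"reg(\.exe)?\s+delete\s.*WindowsAI.*DisableAIDataAnalysis", re.I)),
    # Beyond the atomic: writing the value as 0 also re-enables Recall per the policy CSP.
    ("recall-policy-set-0",     "windows", re.compile(r"reg(\.exe)?\s+add\s.*DisableAIDataAnalysis.*/d\s+0(\s|$)", re.I)),
]

# Staging paths the atomics use: drive letter, $env:TEMP, or an absolute POSIX path.
ARTIFACT = re.compile(r"((?:[A-Za-z]:\\|\$env:TEMP\\|/)\S+\.(?:png|jpg|jpeg|bmp|xwd|zip))", re.I)


def staged_artifact(text: str) -> Optional[str]:
    """Return the screenshot/recording path named on the command line, if any."""
    m = ARTIFACT.search(text)
    return m.group(1) if m else None


def scan(events) -> list:
    """Apply every platform-matching rule to every event; one Finding per hit."""
    findings = []
    for ev in events:
        for name, platform, rx in RULES:
            if ev.platform == platform and rx.search(ev.text):
                findings.append(Finding(ev.host, name, staged_artifact(ev.text)))
    return findings


# Constructed sample telemetry: one line per atomic plus benign look-alikes.
SAMPLE_EVENTS = [
    Event("mac01", "macos", "screencapture -x /tmp/T1113_desktop.png"),
    Event("lnx01", "linux", "xwd -root -out /tmp/T1113_desktop.xwd"),
    Event("lnx01", "linux", "python3 -c 'import sys; print(sys.path)'"),   # benign: not ImageMagick
    Event("lnx01", "linux", "import -window root /tmp/T1113_desktop.png"),
    Event("win01", "windows", r"cmd /c start /b psr.exe /start /output c:\temp\T1113_desktop.zip /sc 1 /gui 0 /stopevent 12"),
    Event("win01", "windows", r'$graphic.CopyFromScreen($screen.Left, $screen.Top, 0, 0, $bitmap.Size); $bitmap.Save("$env:TEMP\T1113.png")'),
    Event("win01", "windows", r'reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsAI" /v DisableAIDataAnalysis /t REG_DWORD /d 1 /f'),  # benign: disables Recall
    Event("win01", "windows", r'reg delete "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsAI" /v DisableAIDataAnalysis /f'),
    Event("win01", "windows", r'reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsAI" /v DisableAIDataAnalysis /t REG_DWORD /d 0 /f'),
]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.host}: {f.rule}  artifact={f.artifact}")
```

The rules are deliberately as narrow as the atomics: the xwd rule keys on `-root`, so a per-window dump with `-id` slips through, and the CopyFromScreen rule only fires if script block logging is on, because nothing in the process command line of Test #8 names the API. Widen them once the baseline for your fleet is known; on macOS in particular, screencapture is also what the keyboard shortcut runs, so expect to tune on parent process or output path.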
