T1113.md

T1113 - Screen Capture

Description from ATT&CK

Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations.

Mac

On OSX, the native command screencapture is used to capture screenshots.

Linux

On Linux, there is the native command xwd. (Citation: Antiquated Mac Malware)

Atomic Tests

• Atomic Test #1 - Screencapture

• Atomic Test #2 - Screencapture (silent)

• Atomic Test #3 - X Windows Capture

• Atomic Test #4 - Import

Atomic Test #1 - Screencapture

Use screencapture command to collect a full desktop screenshot

Supported Platforms: macOS

Inputs

Name	Description	Type	Default Value
output_file	Output file path	Path	desktop.png

Run it with bash!

screencapture

Atomic Test #2 - Screencapture (silent)

Use screencapture command to collect a full desktop screenshot

Supported Platforms: macOS

Inputs

Name	Description	Type	Default Value
output_file	Output file path	Path	desktop.png

Run it with bash!

screencapture -x

Atomic Test #3 - X Windows Capture

Use xwd command to collect a full desktop screenshot and review file with xwud

Supported Platforms: Linux

Inputs

Name	Description	Type	Default Value
output_file	Output file path	Path	desktop.xwd

Run it with bash!

xwd -root -out #{output_file}
xwud -in #{output_file}

Atomic Test #4 - Import

Use import command to collect a full desktop screenshot

Supported Platforms: Linux

Inputs

Name	Description	Type	Default Value
output_file	Output file path	Path	desktop.png

Run it with bash!

import -window root