Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as <code>CopyFromScreen</code>, <code>xwd</code>, or <code>screencapture</code>.(Citation: CopyFromScreen .NET)(Citation: Antiquated Mac Malware)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| linux_auditd_alerts_and_log_analytics_agent_integration | Linux auditd alerts and Log Analytics agent integration | technique_scores | T1113 | Screen Capture |
| azure_sentinel | Azure Sentinel | technique_scores | T1113 | Screen Capture |
| azure_defender_for_app_service | Azure Defender for App Service | technique_scores | T1113 | Screen Capture |