T1113 Screen Capture Mappings

Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as <code>CopyFromScreen</code>, <code>xwd</code>, or <code>screencapture</code>.(Citation: CopyFromScreen .NET)(Citation: Antiquated Mac Malware)



| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
| --- | --- | --- | --- | --- |
| linux_auditd_alerts_and_log_analytics_agent_integration | Linux auditd alerts and Log Analytics agent integration | technique_scores | T1113 | Screen Capture |
| azure_sentinel | Azure Sentinel | technique_scores | T1113 | Screen Capture |
| azure_defender_for_app_service | Azure Defender for App Service | technique_scores | T1113 | Screen Capture |