DET0346 Detect Screen Capture via Commands and API Calls
| Item | Value |
| --- | --- |
| ID | DET0346 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |
Technique Detected: T1113 (Screen Capture)
Analytics
Windows
AN0980
Unusual use of screen capture APIs (e.g., CopyFromScreen) or command-line tools to write image files to disk.
Log Sources
Mutable Elements
| Field | Description |
| --- | --- |
| ParentProcessName | Depends on allowed parent process behaviors in the environment (e.g., explorer.exe vs powershell.exe) |
| TimeWindow | Can tune alert thresholds for rapid or scheduled screenshots (e.g., interval-based screen capture) |
| ImageExtension | To detect file writes (e.g., .bmp, .png) that deviate from typical user activity |
macOS
AN0981
Invocation of built-in commands like screencapture or use of undocumented APIs from suspicious parent processes.
Log Sources
Mutable Elements
| Field | Description |
| --- | --- |
| CommandLineRegex | Customize regex for flag detection (e.g., screencapture -x) based on usage patterns |
| ParentProcessName | May vary depending on expected screencapture behavior (Terminal vs remote agent) |
Linux
AN0982
Use of tools like xwd or import to generate screenshots, especially under non-GUI parent processes.
Log Sources
Mutable Elements
| Field | Description |
| --- | --- |
| TerminalSession | Filter based on TTY sessions or remote terminal usage |
| ExecutablePath | Match against known location of xwd/import binaries or renamed variants |
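As an added example (not part of the DET0346 page or ATT&CK's own content), the following Python applies the mutable elements of AN0980, AN0981 and AN0982 to constructed process and file events and reports why each one trips. The event schema, the threshold defaults and the sample events are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
# Tunables mirror the Mutable Elements of AN0980-AN0982; defaults, event schema and samples are assumed.
IMAGE_EXT = re.compile(r"\.(bmp|png|jpe?g)$", re.I)                  # ImageExtension (AN0980)
CAPTURE = {
    "windows": re.compile(r"CopyFromScreen", re.I),                  # capture API named in cmdline
    "macos":   re.compile(r"\bscreencapture\b.*\s-x\b"),             # CommandLineRegex (AN0981)
    "linux":   re.compile(r"(^|[\s/])(xwd|import)\b"),               # ExecutablePath (AN0982)
}
ALLOWED_PARENT = {"windows": {"explorer.exe"}, "macos": {"Terminal"}, "linux": {"gnome-shell"}}
TIME_WINDOW, MAX_IN_WINDOW = 60, 3      # seconds / count: interval-based capture (TimeWindow)

def evaluate(events):
    """Return [(event_index, reasons)] for events that trip an analytic; baseline gives []."""
    alerts, recent = [], defaultdict(list)           # recent: host -> capture timestamps
    for i, ev in enumerate(events):
        plat = ev["platform"]
        hit = CAPTURE[plat].search(f"{ev.get('exe', '')} {ev.get('cmdline', '')}") or (
            plat == "windows" and IMAGE_EXT.search(ev.get("file_written", "")))
        if not hit:
            continue
        reasons = []
        if ev.get("parent") not in ALLOWED_PARENT[plat]:             # ParentProcessName
            reasons.append(f"unexpected parent {ev.get('parent')}")
        if plat == "linux" and ev.get("session") == "ssh":           # TerminalSession
            reasons.append("capture from remote terminal session")
        h = ev["host"]                                               # sliding per-host window
        recent[h] = [t for t in recent[h] if ev["ts"] - t <= TIME_WINDOW] + [ev["ts"]]
        if len(recent[h]) >= MAX_IN_WINDOW:
            reasons.append(f"{len(recent[h])} captures within {TIME_WINDOW}s")
        if reasons:
            alerts.append((i, reasons))
    return alerts

# Constructed sample events: index 0 is expected baseline activity, the rest should alert.
SAMPLE_EVENTS = [
    {"platform": "windows", "host": "w1", "ts": 100, "parent": "explorer.exe",
     "cmdline": "SnippingTool.exe", "file_written": r"C:\Users\a\Pictures\shot.png"},
    {"platform": "windows", "host": "w1", "ts": 130, "parent": "powershell.exe",
     "cmdline": "powershell -c [Drawing.Graphics]::CopyFromScreen(...)"},
    {"platform": "macos", "host": "m1", "ts": 200, "parent": "remote-agent",
     "cmdline": "screencapture -x /tmp/s.png"},
    {"platform": "linux", "host": "l1", "ts": 300, "parent": "bash", "session": "ssh",
     "exe": "/usr/bin/xwd", "cmdline": "xwd -root -out /tmp/a.xwd"},
    {"platform": "linux", "host": "l1", "ts": 320, "parent": "bash", "session": "ssh",
     "exe": "/usr/bin/import", "cmdline": "import -window root /tmp/b.png"},
    {"platform": "linux", "host": "l1", "ts": 340, "parent": "bash", "session": "ssh",
     "exe": "/usr/bin/xwd", "cmdline": "xwd -root -out /tmp/c.xwd"},
]
```

Calling `evaluate(SAMPLE_EVENTS)` flags indices 1 to 5; the third Linux event additionally carries the TimeWindow reason because three captures fall inside one 60-second window on the same host.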