T0852 Screen Capture
Adversaries may attempt to perform screen capture of devices in the control system environment. Screenshots may be taken of workstations, HMIs, or other devices that display environment-relevant process, device, reporting, alarm, or related data. These displays may reveal information regarding the ICS process, layout, control logic, and related schematics; an HMI in particular exposes a great deal of information about the industrial process.[1] Analysis of captured screens may give the adversary an understanding of intended operations and of the interactions between critical devices.
Item | Value |
---|---|
ID | T0852 |
Sub-techniques | |
Tactics | TA0100 |
Platforms | Human-Machine Interface |
Version | 1.0 |
Created | 21 May 2020 |
Last Modified | 09 March 2023 |
Procedure Examples
ID | Name | Description |
---|---|---|
G1000 | ALLANITE | ALLANITE has been identified collecting and distributing screenshots of ICS systems such as HMIs.[4][1] |
G0064 | APT33 | APT33 utilizes backdoors capable of capturing screenshots once installed on a system.[2][3] |
Mitigations
ID | Mitigation | Description |
---|---|---|
M0816 | Mitigation Limited or Not Effective | Preventing screen capture on a device may require disabling various system calls supported by the operating system (e.g., the Microsoft Windows Graphics.CopyFromScreen API [4]); however, these calls may be needed by other critical applications. |
Detection
ID | Data Source | Data Component |
---|---|---|
DS0017 | Command | Command Execution |
DS0009 | Process | OS API Execution |
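The two data components above (Command Execution and OS API Execution) are what a detection for this technique has to work from. The following is an added example, not part of this ATT&CK page or any MITRE tooling, of detection logic run over constructed telemetry. It assumes a JSON-lines event format, hypothetical host names (an "HMI-" prefix marks HMI hosts), a hypothetical HMI runtime process name (`hmi_runtime.exe`) used as an allowlist, and three capture-related calls (Graphics.CopyFromScreen, BitBlt, PrintWindow). The allowlist exists because of the M0816 caveat: the same APIs are used by legitimate HMI software, so the process and host context, not the API name alone, decides whether an event is suspicious.

```python
"""Added example: flag screen-capture activity on HMI hosts from
process-creation (command line) and API-monitoring telemetry.

Event format, host names, process names and the allowlist are
assumptions constructed for this example, not a real product's schema."""
import json
import re

# Assumed telemetry: one JSON object per line. Process-creation events carry
# "command_line"; API-monitoring events carry "api". Every line below is
# constructed sample data.
SAMPLE_LOG = r"""
{"host": "HMI-01", "process": "hmi_runtime.exe", "user": "operator", "api": "Graphics.CopyFromScreen"}
{"host": "HMI-01", "process": "powershell.exe", "user": "operator", "command_line": "powershell.exe -NoP -W Hidden -c \"Add-Type -AssemblyName System.Drawing; $b = New-Object Drawing.Bitmap 1920,1080; [Drawing.Graphics]::FromImage($b).CopyFromScreen(0,0,0,0,$b.Size); $b.Save('C:\\Users\\Public\\s.png')\""}
{"host": "HMI-02", "process": "rundll32.exe", "user": "SYSTEM", "api": "BitBlt"}
{"host": "ENG-01", "process": "SnippingTool.exe", "user": "engineer", "api": "PrintWindow"}
{"host": "HMI-03", "process": "nircmd.exe", "user": "operator", "command_line": "nircmd.exe savescreenshot C:\\tmp\\1.png"}
{"host": "HMI-02", "process": "svchost.exe", "user": "SYSTEM", "command_line": "svchost.exe -k netsvcs"}
"""

# GDI/.NET calls that copy framebuffer contents. Legitimate applications use
# them too (the M0816 caveat), so process/host context decides suspicion.
CAPTURE_APIS = {"Graphics.CopyFromScreen", "BitBlt", "PrintWindow"}

# Command-line patterns: the .NET capture call driven from a script host, a
# .NET Bitmap-and-save sequence, and a common screenshot CLI (case-insensitive).
CMDLINE_RULES = [
    ("cmdline:dotnet-copyfromscreen", re.compile(r"CopyFromScreen", re.I)),
    ("cmdline:drawing-bitmap-save", re.compile(r"System\.Drawing.*Bitmap.*\.Save\(", re.I | re.S)),
    ("cmdline:nircmd-savescreenshot", re.compile(r"nircmd(\.exe)?\s+savescreenshot", re.I)),
]

# Assumed: HMI runtime processes expected to call capture APIs (lowercase names).
HMI_PROCESS_ALLOWLIST = {"hmi_runtime.exe"}
# Assumed naming convention for HMI hosts; drives severity.
HMI_HOST = re.compile(r"^HMI-", re.I)


def parse_events(text):
    """Parse JSON-lines telemetry; skip blank or malformed lines instead of failing."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def classify(event):
    """Return the rule names an event matches (empty list if benign)."""
    hits = []
    proc = event.get("process", "").lower()
    api = event.get("api")
    if api in CAPTURE_APIS and proc not in HMI_PROCESS_ALLOWLIST:
        hits.append("api:" + api)
    cmd = event.get("command_line", "")
    for name, pattern in CMDLINE_RULES:
        if pattern.search(cmd):
            hits.append(name)
    return hits


def detect(text):
    """Run every event through the rules; produce one finding per matching event."""
    findings = []
    for ev in parse_events(text):
        hits = classify(ev)
        if not hits:
            continue
        findings.append({
            "host": ev.get("host"),
            "process": ev.get("process"),
            "user": ev.get("user"),
            "rules": hits,
            "severity": "high" if HMI_HOST.match(ev.get("host", "")) else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['host']} {f['process']} ({f['user']}): {', '.join(f['rules'])}")
```

On the sample data the allowlisted HMI runtime calling CopyFromScreen produces no finding, while the hidden PowerShell session, rundll32 calling BitBlt, and nircmd on HMI hosts are rated high and the PrintWindow call on the engineering workstation medium. In practice the allowlist should be built from a baseline of which processes on each HMI legitimately draw from the screen, since that set varies by vendor.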
References
1. ICS-CERT. (2017, October 21). Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved October 23, 2017.
2. Jacqueline O'Leary et al. (2017, September 20). Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware. Retrieved December 2, 2019.
3. Junnosuke Yagi. (2017, March 7). Trojan.Stonedrill. Retrieved December 5, 2019.
4. Microsoft. (n.d.). Graphics.CopyFromScreen Method. Retrieved March 24, 2020.
5. Thomas Reed. (2017, January 18). New Mac backdoor using antiquated code. Retrieved July 5, 2017.