T0852 Screen Capture
Adversaries may attempt to perform screen capture of devices in the control system environment. Screenshots may be taken of workstations, HMIs, or other devices that display environment-relevant process, device, reporting, alarm, or related data. These device displays may reveal information regarding the ICS process, layout, control, and related schematics. In particular, an HMI can provide a lot of important industrial process information. Analysis of screen captures may provide the adversary with an understanding of intended operations and interactions between critical devices.
|21 May 2020
|09 March 2023
|ALLANITE has been identified collecting and distributing screenshots of ICS systems such as HMIs.
|APT33 utilizes backdoors capable of capturing screenshots once installed on a system.
|Mitigation Limited or Not Effective
|Preventing screen capture on a device may require disabling various system calls supported by the operating system (e.g., the Microsoft Windows.Graphics.Capture APIs); however, these may be needed by other critical applications.