
T0852 Screen Capture

Adversaries may attempt to perform screen capture of devices in the control system environment. Screenshots may be taken of workstations, HMIs, or other devices that display environment-relevant process, device, reporting, alarm, or related data. These device displays may reveal information regarding the ICS process, layout, control, and related schematics. In particular, an HMI can provide a lot of important industrial process information. 1 Analysis of screen captures may provide the adversary with an understanding of intended operations and interactions between critical devices.

| Item | Value |
| --- | --- |
| ID | T0852 |
| Sub-techniques | |
| Tactics | TA0100 |
| Platforms | Human-Machine Interface |
| Version | 1.0 |
| Created | 21 May 2020 |
| Last Modified | 09 March 2023 |

Procedure Examples

| ID | Name | Description |
| --- | --- | --- |
| G1000 | ALLANITE | ALLANITE has been identified to collect and distribute screenshots of ICS systems such as HMIs. 4 1 |
| G0064 | APT33 | APT33 utilizes backdoors capable of capturing screenshots once installed on a system. 23 |

Mitigations

| ID | Mitigation | Description |
| --- | --- | --- |
| M0816 | Mitigation Limited or Not Effective | Preventing screen capture on a device may require disabling various system calls supported by the operating systems (e.g., Microsoft Windows.Graphics.Capture APIs); however, these may be needed for other critical applications. |

Detection

| ID | Data Source | Data Component |
| --- | --- | --- |
| DS0017 | Command | Command Execution |
| DS0009 | Process | OS API Execution |

References