T1113

Screen Capture

Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as CopyFromScreen (.NET), xwd (Linux), or screencapture (macOS). Threat actors including Dragonfly, Gamaredon (Pteranodon), APT33 (TURNEDUP), Agent Tesla, and BlackEnergy have all used screen capture as part of post-compromise collection operations.

Microsoft Sentinel / Defender

kusto

let ScreenshotProcesses = dynamic([
  "scrot", "xwd", "import", "gnome-screenshot", "ksnapshot", "spectacle",
  "screencapture", "psr.exe", "snippingtool.exe", "snipingtool.exe",
  "screenshot.exe", "xrandr"
]);
let ScreenshotExtensions = dynamic([".png", ".jpg", ".jpeg", ".bmp", ".gif"]);
let SuspiciousParents = dynamic([
  "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
  "mshta.exe", "regsvr32.exe", "rundll32.exe", "svchost.exe"
]);
// Branch 1: Known screenshot utility execution from suspicious parent or context
let ScreenshotUtilExec =
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ (ScreenshotProcesses)
    or ProcessCommandLine has_any ("CopyFromScreen", "GetDC", "BitBlt", "PrintWindow",
       "xwd -root", "scrot ", "screencapture ", "xrandr --screenshot")
| where InitiatingProcessFileName in~ (SuspiciousParents)
    or InitiatingProcessFileName !in~ ("explorer.exe", "userinit.exe", "svchost.exe",
       "winlogon.exe", "taskmgr.exe", "dllhost.exe")
| extend DetectionBranch = "ScreenshotUtilFromSuspiciousParent"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionBranch;
// Branch 2: PowerShell or scripting engine calling screenshot-related .NET APIs
let PSScreenshotAPI =
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe", "mshta.exe")
| where ProcessCommandLine has_any (
       "CopyFromScreen", "System.Drawing.Graphics", "System.Windows.Forms.Screen",
       "Graphics.CopyFromScreen", "[Drawing.Graphics]", "PrintWindow",
       "VK_SNAPSHOT", "keybd_event", "0x2C"
  )
| extend DetectionBranch = "ScriptingEngineScreenshotAPI"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionBranch;
// Branch 3: Suspicious screenshot file creation in staging locations by non-UI processes
let ScreenshotFileCreation =
DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType == "FileCreated"
| where FolderPath has_any ("\\Temp\\", "\\AppData\\Local\\Temp\\", "\\ProgramData\\",
       "\\Users\\Public\\", "/tmp/", "/var/tmp/")
| where FileName endswith_any (ScreenshotExtensions)
| where InitiatingProcessFileName !in~ (
       "explorer.exe", "chrome.exe", "firefox.exe", "msedge.exe",
       "iexplore.exe", "outlook.exe", "teams.exe", "slack.exe",
       "zoom.exe", "mspaint.exe", "photoshop.exe", "gimp.exe"
  )
| where InitiatingProcessFileName !startswith "OneDrive"
| extend DetectionBranch = "SuspiciousScreenshotFileInTempPath"
| project Timestamp, DeviceName, AccountName=InitiatingProcessAccountName,
         FileName, FolderPath, InitiatingProcessFileName,
         InitiatingProcessCommandLine, DetectionBranch;
union ScreenshotUtilExec, PSScreenshotAPI, ScreenshotFileCreation
| sort by Timestamp desc

medium severity medium confidence

Data Sources

Process: Process Creation File: File Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceFileEvents

False Positives

IT helpdesk tools (GoToAssist, TeamViewer, AnyDesk) that legitimately capture screens for remote support sessions
Monitoring and observability agents (DataDog, New Relic, OpsGenie) that take periodic UI screenshots for SLA verification
Automated UI testing frameworks (Selenium, Playwright, AutoIt) executing screenshot commands during test runs
User-invoked screenshot utilities (Snipping Tool, Greenshot, Lightshot) started directly by users from explorer.exe
Video conferencing tools (Zoom, Teams, Slack) capturing the screen for screen sharing or recording features

Splunk

spl

| union
[
  search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
  | eval Image_lower=lower(Image)
  | eval ParentImage_lower=lower(ParentImage)
  | eval is_screenshot_tool=if(
      match(Image_lower, "(scrot|xwd|screencapture|psr\.exe|snippingtool\.exe|snipingtool\.exe|screenshot\.exe)"),
      1, 0
    )
  | eval is_script_engine=if(
      match(Image_lower, "(powershell\.exe|pwsh\.exe|cscript\.exe|wscript\.exe|mshta\.exe)"),
      1, 0
    )
  | eval has_screenshot_api=if(
      is_script_engine=1 AND match(lower(CommandLine),
        "(copyfromscreen|system\.drawing\.graphics|system\.windows\.forms\.screen|printwindow|vk_snapshot|keybd_event|0x2c)"),
      1, 0
    )
  | eval suspicious_parent=if(
      match(ParentImage_lower,
        "(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|regsvr32\.exe|rundll32\.exe)"),
      1, 0
    )
  | eval detection_branch=case(
      is_screenshot_tool=1 AND suspicious_parent=1, "ScreenshotUtilFromSuspiciousParent",
      has_screenshot_api=1, "ScriptingEngineScreenshotAPI",
      true(), null()
    )
  | where isnotnull(detection_branch)
  | eval SuspicionScore=is_screenshot_tool + has_screenshot_api + suspicious_parent
  | table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine,
          detection_branch, SuspicionScore
],
[
  search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11
  | eval TargetFilename_lower=lower(TargetFilename)
  | eval Image_lower=lower(Image)
  | eval is_image_extension=if(
      match(TargetFilename_lower, "\.(png|jpg|jpeg|bmp|gif)$"),
      1, 0
    )
  | eval is_staging_path=if(
      match(TargetFilename_lower,
        "(\\\\temp\\\\|\\\\appdata\\\\local\\\\temp\\\\|\\\\programdata\\\\|\\\\users\\\\public\\\\)"),
      1, 0
    )
  | eval is_ui_process=if(
      match(Image_lower,
        "(explorer\.exe|chrome\.exe|firefox\.exe|msedge\.exe|iexplore\.exe|outlook\.exe|teams\.exe|slack\.exe|zoom\.exe|mspaint\.exe|onedrive\.exe|snagit\.exe)"),
      1, 0
    )
  | where is_image_extension=1 AND is_staging_path=1 AND is_ui_process=0
  | eval detection_branch="SuspiciousScreenshotFileInTempPath"
  | eval SuspicionScore=2
  | table _time, host, User, Image, TargetFilename, detection_branch, SuspicionScore
]
| sort - _time

medium severity medium confidence

Data Sources

Process: Process Creation File: File Creation Sysmon Event ID 1 Sysmon Event ID 11

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

IT helpdesk tools (GoToAssist, TeamViewer, AnyDesk) that legitimately capture screens for remote support sessions
Monitoring and observability agents taking periodic UI screenshots for SLA verification
Automated UI testing frameworks (Selenium, Playwright, AutoIt) executing screenshot commands during test runs
User-invoked screenshot utilities started directly by users through Windows Explorer
Video conferencing tools capturing screen content for screen sharing or recording

Elastic Security (EQL)

eql

any where
(
  /* Branch 1: Known screenshot utility executed from suspicious parent */
  (
    event.category == "process" and event.type == "start" and
    (
      process.name in~ ("scrot", "xwd", "import", "gnome-screenshot", "ksnapshot", "spectacle",
        "screencapture", "psr.exe", "snippingtool.exe", "snipingtool.exe", "screenshot.exe", "xrandr") or
      process.command_line : ("*CopyFromScreen*", "*GetDC*", "*BitBlt*", "*PrintWindow*",
        "*xwd -root*", "*scrot *", "*screencapture *", "*xrandr --screenshot*")
    ) and
    (
      process.parent.name in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
        "mshta.exe", "regsvr32.exe", "rundll32.exe", "svchost.exe") or
      not process.parent.name in~ ("explorer.exe", "userinit.exe", "svchost.exe", "winlogon.exe",
        "taskmgr.exe", "dllhost.exe")
    )
  ) or
  /* Branch 2: Scripting engine invoking screenshot-related .NET or Win32 APIs */
  (
    event.category == "process" and event.type == "start" and
    process.name in~ ("powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe", "mshta.exe") and
    process.command_line : ("*CopyFromScreen*", "*System.Drawing.Graphics*",
      "*System.Windows.Forms.Screen*", "*Graphics.CopyFromScreen*", "*PrintWindow*",
      "*VK_SNAPSHOT*", "*keybd_event*", "*0x2C*")
  ) or
  /* Branch 3: Image file created in staging/temp paths by non-UI processes */
  (
    event.category == "file" and event.type == "creation" and
    file.path : ("*/tmp/*", "*/var/tmp/*", "*\\Temp\\*", "*\\AppData\\Local\\Temp\\*",
      "*\\ProgramData\\*", "*\\Users\\Public\\*") and
    (
      file.name : "*.png" or file.name : "*.jpg" or file.name : "*.jpeg" or
      file.name : "*.bmp" or file.name : "*.gif"
    ) and
    not process.name in~ ("explorer.exe", "chrome.exe", "firefox.exe", "msedge.exe",
      "iexplore.exe", "outlook.exe", "teams.exe", "slack.exe", "zoom.exe",
      "mspaint.exe", "photoshop.exe", "gimp.exe") and
    not process.name : "OneDrive*"
  )
)

medium severity medium confidence

Data Sources

Elastic Endpoint Security agent Winlogbeat with Sysmon module Auditbeat file integrity monitoring

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.file-* winlogbeat-*

False Positives

Legitimate screen capture or recording software (Snagit, ShareX, Greenshot, OBS) spawned from automation scripts, scheduled tasks, or CI/CD pipelines that invoke screenshot APIs or write image files to temp paths
IT remote support and RMM tools (TeamViewer, AnyDesk, ConnectWise) that capture screens for session recording and frequently launch from service or svchost parent processes
PowerShell-based UI automation or test frameworks (Pester UI tests, Selenium PowerShell wrappers) used by QA or sysadmin teams that legitimately call System.Drawing.Graphics.CopyFromScreen

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  LOGSOURCENAME(logsourceid) AS log_source,
  sourceip AS host_ip,
  username,
  "Process Name" AS process_name,
  "Command" AS command_line,
  "Parent Process Name" AS parent_process_name,
  CASE
    WHEN LOWER("Process Name") MATCHES
        '(scrot|xwd|screencapture|psr\.exe|snippingtool\.exe|snipingtool\.exe|screenshot\.exe|xrandr)'
      AND LOWER("Parent Process Name") MATCHES
        '(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|regsvr32\.exe|rundll32\.exe)'
    THEN 'ScreenshotUtilFromSuspiciousParent'
    WHEN LOWER("Process Name") MATCHES
        '(powershell\.exe|pwsh\.exe|cscript\.exe|wscript\.exe|mshta\.exe)'
      AND LOWER("Command") MATCHES
        '(copyfromscreen|system\.drawing\.graphics|system\.windows\.forms\.screen|printwindow|vk_snapshot|keybd_event|0x2c)'
    THEN 'ScriptingEngineScreenshotAPI'
    ELSE 'Unknown'
  END AS detection_branch
FROM events
WHERE devicetime > NOW() - 86400000
  AND LOGSOURCETYPEID IN (12, 119, 341, 352)
  AND (
    (
      LOWER("Process Name") MATCHES
        '(scrot|xwd|screencapture|psr\.exe|snippingtool\.exe|snipingtool\.exe|screenshot\.exe|xrandr)'
      AND LOWER("Parent Process Name") MATCHES
        '(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|regsvr32\.exe|rundll32\.exe)'
    ) OR (
      LOWER("Process Name") MATCHES
        '(powershell\.exe|pwsh\.exe|cscript\.exe|wscript\.exe|mshta\.exe)'
      AND LOWER("Command") MATCHES
        '(copyfromscreen|system\.drawing\.graphics|system\.windows\.forms\.screen|printwindow|vk_snapshot|keybd_event|0x2c)'
    )
  )
ORDER BY devicetime DESC

medium severity medium confidence

Data Sources

IBM QRadar SIEM Microsoft Windows Sysmon event log forwarding WinCollect or WinRM-based Windows Security Event Log

Required Tables

events

False Positives

Automated CI/CD pipelines that run GUI integration tests (e.g., Selenium Grid, WinAppDriver) using PowerShell wrappers that call CopyFromScreen for visual regression testing
RMM platforms (NinjaRMM, Kaseya, SolarWinds N-central) that launch built-in screenshot utilities from their agent service processes during remote support sessions
Security awareness or DLP solutions (ObserveIT, Teramind) that periodically capture employee screens for compliance monitoring, running as background services under non-explorer parents

Sumo Logic CSE

sql

(_sourceCategory=windows/sysmon OR _sourceCategory=endpoint/windows/sysmon)
| where EventID in ("1", "11")
| eval image_lower = toLowerCase(Image)
| eval parent_lower = toLowerCase(ParentImage)
| eval cmdline_lower = toLowerCase(CommandLine)
| eval target_lower = toLowerCase(TargetFilename)
// Branch 1: Screenshot tool detection (EventID=1)
| eval is_screenshot_tool = if(
    EventID = "1" and
    matches(image_lower, "scrot|xwd|gnome-screenshot|ksnapshot|spectacle|screencapture|psr\\.exe|snippingtool\\.exe|snipingtool\\.exe|screenshot\\.exe|xrandr"),
    1, 0)
// Branch 2a: Scripting engine process
| eval is_script_engine = if(
    EventID = "1" and
    matches(image_lower, "powershell\\.exe|pwsh\\.exe|cscript\\.exe|wscript\\.exe|mshta\\.exe"),
    1, 0)
// Branch 2b: Screenshot API in command line
| eval has_screenshot_api = if(
    is_script_engine = 1 and
    matches(cmdline_lower,
      "copyfromscreen|system\\.drawing\\.graphics|system\\.windows\\.forms\\.screen|printwindow|vk_snapshot|keybd_event|0x2c"),
    1, 0)
// Suspicious parent process check
| eval suspicious_parent = if(
    matches(parent_lower,
      "cmd\\.exe|powershell\\.exe|pwsh\\.exe|wscript\\.exe|cscript\\.exe|mshta\\.exe|regsvr32\\.exe|rundll32\\.exe"),
    1, 0)
// Branch 3: Suspicious image file creation (EventID=11)
| eval is_image_ext = if(
    EventID = "11" and
    matches(target_lower, "\\.(png|jpg|jpeg|bmp|gif)$"),
    1, 0)
| eval is_staging_path = if(
    EventID = "11" and
    matches(target_lower,
      "\\\\temp\\\\|\\\\appdata\\\\local\\\\temp\\\\|\\\\programdata\\\\|\\\\users\\\\public\\\\"),
    1, 0)
| eval is_ui_process = if(
    matches(image_lower,
      "explorer\\.exe|chrome\\.exe|firefox\\.exe|msedge\\.exe|iexplore\\.exe|outlook\\.exe|teams\\.exe|slack\\.exe|zoom\\.exe|mspaint\\.exe|onedrive"),
    1, 0)
// Assign detection branch
| eval detection_branch = if(
    is_screenshot_tool = 1 and suspicious_parent = 1,
    "ScreenshotUtilFromSuspiciousParent",
    if(has_screenshot_api = 1,
    "ScriptingEngineScreenshotAPI",
    if(is_image_ext = 1 and is_staging_path = 1 and is_ui_process = 0,
    "SuspiciousScreenshotFileInTempPath",
    null)))
| where !isnull(detection_branch)
| eval suspicion_score = is_screenshot_tool + has_screenshot_api + suspicious_parent + is_staging_path
| fields _messageTime, Computer, User, Image, CommandLine, ParentImage, TargetFilename,
    detection_branch, suspicion_score
| sort by _messageTime desc

medium severity medium confidence

Data Sources

Sumo Logic Cloud SIEM Windows Sysmon via Sumo Logic Installed Collector Sumo Logic Endpoint Security integration

Required Tables

windows/sysmon endpoint/windows/sysmon

False Positives

Penetration testing or authorized red team operations using tools like Metasploit (screenshot module) or PowerShell Empire that legitimately capture screens during engagements
Employee monitoring and workforce analytics platforms (Teramind, ActivTrak, Hubstaff) running as background services that capture periodic screenshots and write them to temp directories
Software test automation frameworks (Ranorex, TestComplete, Katalon) that use GDI/Win32 APIs or scripting engines to capture screenshots for visual regression testing during CI/CD runs

Google Chronicle / SecOps

yaral

rule t1113_screen_capture_process {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects MITRE ATT&CK T1113 screen capture via known utilities from suspicious parents or scripting engines using screenshot APIs"
    mitre_attack_technique = "T1113"
    mitre_attack_tactic = "Collection"
    severity = "MEDIUM"
    confidence = "MEDIUM"
    version = "1.0"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      // Branch 1: Known screenshot tool launched from suspicious scripting parent
      (
        (
          re.regex($e.target.process.file.full_path,
            `(?i)(scrot|xwd|gnome-screenshot|ksnapshot|spectacle|screencapture|psr\.exe|snippingtool\.exe|snipingtool\.exe|screenshot\.exe|xrandr)`) or
          re.regex($e.target.process.command_line,
            `(?i)(CopyFromScreen|GetDC|BitBlt|PrintWindow|xwd\s+-root|scrot\s+|screencapture\s+|xrandr\s+--screenshot)`)
        ) and
        re.regex($e.principal.process.file.full_path,
          `(?i)(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|regsvr32\.exe|rundll32\.exe|svchost\.exe)`)
      ) or
      // Branch 2: Scripting engine invoking screenshot .NET or Win32 APIs
      (
        re.regex($e.target.process.file.full_path,
          `(?i)(powershell\.exe|pwsh\.exe|cscript\.exe|wscript\.exe|mshta\.exe)`) and
        re.regex($e.target.process.command_line,
          `(?i)(CopyFromScreen|System\.Drawing\.Graphics|System\.Windows\.Forms\.Screen|Graphics\.CopyFromScreen|PrintWindow|VK_SNAPSHOT|keybd_event|0x2C)`)
      )
    )

  condition:
    $e
}

rule t1113_screen_capture_file_staging {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects suspicious image file creation in temp/staging paths by non-UI processes, indicating screenshot staging for exfiltration (T1113)"
    mitre_attack_technique = "T1113"
    mitre_attack_tactic = "Collection"
    severity = "MEDIUM"
    confidence = "MEDIUM"
    version = "1.0"

  events:
    $e.metadata.event_type = "FILE_CREATION"
    re.regex($e.target.file.full_path, `(?i)\.(png|jpg|jpeg|bmp|gif)$`)
    re.regex($e.target.file.full_path,
      `(?i)(\\Temp\\|\\AppData\\Local\\Temp\\|\\ProgramData\\|\\Users\\Public\\|/tmp/|/var/tmp/)`)
    not re.regex($e.principal.process.file.full_path,
      `(?i)(explorer\.exe|chrome\.exe|firefox\.exe|msedge\.exe|iexplore\.exe|outlook\.exe|teams\.exe|slack\.exe|zoom\.exe|mspaint\.exe|photoshop\.exe|gimp\.exe|OneDrive)`)

  condition:
    $e
}

medium severity medium confidence

Data Sources

Google Chronicle Security Operations Windows endpoint logs via Chronicle forwarder agent EDR telemetry normalized to Chronicle UDM

Required Tables

UDM events with event_type PROCESS_LAUNCH UDM events with event_type FILE_CREATION

False Positives

Authorized red team or penetration testing tooling (Cobalt Strike screenshot beacon, Metasploit screengrab module) during sanctioned engagements that will trigger the scripting engine API branch
Enterprise screen recording or video conferencing software (Zoom local recording, Microsoft Teams background blur) that creates intermediate image frames in temp directories during meetings
Batch image processing or document conversion pipelines (ImageMagick, LibreOffice headless) that write PNG/JPEG output to /tmp or %TEMP% as part of standard document rendering workflows

CrowdStrike LogScale (CQL)

cql

// Branches 1 & 2: Screenshot utility or scripting engine API usage via process events
#event_simpleName in ("ProcessRollup2", "SyntheticProcessRollup2")
| eval FileName_lower = lower(FileName)
| eval ParentBaseFileName_lower = lower(ParentBaseFileName)
| eval CommandLine_lower = lower(CommandLine)
| eval is_screenshot_tool = if(
    FileName_lower = /scrot|xwd|gnome-screenshot|ksnapshot|spectacle|screencapture|psr\.exe|snippingtool\.exe|snipingtool\.exe|screenshot\.exe|xrandr/,
    1, 0)
| eval is_script_engine = if(
    FileName_lower = /powershell\.exe|pwsh\.exe|cscript\.exe|wscript\.exe|mshta\.exe/,
    1, 0)
| eval has_screenshot_api = if(
    is_script_engine = 1 and CommandLine_lower = /copyfromscreen|system\.drawing\.graphics|system\.windows\.forms\.screen|printwindow|vk_snapshot|keybd_event|0x2c/,
    1, 0)
| eval suspicious_parent = if(
    ParentBaseFileName_lower = /cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|regsvr32\.exe|rundll32\.exe/,
    1, 0)
| eval DetectionBranch = case(
    is_screenshot_tool = 1 and suspicious_parent = 1,
      "ScreenshotUtilFromSuspiciousParent",
    has_screenshot_api = 1,
      "ScriptingEngineScreenshotAPI",
    true(),
      null())
| where DetectionBranch != null
| eval SuspicionScore = is_screenshot_tool + has_screenshot_api + suspicious_parent
| select([
    @timestamp, ComputerName, UserName, UserSid, FileName, CommandLine,
    ParentBaseFileName, ParentCommandLine, DetectionBranch, SuspicionScore])
| sort(field=@timestamp, order=desc)

medium severity medium confidence

Data Sources

CrowdStrike Falcon EDR sensor CrowdStrike Falcon LogScale (formerly Humio)

Required Tables

ProcessRollup2 SyntheticProcessRollup2

False Positives

IT administrators or sysadmins running ad-hoc PowerShell scripts that use System.Drawing.Graphics.CopyFromScreen for automated UI documentation, report generation, or help desk tooling in managed enterprise environments
Security testing and vulnerability assessment tools (Nessus credentialed scans, Qualys agent, custom DAST tooling) that spawn screenshot utilities from their service processes during host assessment tasks
Help desk and ITSM self-service portals with screen capture integrations (ServiceNow agent, Jira Service Management desktop connector) that invoke screenshotting from background service parent processes to attach evidence to tickets

Last updated: 2026-04-18 Research depth: deep

References (13)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1113 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Screen Capture

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Collection

Popular Detections