T1113 Microsoft Sentinel · KQL

Detect Screen Capture in Microsoft Sentinel

Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as CopyFromScreen (.NET), xwd (Linux), or screencapture (macOS). Threat actors including Dragonfly, Gamaredon (Pteranodon), APT33 (TURNEDUP), Agent Tesla, and BlackEnergy have all used screen capture as part of post-compromise collection operations.

MITRE ATT&CK

Tactic
Collection
Technique
T1113 Screen Capture
Canonical reference
https://attack.mitre.org/techniques/T1113/

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
let ScreenshotProcesses = dynamic([
  "scrot", "xwd", "import", "gnome-screenshot", "ksnapshot", "spectacle",
  "screencapture", "psr.exe", "snippingtool.exe", "snipingtool.exe",
  "screenshot.exe", "xrandr"
]);
let ScreenshotExtensions = dynamic([".png", ".jpg", ".jpeg", ".bmp", ".gif"]);
let SuspiciousParents = dynamic([
  "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
  "mshta.exe", "regsvr32.exe", "rundll32.exe", "svchost.exe"
]);
// Branch 1: Known screenshot utility execution from suspicious parent or context
let ScreenshotUtilExec =
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ (ScreenshotProcesses)
    or ProcessCommandLine has_any ("CopyFromScreen", "GetDC", "BitBlt", "PrintWindow",
       "xwd -root", "scrot ", "screencapture ", "xrandr --screenshot")
| where InitiatingProcessFileName in~ (SuspiciousParents)
    or InitiatingProcessFileName !in~ ("explorer.exe", "userinit.exe", "svchost.exe",
       "winlogon.exe", "taskmgr.exe", "dllhost.exe")
| extend DetectionBranch = "ScreenshotUtilFromSuspiciousParent"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionBranch;
// Branch 2: PowerShell or scripting engine calling screenshot-related .NET APIs
let PSScreenshotAPI =
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe", "mshta.exe")
| where ProcessCommandLine has_any (
       "CopyFromScreen", "System.Drawing.Graphics", "System.Windows.Forms.Screen",
       "Graphics.CopyFromScreen", "[Drawing.Graphics]", "PrintWindow",
       "VK_SNAPSHOT", "keybd_event", "0x2C"
  )
| extend DetectionBranch = "ScriptingEngineScreenshotAPI"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionBranch;
// Branch 3: Suspicious screenshot file creation in staging locations by non-UI processes
let ScreenshotFileCreation =
DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType == "FileCreated"
| where FolderPath has_any ("\\Temp\\", "\\AppData\\Local\\Temp\\", "\\ProgramData\\",
       "\\Users\\Public\\", "/tmp/", "/var/tmp/")
| where FileName endswith_any (ScreenshotExtensions)
| where InitiatingProcessFileName !in~ (
       "explorer.exe", "chrome.exe", "firefox.exe", "msedge.exe",
       "iexplore.exe", "outlook.exe", "teams.exe", "slack.exe",
       "zoom.exe", "mspaint.exe", "photoshop.exe", "gimp.exe"
  )
| where InitiatingProcessFileName !startswith "OneDrive"
| extend DetectionBranch = "SuspiciousScreenshotFileInTempPath"
| project Timestamp, DeviceName, AccountName=InitiatingProcessAccountName,
         FileName, FolderPath, InitiatingProcessFileName,
         InitiatingProcessCommandLine, DetectionBranch;
union ScreenshotUtilExec, PSScreenshotAPI, ScreenshotFileCreation
| sort by Timestamp desc
medium severity medium confidence

Detects screen capture activity via three detection branches using Microsoft Defender for Endpoint tables. Branch 1 identifies known screenshot utilities (scrot, xwd, screencapture, psr.exe, snippingtool.exe) launched from suspicious parent processes. Branch 2 detects scripting engines (PowerShell, cscript, wscript, mshta) invoking screenshot-related .NET APIs (CopyFromScreen, System.Drawing.Graphics, PrintWindow) or keyboard shortcuts (VK_SNAPSHOT). Branch 3 monitors for image files created in staging paths (Temp, ProgramData, Public) by non-UI processes, which is a pattern used by RATs staging screenshots for exfiltration.

Data Sources

Process: Process CreationFile: File CreationCommand: Command ExecutionMicrosoft Defender for Endpoint

Required Tables

DeviceProcessEventsDeviceFileEvents

False Positives & Tuning

  • IT helpdesk tools (GoToAssist, TeamViewer, AnyDesk) that legitimately capture screens for remote support sessions
  • Monitoring and observability agents (DataDog, New Relic, OpsGenie) that take periodic UI screenshots for SLA verification
  • Automated UI testing frameworks (Selenium, Playwright, AutoIt) executing screenshot commands during test runs
  • User-invoked screenshot utilities (Snipping Tool, Greenshot, Lightshot) started directly by users from explorer.exe
  • Video conferencing tools (Zoom, Teams, Slack) capturing the screen for screen sharing or recording features
Download portable Sigma rule (.yml)

Other platforms for T1113

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Windows Screen Capture via PowerShell CopyFromScreen

    Expected signal: Sysmon Event ID 1: Process Create — Image=powershell.exe, CommandLine containing 'CopyFromScreen', 'System.Drawing.Graphics', 'System.Windows.Forms.Screen'. Sysmon Event ID 11: File Create — TargetFilename=C:\Users\<user>\AppData\Local\Temp\df00tech-capture.png, Image=powershell.exe. PowerShell ScriptBlock Log Event ID 4104 with full script content. Sysmon Event ID 7: Image Load — gdi32.dll loaded by powershell.exe.

  2. Test 2Windows Screen Capture via PSR.exe (Problem Steps Recorder)

    Expected signal: Sysmon Event ID 1: Process Create — Image=C:\Windows\System32\psr.exe, CommandLine containing '/start /output ... /sc 1 /maxsc 5'. Second Event ID 1 for the /stop invocation. Sysmon Event ID 11: File Create — TargetFilename ending in .zip in TEMP path, created by psr.exe. Security Event ID 4688 (if command line auditing enabled) for psr.exe execution.

  3. Test 3Linux Screen Capture via xwd (X Window Dump)

    Expected signal: Linux auditd syscall log: execve syscall for xwd with arguments '-root -silent -out /tmp/df00tech-capture.xwd'. File creation event in /tmp/. Syslog entry if auditd is configured with -a always,exit -F arch=b64 -S execve rule. Process accounting record for xwd execution. /var/log/auth.log may show the user context.

  4. Test 4macOS Screen Capture via screencapture Utility

    Expected signal: macOS Unified Log: log show --predicate 'process == "screencapture"' will show the invocation. Endpoint security framework (ESF) event for ES_EVENT_TYPE_NOTIFY_EXEC for screencapture. File creation event in /tmp/ for the PNG file. If Defender for Endpoint macOS agent is deployed: DeviceProcessEvents with FileName=screencapture and DeviceFileEvents for the output file.

  5. Test 5Windows VK_SNAPSHOT Keyboard Simulation Screenshot

    Expected signal: Sysmon Event ID 1: Process Create — Image=powershell.exe, CommandLine containing 'keybd_event', '0x2C', 'VK_SNAPSHOT'. PowerShell ScriptBlock Log Event ID 4104 with full P/Invoke code. Sysmon Event ID 7: Image Load — user32.dll loaded by powershell.exe. Sysmon Event ID 11: File Create for .png in TEMP if clipboard contained image data.

Last updated: 2026-04-18 Research depth: deep
References (13)

Unlock Pro Content

Get the full detection package for T1113 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Related Techniques

T1056.001KeyloggingT1123Audio CaptureT1041Exfiltration Over C2 ChannelT1074.001Local Data StagingT1560.001Archive via UtilityT1071.001Web ProtocolsT1048Exfiltration Over Alternative ProtocolT1021.001Remote Desktop ProtocolT1543.003Windows ServiceT1547.001Registry Run Keys / Startup Folder

Same Tactic: Collection

Popular Detections