Detect Screen Capture in Sumo Logic CSE
Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as CopyFromScreen (.NET), xwd (Linux), or screencapture (macOS). Threat actors including Dragonfly, Gamaredon (Pteranodon), APT33 (TURNEDUP), Agent Tesla, and BlackEnergy have all used screen capture as part of post-compromise collection operations.
MITRE ATT&CK
- Tactic: Collection
- Technique: T1113 Screen Capture
- Canonical reference: https://attack.mitre.org/techniques/T1113/
Sumo Detection Query
(_sourceCategory=windows/sysmon OR _sourceCategory=endpoint/windows/sysmon)
| where EventID in ("1", "11")
// Normalise case once so every regex below can stay lowercase
| toLowerCase(Image) as image_lower
| toLowerCase(ParentImage) as parent_lower
| toLowerCase(CommandLine) as cmdline_lower
| toLowerCase(TargetFilename) as target_lower
// Branch 1: Screenshot tool detection (EventID=1)
| if(EventID = "1" and image_lower matches /scrot|xwd|gnome-screenshot|ksnapshot|spectacle|screencapture|psr\.exe|snippingtool\.exe|snipingtool\.exe|screenshot\.exe|xrandr/, 1, 0) as is_screenshot_tool
// Branch 2a: Scripting engine process
| if(EventID = "1" and image_lower matches /powershell\.exe|pwsh\.exe|cscript\.exe|wscript\.exe|mshta\.exe/, 1, 0) as is_script_engine
// Branch 2b: Screenshot API referenced in the command line
| if(is_script_engine = 1 and cmdline_lower matches /copyfromscreen|system\.drawing\.graphics|system\.windows\.forms\.screen|printwindow|vk_snapshot|keybd_event|0x2c/, 1, 0) as has_screenshot_api
// Suspicious parent process check
| if(parent_lower matches /cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|regsvr32\.exe|rundll32\.exe/, 1, 0) as suspicious_parent
// Branch 3: Suspicious image file creation (EventID=11)
| if(EventID = "11" and target_lower matches /\.(png|jpg|jpeg|bmp|gif)$/, 1, 0) as is_image_ext
| if(EventID = "11" and target_lower matches /\\temp\\|\\appdata\\local\\temp\\|\\programdata\\|\\users\\public\\/, 1, 0) as is_staging_path
| if(image_lower matches /explorer\.exe|chrome\.exe|firefox\.exe|msedge\.exe|iexplore\.exe|outlook\.exe|teams\.exe|slack\.exe|zoom\.exe|mspaint\.exe|onedrive/, 1, 0) as is_ui_process
// Assign detection branch (empty string means no branch matched)
| if(is_screenshot_tool = 1 and suspicious_parent = 1, "ScreenshotUtilFromSuspiciousParent",
    if(has_screenshot_api = 1, "ScriptingEngineScreenshotAPI",
    if(is_image_ext = 1 and is_staging_path = 1 and is_ui_process = 0, "SuspiciousScreenshotFileInTempPath", ""))) as detection_branch
| where detection_branch != ""
// Simple additive score for triage and alert thresholds
| is_screenshot_tool + has_screenshot_api + suspicious_parent + is_staging_path as suspicion_score
| fields _messageTime, Computer, User, Image, CommandLine, ParentImage, TargetFilename, detection_branch, suspicion_score
| sort by _messageTime desc

Detects screen capture (T1113) in Sumo Logic using Sysmon EventID 1 (process creation) and EventID 11 (file creation). The query has three detection branches: screenshot utility execution from a suspicious scripting parent, scripting engines (PowerShell, cscript, wscript, mshta) with command lines referencing the CopyFromScreen/PrintWindow/VK_SNAPSHOT APIs, and image file creation in temp/staging directories by processes that are not common UI applications. A numeric suspicion_score is computed for analyst triage and rule-based alerting thresholds.
Data Sources
Required Tables
False Positives & Tuning
- Penetration testing or authorized red team operations using tools like Metasploit (screenshot module) or PowerShell Empire that legitimately capture screens during engagements
- Employee monitoring and workforce analytics platforms (Teramind, ActivTrak, Hubstaff) running as background services that capture periodic screenshots and write them to temp directories
- Software test automation frameworks (Ranorex, TestComplete, Katalon) that use GDI/Win32 APIs or scripting engines to capture screenshots for visual regression testing during CI/CD runs
Other platforms for T1113
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Windows Screen Capture via PowerShell CopyFromScreen
  Expected signal: Sysmon Event ID 1: Process Create — Image=powershell.exe, CommandLine containing 'CopyFromScreen', 'System.Drawing.Graphics', 'System.Windows.Forms.Screen'. Sysmon Event ID 11: File Create — TargetFilename=C:\Users\<user>\AppData\Local\Temp\df00tech-capture.png, Image=powershell.exe. PowerShell ScriptBlock Log Event ID 4104 with full script content. Sysmon Event ID 7: Image Load — gdi32.dll loaded by powershell.exe.
- Test 2: Windows Screen Capture via PSR.exe (Problem Steps Recorder)
  Expected signal: Sysmon Event ID 1: Process Create — Image=C:\Windows\System32\psr.exe, CommandLine containing '/start /output ... /sc 1 /maxsc 5'. Second Event ID 1 for the /stop invocation. Sysmon Event ID 11: File Create — TargetFilename ending in .zip in the TEMP path, created by psr.exe. Security Event ID 4688 (if command line auditing is enabled) for psr.exe execution.
- Test 3: Linux Screen Capture via xwd (X Window Dump)
  Expected signal: Linux auditd syscall log: execve syscall for xwd with arguments '-root -silent -out /tmp/df00tech-capture.xwd'. File creation event in /tmp/. Syslog entry if auditd is configured with an '-a always,exit -F arch=b64 -S execve' rule. Process accounting record for xwd execution. /var/log/auth.log may show the user context.
- Test 4: macOS Screen Capture via screencapture Utility
  Expected signal: macOS Unified Log: log show --predicate 'process == "screencapture"' will show the invocation. Endpoint Security framework (ESF) event ES_EVENT_TYPE_NOTIFY_EXEC for screencapture. File creation event in /tmp/ for the PNG file. If the Defender for Endpoint macOS agent is deployed: DeviceProcessEvents with FileName=screencapture and DeviceFileEvents for the output file.
- Test 5: Windows VK_SNAPSHOT Keyboard Simulation Screenshot
  Expected signal: Sysmon Event ID 1: Process Create — Image=powershell.exe, CommandLine containing 'keybd_event', '0x2C', 'VK_SNAPSHOT'. PowerShell ScriptBlock Log Event ID 4104 with full P/Invoke code. Sysmon Event ID 7: Image Load — user32.dll loaded by powershell.exe. Sysmon Event ID 11: File Create for .png in TEMP if the clipboard contained image data.
References (13)
- https://attack.mitre.org/techniques/T1113/
- https://docs.microsoft.com/en-us/dotnet/api/system.drawing.graphics.copyfromscreen?view=netframework-4.8
- https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/
- https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/
- https://unit42.paloaltonetworks.com/gamaredon-february-2022/
- https://securelist.com/griffon-the-javascript-backdoor-used-by-fin7/90515/
- https://www.talos-sec.com/blogs/agent-tesla
- https://www.us-cert.gov/ncas/alerts/TA18-074A
- https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicefileevents-table
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceimageloadevents-table