title: Screen Capture (T1113)
id: df00tech-t1113
status: experimental
description: "Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as CopyFromScreen (.NET), xwd (Linux), or screencapture (macOS). Threat actors including Dragonfly, Gamaredon (Pteranodon), APT33 (TURNEDUP), Agent Tesla, and BlackEnergy have all used screen capture as part of post-compromise collection operations."
references:
  - https://attack.mitre.org/techniques/T1113/
  - https://df00tech.com/detections/T1113
author: df00tech
date: 2026/04/18
tags:
  - attack.t1113
# NOTE: logsource is auto-derived and may need adjustment for your environment.
# The description also names xwd (Linux) and screencapture (macOS); a Windows
# process_creation source will never see those, so cover them with separate rules if needed.
logsource:
  category: process_creation
  product: windows
detection:
  # Placeholder only: the df00tech logic could not be auto-translated to Sigma, and the
  # selection below (EventID: '*') matches EVERY process_creation event. Do not deploy
  # this rule as-is; replace the selection with the KQL/SPL query at
  # https://df00tech.com/detections/T1113 before use.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "IT helpdesk tools (GoToAssist, TeamViewer, AnyDesk) that legitimately capture screens for remote support sessions"
  - "Synthetic monitoring and observability tooling (Datadog and New Relic browser tests, for example) that captures screenshots as part of scripted checks"
  - "Automated UI testing frameworks (Selenium, Playwright, AutoIt) executing screenshot commands during test runs"
  - "User-invoked screenshot utilities (Snipping Tool, Greenshot, Lightshot) started directly by users from explorer.exe"
  - "Video conferencing tools (Zoom, Teams, Slack) capturing the screen for screen sharing or recording features"
level: medium
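The placeholder selection above cannot be exercised, so here is an added example (not the df00tech rule, and not its KQL/SPL query) that evaluates a candidate T1113 selection over constructed Windows process_creation events using Sigma-style field modifiers. The candidate logic is an assumption derived from this page: the CopyFromScreen .NET API named in the description, and the screenshot utilities from the falsepositives list excluding the user-invoked case where the parent is explorer.exe. The field names follow the Sigma process_creation schema; the screenshot-utility binary names and the sample events are assumptions constructed for illustration.

```python
"""Added example (not the df00tech rule): a candidate T1113 selection evaluated
over constructed Windows process_creation events using Sigma-style modifiers.
Field names follow the Sigma process_creation schema; the selection logic and
the screenshot-utility binary names are assumptions, not the df00tech query."""
from __future__ import annotations

# Candidate rule logic (assumption, derived from the rule's description and
# falsepositives rather than from the df00tech KQL/SPL query):
# - .NET screen grabs via Graphics.CopyFromScreen on the command line, which is
#   the API the description names, typically driven from a script host;
# - screenshot utilities from the falsepositives list when NOT launched from
#   explorer.exe, i.e. everything except the user-invoked case.
RULE = {
    "selection_dotnet": {"CommandLine|contains": ["CopyFromScreen"]},
    # Binary names are assumptions for illustration.
    "selection_tools": {
        "Image|endswith": ["\\SnippingTool.exe", "\\Greenshot.exe", "\\Lightshot.exe"]
    },
    "filter_explorer": {"ParentImage|endswith": ["\\explorer.exe"]},
}


def condition(s: dict[str, bool]) -> bool:
    """Sigma condition: (selection_dotnet or selection_tools) and not filter_explorer."""
    return (s["selection_dotnet"] or s["selection_tools"]) and not s["filter_explorer"]


def _field_matches(event: dict, spec: str, patterns: list[str]) -> bool:
    """One 'Field|modifier' entry. Sigma string matching is case-insensitive,
    and a list of values is OR-ed."""
    field, _, modifier = spec.partition("|")
    value = str(event.get(field, "")).lower()
    for p in (p.lower() for p in patterns):
        if modifier == "contains" and p in value:
            return True
        if modifier == "endswith" and value.endswith(p):
            return True
        if modifier == "" and value == p:
            return True
    return False


def selection_matches(event: dict, selection: dict[str, list[str]]) -> bool:
    """All entries of a selection map must match (AND)."""
    return all(_field_matches(event, k, v) for k, v in selection.items())


def matches(event: dict, rule: dict = RULE) -> bool:
    states = {name: selection_matches(event, spec) for name, spec in rule.items()}
    return condition(states)


def evaluate(events: list[dict], rule: dict = RULE) -> list[str]:
    """Return the EventId labels of the events the candidate rule fires on."""
    return [e["EventId"] for e in events if matches(e, rule)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # PowerShell one-liner grabbing the desktop via CopyFromScreen, spawned by cmd.exe
        "EventId": "evt-1",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": (r"powershell -nop -w hidden -c Add-Type -AssemblyName System.Drawing;"
                        r" $b=New-Object Drawing.Bitmap 1920,1080;"
                        r" [Drawing.Graphics]::FromImage($b).CopyFromScreen(0,0,0,0,$b.Size);"
                        r" $b.Save('C:\Users\Public\s.png')"),
    },
    {   # User opened the Snipping Tool from the shell: excluded by filter_explorer
        "EventId": "evt-2",
        "Image": r"C:\Windows\System32\SnippingTool.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": "SnippingTool.exe",
    },
    {   # Same tool launched by an unknown binary from a temp directory: fires
        "EventId": "evt-3",
        "Image": r"C:\Windows\System32\SnippingTool.exe",
        "ParentImage": r"C:\Windows\Temp\updater.exe",
        "CommandLine": "SnippingTool.exe /clip",
    },
    {   # Ordinary PowerShell use: no match
        "EventId": "evt-4",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "powershell -c Get-Process",
    },
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_EVENTS))  # ['evt-1', 'evt-3']
```

The condition is written as a plain function rather than parsed from a Sigma condition string; when porting the real logic from df00tech, keep the parent-process filter, since the falsepositives above are all about who launched the capture rather than what was launched.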
