MITRE ATT&CK: Screen capture
Introduction
There is an old saying that goes “a picture is worth a thousand words.” In many ways, this saying is true: you can learn a great deal about a person or situation if you have a picture that captures an accurate view of things. Attackers and malicious hackers must know this saying well, because many attack campaigns in recent years have fully integrated screen capture capabilities into their campaign operations.
MITRE ATT&CK has included screen capture in its attack matrix. This article will detail this attack technique, including what the MITRE ATT&CK matrix is, the dangers of system feature abuse, how various attack campaigns have used screen capture and tips for the mitigation and detection for a screen capture attack.
FREE role-guided training plans
What is MITRE ATT&CK?
MITRE is a not-for-profit corporation dedicated to solving problems for a safer world. Beginning as a systems engineering company in 1958, MITRE has added new technical and organization capabilities to its knowledge base — including cybersecurity.
To this end, MITRE released the MITRE ATT&CK list as a globally accessible knowledge base of adversary techniques and tactics based upon real-world observations. This information can then be used as the basis for the foundation of the development of threat models and methodologies for cybersecurity product/service community, the private sector and government use.
More information on the MITRE ATT&CK matrix can be found here.
Dangers of abuse of system features
Before we discuss the screen capture attack technique in any detail, we first have to discuss what makes it so dangerous. This attack technique is considered an “abuse of system features” technique. What this means is that the attacker or malicious hacker is leveraging the inherent features of the compromised system against itself. It is sort of like jujitsu or judo, where the opponent’s inherent quality (weight, lack of balance, haphazard forward momentum and so on) is used against the opponent.
Unfortunately for compromised user systems, there is no counter-move to screen capture in most cases.
A little about screen capture
Another old saying, typically said by someone not wanting to be watched, goes “take a picture, it’ll last longer.” Attackers and malicious hackers know this well, and screen capture is the attacker’s way of making good on it.
Screen capture as an attack method takes a screenshot of the compromised system’s desktop during an attack operation in order to gather information about the user’s system. Points of interest for attackers include any sensitive information displayed, including banking information, login credentials stored without security measures (on a notepad, Word doc and so on) and can even extend to running processes.
Screen capture may capture a one-time screenshot, or it may take screenshots at regular intervals. Either way it is used, the screen capture attack technique can be an invaluable source of information during an attack campaign, and attackers know it.
Sometimes the screen capture functionality that’s used stems from the remote access tool used in the respective post-compromise operation. This diversity of behavior and function in the screen capture technique adds to the difficulty in both mitigation and remedy of the attack technique, which will be explored later.
Real-world use of screen capture in attack campaigns
A notable characteristic of the screen capture attack technique is that has been used in different ways, to the point of there not being a necessarily common example of a screen capture attack. The best way to study this technique is to examine some different examples of its real-world use.
Agent Tesla
Agent Tesla is a spyware Trojan. This example epitomizes the most basic use of screen capture. Simply put, this Trojan takes screenshots of the compromised system’s desktop. This relatively new threat has been around since 2018.
Biscuit
Biscuit is a backdoor tool that has been used by attackers and hackers since about 2007. This backdoor offers a command that takes periodic screenshots of the compromised system. This keeps offers a more accurate picture of the compromised system than a one-time screenshot.
Gh0st RAT
Gh0st RAT is a remote access tool (RAT) that offers the capability to remotely capture the compromised system’s screen. This tool has been around since sometime in 2013 and is used by multiple attack groups operating today. The source code is public.
MacSpy
Offered as malware-as-a-service, MacSpy is a Dark Web-based threat that afflicts macOS. MacSpy extends functionality that can screenshot a compromised system’s desktop on multiple monitors.
Pupy
This remote administration tool is open-source and afflicts Windows, OSX, Linux and Android system (cross-platform). It uses a mouse logger to take screenshots around where clicks occur and sends them back to its C2 server. This method is particularly malicious as it could potentially reveal the compromised user’s intent while using their system.
Mitigation
The biggest problem with mitigating screen capture is that it is an abuse of system features. Techniques that abuse system features cannot easily be mitigated because it makes an exploitable vulnerability out of a minor oversight of the OS manufacturer.
Detection
Detection of screen capture is possible, but it depends on the method that the attackers use as the different screen capture methods are mostly tool- (or delivery method) specific. A solid recommendation for detecting some basic screen capture methods that save a screenshot to the compromised system is to monitor for image files written to disk.
Conclusion
Screen capture is an attack technique that allows the attacker to take screenshots of a compromised system’s desktop, where users click, running processes and more. It can be a rich source of information during and after an attack campaign and can even reveal user intent.
The worst characteristic of this technique is that it revolves around abuse of a system feature which makes mitigation difficult. For more information about screen capture, its entry in the MITRE ATT&CK matrix can be found here.
FREE role-guided training plans
Sources
- Screen Capture, MITRE
- Agent Tesla, MITRE
- Decoding network data from a Gh0st RAT variant, NCC Group
- MacSpy: OS X Mac RAT as a Service, AlienVault
Enroll in an Ethical Hacking Boot Camp and earn two of the industry’s most respected certifications — guaranteed.
- CEH exam voucher
- PenTest+ exam voucher
- Exam Pass Guarantee
- Live online hacking training
In this Series
- MITRE ATT&CK: Screen capture
- Intelligence-led pentesting and the evolution of Red Team operations
- Red Teaming: Taking advantage of Certify to attack AD networks
- How ethical hacking and pentesting is changing in 2022
- Ransomware penetration testing: Verifying your ransomware readiness
- Red Teaming: Main tools for wireless penetration tests
- Fundamentals of IoT firmware reverse engineering
- Red Teaming: Top tools and gadgets for physical assessments
- Red teaming: Initial access and foothold
- Top tools for red teaming
- What is penetration testing, anyway?
- Red Teaming: Persistence Techniques
- Red Teaming: Credential dumping techniques
- Top 6 bug bounty programs for cybersecurity professionals
- Tunneling and port forwarding tools used during red teaming assessments
- SigintOS: Signal Intelligence via a single graphical interface
- Top tools for mobile android assessments
- Top tools for mobile iOS assessments
- Red Team: C2 frameworks for pentesting
- Inside 1,602 pentests: Common vulnerabilities, findings and fixes
- Red teaming tutorial: Active directory pentesting approach and tools
- Red Team tutorial: A walkthrough on memory injection techniques
- Python for active defense: Monitoring
- Python for active defense: Network
- Python for active defense: Decoys
- How to write a port scanner in Python in 5 minutes: Example and walkthrough
- Using Python for MITRE ATT&CK and data encrypted for impact
- Explore Python for MITRE ATT&CK exfiltration and non-application layer protocol
- Explore Python for MITRE ATT&CK command-and-control
- Explore Python for MITRE ATT&CK email collection and clipboard data
- Explore Python for MITRE ATT&CK lateral movement and remote services
- Explore Python for MITRE ATT&CK account and directory discovery
- Explore Python for MITRE ATT&CK credential access and network sniffing
- Top 10 security tools for bug bounty hunters
- Kali Linux: Top 5 tools for password attacks
- Kali Linux: Top 5 tools for post exploitation
- Kali Linux: Top 5 tools for database security assessments
- Kali Linux: Top 5 tools for information gathering
- Kali Linux: Top 5 tools for sniffing and spoofing
- Kali Linux: Top 8 tools for wireless attacks
- Kali Linux: Top 5 tools for penetration testing reporting
- Kali Linux overview: 14 uses for digital forensics and pentesting
- Top 19 Kali Linux tools for vulnerability assessments
- Explore Python for MITRE ATT&CK persistence
- Explore Python for MITRE ATT&CK defense evasion
- Explore Python for MITRE ATT&CK privilege escalation
- Explore Python for MITRE ATT&CK initial access
- Top 18 tools for vulnerability exploitation in Kali Linux
- Explore Python for MITRE PRE-ATT&CK, network scanning and Scapy
- Kali Linux: Top 5 tools for social engineering
- Basic snort rules syntax and usage [updated 2021]
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Penetration testing
Intelligence-led pentesting and the evolution of Red Team operations
Penetration testing
Red Teaming: Taking advantage of Certify to attack AD networks
Penetration testing
Penetration testing
Ransomware penetration testing: Verifying your ransomware readiness