MITRE ATT&CK: Screen capture
There is an old saying that goes “a picture is worth a thousand words.” In many ways, this saying is true: you can learn a great deal about a person or situation if you have a picture that captures an accurate view of things. Attackers and malicious hackers must know this saying well, because many attack campaigns in recent years have fully integrated screen capture capabilities into their campaign operations.
MITRE ATT&CK has included screen capture in its attack matrix. This article will detail this attack technique, including what the MITRE ATT&CK matrix is, the dangers of system feature abuse, how various attack campaigns have used screen capture and tips for the mitigation and detection for a screen capture attack.
What is MITRE ATT&CK?
MITRE is a not-for-profit corporation dedicated to solving problems for a safer world. Beginning as a systems engineering company in 1958, MITRE has added new technical and organization capabilities to its knowledge base — including cybersecurity.
To this end, MITRE released the MITRE ATT&CK list as a globally accessible knowledge base of adversary techniques and tactics based upon real-world observations. This information can then be used as the basis for the foundation of the development of threat models and methodologies for cybersecurity product/service community, the private sector and government use.
More information on the MITRE ATT&CK matrix can be found here.
Dangers of abuse of system features
Before we discuss the screen capture attack technique in any detail, we first have to discuss what makes it so dangerous. This attack technique is considered an “abuse of system features” technique. What this means is that the attacker or malicious hacker is leveraging the inherent features of the compromised system against itself. It is sort of like jujitsu or judo, where the opponent’s inherent quality (weight, lack of balance, haphazard forward momentum and so on) is used against the opponent.
Unfortunately for compromised user systems, there is no counter-move to screen capture in most cases.
A little about screen capture
Another old saying, typically said by someone not wanting to be watched, goes “take a picture, it’ll last longer.” Attackers and malicious hackers know this well, and screen capture is the attacker’s way of making good on it.
Screen capture as an attack method takes a screenshot of the compromised system’s desktop during an attack operation in order to gather information about the user’s system. Points of interest for attackers include any sensitive information displayed, including banking information, login credentials stored without security measures (on a notepad, Word doc and so on) and can even extend to running processes.
Screen capture may capture a one-time screenshot, or it may take screenshots at regular intervals. Either way it is used, the screen capture attack technique can be an invaluable source of information during an attack campaign, and attackers know it.
Sometimes the screen capture functionality that’s used stems from the remote access tool used in the respective post-compromise operation. This diversity of behavior and function in the screen capture technique adds to the difficulty in both mitigation and remedy of the attack technique, which will be explored later.
Real-world use of screen capture in attack campaigns
A notable characteristic of the screen capture attack technique is that has been used in different ways, to the point of there not being a necessarily common example of a screen capture attack. The best way to study this technique is to examine some different examples of its real-world use.
Agent Tesla is a spyware Trojan. This example epitomizes the most basic use of screen capture. Simply put, this Trojan takes screenshots of the compromised system’s desktop. This relatively new threat has been around since 2018.
Biscuit is a backdoor tool that has been used by attackers and hackers since about 2007. This backdoor offers a command that takes periodic screenshots of the compromised system. This keeps offers a more accurate picture of the compromised system than a one-time screenshot.
Gh0st RAT is a remote access tool (RAT) that offers the capability to remotely capture the compromised system’s screen. This tool has been around since sometime in 2013 and is used by multiple attack groups operating today. The source code is public.
Offered as malware-as-a-service, MacSpy is a Dark Web-based threat that afflicts macOS. MacSpy extends functionality that can screenshot a compromised system’s desktop on multiple monitors.
This remote administration tool is open-source and afflicts Windows, OSX, Linux and Android system (cross-platform). It uses a mouse logger to take screenshots around where clicks occur and sends them back to its C2 server. This method is particularly malicious as it could potentially reveal the compromised user’s intent while using their system.
The biggest problem with mitigating screen capture is that it is an abuse of system features. Techniques that abuse system features cannot easily be mitigated because it makes an exploitable vulnerability out of a minor oversight of the OS manufacturer.
Detection of screen capture is possible, but it depends on the method that the attackers use as the different screen capture methods are mostly tool- (or delivery method) specific. A solid recommendation for detecting some basic screen capture methods that save a screenshot to the compromised system is to monitor for image files written to disk.
Screen capture is an attack technique that allows the attacker to take screenshots of a compromised system’s desktop, where users click, running processes and more. It can be a rich source of information during and after an attack campaign and can even reveal user intent.
The worst characteristic of this technique is that it revolves around abuse of a system feature which makes mitigation difficult. For more information about screen capture, its entry in the MITRE ATT&CK matrix can be found here.