MITRE ATT&CK LAB

MITRE ATT&CK

Various tests involving methods outlined within the MITRE ATT&CK framework

MITRE ATT&CK™ Analysis - T1113 Screen Capture

1 minute read

Screen Capture

An adversary may take screen captures either to gather sensitive information or get a graphical view of what type of system they have access to. There are multiple ways this can be done from inbuilt remote access tools, to PowerShell and standalone 3rd party binaries.

Screen Capture Analysis

Lab Example

RED TEAM: ATTACK

In this example we have 3 different methods of taking a ScreenShot after compromising a system. These are PowerShell, 3rd Party Binaries, or inbuilt into our RAT.

By testing all methods we can see some subtle differences in their output.

PowerShell Solution:

# First solution by: https://stackoverflow.com/users/267411/jeremy 
# https://stackoverflow.com/questions/2969321/how-can-i-do-a-screen-capture-in-windows-powershell
# Modified solution used below by https://stackoverflow.com/users/1073358/skami

[Reflection.Assembly]::LoadWithPartialName("System.Drawing")
[void] [System.Reflection.Assembly]::LoadWithPartialName("System.Drawing") 
[void] [System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms") 
function screenshot($path) 
{
    $width = 0;
    $height = 0;
    $workingAreaX = 0;
    $workingAreaY = 0;

    $screen = [System.Windows.Forms.Screen]::AllScreens;

    foreach ($item in $screen)
    {
        if($workingAreaX -gt $item.WorkingArea.X)
        {
            $workingAreaX = $item.WorkingArea.X;
        }

        if($workingAreaY -gt $item.WorkingArea.Y)
        {
            $workingAreaY = $item.WorkingArea.Y;
        }

        $width = $width + $item.Bounds.Width;

        if($item.Bounds.Height -gt $height)
        {
            $height = $item.Bounds.Height;
        }
    }

    $bounds = [Drawing.Rectangle]::FromLTRB($workingAreaX, $workingAreaY, $width, $height); 
    $bmp = New-Object Drawing.Bitmap $width, $height;
    $graphics = [Drawing.Graphics]::FromImage($bmp);

    $graphics.CopyFromScreen($bounds.Location, [Drawing.Point]::Empty, $bounds.size);

    $bmp.Save($path);

    $graphics.Dispose();
    $bmp.Dispose();
}

3rd Party Binary Solution:

NirSoft NirCmd

Inbuilt Solution:

Meterpreter

In practice we can go ahead and use all 3 through a single Meterpreter Shell.

T1113 - Screen Capture

The PowerShell Solution is only around 40 lines of script.

T1113 - Screen Capture

BLUE TEAM: DEFEND

From a defenders point of view there’s not a lot we can easily use to detect this. We could look for specific libraries used by 3rd party binaries, or look into specific API calls; however in practice we would largely need to use contextual data around the event or the ScreenShots themselves to confirm this has taken place.

T1113 - Screen Capture

You may also enjoy

ClearFake - Malware Analysis Lab

26 minute read

Analysis of ClearFake malware which is planted on compromised WordPress websites to convince unsuspecting visitors to download and run malware.

LummaC2 - Malware Analysis Lab

30 minute read

Analysis of a RAR file which leads to the discovery of malicious Github repositories designed to distribute malware.