MITRE ATT&CK™ Analysis - T1113 Screen Capture
Screen Capture
An adversary may take screen captures either to gather sensitive information or to get a graphical view of what kind of system they have access to. There are several ways to do this, from capture features built into remote access tools, to PowerShell, to standalone 3rd party binaries.
Screen Capture Analysis
Lab Example
RED TEAM: ATTACK
In this example we have 3 different methods of taking a screenshot after compromising a system: PowerShell, a 3rd party binary, and the capture feature built into our RAT.
Testing all three shows some subtle differences in their output.
PowerShell Solution:
# First solution by: https://stackoverflow.com/users/267411/jeremy
# https://stackoverflow.com/questions/2969321/how-can-i-do-a-screen-capture-in-windows-powershell
# Modified solution used below by https://stackoverflow.com/users/1073358/skami
# Load the .NET assemblies the script needs: System.Drawing for Bitmap/Graphics
# and System.Windows.Forms for the Screen enumeration used below.
[void] [System.Reflection.Assembly]::LoadWithPartialName("System.Drawing")
[void] [System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms")

function screenshot($path)
{
    $width = 0;
    $height = 0;
    $workingAreaX = 0;
    $workingAreaY = 0;
    # Walk every attached monitor so the capture spans the whole virtual desktop.
    $screen = [System.Windows.Forms.Screen]::AllScreens;
    foreach ($item in $screen)
    {
        # Keep the left-most / top-most working-area origin (can be negative on multi-monitor setups).
        if($workingAreaX -gt $item.WorkingArea.X)
        {
            $workingAreaX = $item.WorkingArea.X;
        }
        if($workingAreaY -gt $item.WorkingArea.Y)
        {
            $workingAreaY = $item.WorkingArea.Y;
        }
        # Total width is the sum of all screens; height is that of the tallest screen.
        $width = $width + $item.Bounds.Width;
        if($item.Bounds.Height -gt $height)
        {
            $height = $item.Bounds.Height;
        }
    }
    $bounds = [Drawing.Rectangle]::FromLTRB($workingAreaX, $workingAreaY, $width, $height);
    $bmp = New-Object Drawing.Bitmap $width, $height;
    $graphics = [Drawing.Graphics]::FromImage($bmp);
    # Copy the desktop pixels into the bitmap, write it to $path and release the GDI+ handles.
    $graphics.CopyFromScreen($bounds.Location, [Drawing.Point]::Empty, $bounds.size);
    $bmp.Save($path);
    $graphics.Dispose();
    $bmp.Dispose();
}
3rd Party Binary Solution:
Inbuilt Solution:
In practice we can go ahead and use all 3 through a single Meterpreter shell.
The PowerShell solution is only around 40 lines of script.
BLUE TEAM: DEFEND
From a defender's point of view there is not a lot we can easily use to detect this. We could look for specific libraries loaded by 3rd party binaries, or for specific API calls; in practice, however, we would largely need contextual data around the event, or the screenshots themselves, to confirm that a capture has taken place.
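As an added example that is not part of the original post: a small Python triage routine that applies the detection idea above to PowerShell Script Block Logging events (Event ID 4104), flagging script blocks that show the combination of screen enumeration, System.Drawing and CopyFromScreen seen in the PowerShell solution. It assumes Script Block Logging is enabled; the indicator regexes and the sample events are constructed for this example.

```python
import re

# Indicators taken from the PowerShell screenshot script above. Each is a regex
# run over the ScriptBlockText field of a PowerShell script-block log event (Event ID 4104).
INDICATORS = {
    "copy_from_screen": re.compile(r"\.CopyFromScreen\(", re.I),
    "screen_enumeration": re.compile(r"Windows\.Forms\.Screen\]::(AllScreens|PrimaryScreen)", re.I),
    "drawing_assembly": re.compile(r"System\.Drawing\b", re.I),
    "bitmap_object": re.compile(r"Drawing\.Bitmap\b", re.I),
}

def matched_indicators(script_text):
    """Return the names of all indicators found in one script block."""
    return [name for name, rx in INDICATORS.items() if rx.search(script_text)]

def classify(script_text):
    """Classify one script block as 'screen_capture', 'suspicious' or 'benign'.

    CopyFromScreen is the capture call itself, so it is decisive on its own.
    Screen enumeration combined with a Drawing/Bitmap object is the second strong
    pattern (the function above does exactly this). Merely loading System.Drawing
    is common in legitimate image-processing scripts, so that alone is only
    'suspicious' and needs the contextual data the text mentions.
    """
    hits = set(matched_indicators(script_text))
    if "copy_from_screen" in hits:
        return "screen_capture"
    if "screen_enumeration" in hits and hits & {"drawing_assembly", "bitmap_object"}:
        return "screen_capture"
    return "suspicious" if hits else "benign"

def triage(events):
    """Run classify() over 4104-style events; return (RecordId, User, verdict) for non-benign ones."""
    return [(ev["RecordId"], ev["User"], classify(ev["ScriptBlockText"]))
            for ev in events if classify(ev["ScriptBlockText"]) != "benign"]

# Constructed sample events (not real log data) shaped like Event ID 4104 records.
SAMPLE_EVENTS = [
    {"RecordId": 101, "User": "CORP\\alice",
     "ScriptBlockText": "Get-Process | Where-Object { $_.CPU -gt 100 }"},
    {"RecordId": 102, "User": "CORP\\bob",  # legitimate image handling: System.Drawing only
     "ScriptBlockText": "[void][Reflection.Assembly]::LoadWithPartialName('System.Drawing')\n"
                        "$img = New-Object Drawing.Bitmap 'C:\\temp\\logo.png'\n$img.Save('C:\\temp\\logo2.png')"},
    {"RecordId": 103, "User": "CORP\\svc-web",  # screen enumeration plus bitmap sized to the desktop
     "ScriptBlockText": "$screen = [System.Windows.Forms.Screen]::AllScreens;\n"
                        "$bmp = New-Object Drawing.Bitmap $width, $height;"},
    {"RecordId": 104, "User": "CORP\\svc-web",  # the capture call itself
     "ScriptBlockText": "$graphics.CopyFromScreen($bounds.Location, [Drawing.Point]::Empty, $bounds.size);"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Running it over the constructed events reports 102 as suspicious and 103 and 104 as screen capture; the first verdict is the kind that needs the surrounding context (image files written, user and host) before it is escalated.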