1 | | -# Triage Guide: Screen Capture Utility Execution |
| 1 | +# Suspicious Screen Capture Utility Execution Triage Guide |
2 | 2 |
3 | | -## Detection Title |
4 | | -Screen Capture Utility Execution |
| 3 | +## Rule Overview |
5 | 4 |
6 | | -## Detection ID |
7 | | -SENT-COLL-0003 |
| 5 | +**Title:** Suspicious Screen Capture Utility Execution |
| 6 | +**Rule ID:** SENT-COLL-0003 |
| 7 | +**Severity:** Medium |
| 8 | +**Risk Score:** 56 |
| 9 | +**Tactic:** Collection |
| 10 | +**Technique:** T1113 - Screen Capture |
| 11 | +**Platform:** Microsoft Sentinel |
| 12 | +**Data Source:** DeviceProcessEvents |
| 13 | +**Lifecycle:** Experimental |
8 | 14 |
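Review bot: the Rule Overview fields (`**Title:**` through `**Lifecycle:**`) are consecutive lines with no blank line or trailing double space between them, so most Markdown renderers will collapse the nine fields into one paragraph; either end each line with two spaces or render them as a list (`- **Title:** ...`).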
9 | | -## Objective |
| 15 | +## Purpose |
10 | 16 |
11 | | -This detection identifies execution of screenshot or screen-capture tools that may be used to collect visible user-session data, application contents, or on-screen credentials. |
| 17 | +This detection identifies screen capture utilities or scripted screenshot behavior that may indicate collection of user session data. |
12 | 18 |
13 | | -## Why It Matters |
| 19 | +This matters because attackers may capture screenshots to collect: |
14 | 20 |
15 | | -Screen capture can be used to collect: |
16 | | -- user session details |
17 | | -- visible documents |
18 | | -- internal dashboards |
19 | | -- chat contents |
20 | | -- credentials or MFA prompts displayed on screen |
| 21 | +- Credentials displayed on screen |
| 22 | +- MFA prompts or codes |
| 23 | +- Sensitive internal documents |
| 24 | +- Remote session activity |
| 25 | +- User workflows and visible data |
21 | 26 |
22 | | -This behavior is not always malicious, but it becomes more significant when tied to remote access, credential theft, or exfiltration activity. |
| 27 | +## Detection Logic Summary |
23 | 28 |
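Review bot: the sentence "This behavior is not always malicious, but it becomes more significant when tied to remote access, credential theft, or exfiltration activity." is removed here and nothing in the new Purpose section replaces it, so the section now reads as if every match is hostile; keep a one-line caveat in Purpose (the Benign Explanations section is several screens further down) so a Medium-severity alert is not read as confirmed collection.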
24 | | -## Alert Logic Summary |
| 29 | +The rule looks for known screen capture utilities such as: |
25 | 30 |
26 | | -The rule looks for execution of: |
27 | | -- `snippingtool.exe` |
28 | 31 | - `psr.exe` |
29 | 32 | - `nircmd.exe` |
| 33 | +- `snippingtool.exe` |
| 34 | +- `snipaste.exe` |
| 35 | + |
| 36 | +It also looks for command lines containing: |
30 | 37 |
31 | | -or command lines containing: |
32 | 38 | - `screenshot` |
33 | 39 | - `capturedesktop` |
| 40 | +- `saveimage` |
34 | 41 | - `screen capture` |
35 | 42 |
| 43 | +The rule increases suspicion when: |
| 44 | + |
| 45 | +- `nircmd.exe` or `snipaste.exe` are used |
| 46 | +- the command line indicates explicit screenshot behavior |
| 47 | +- the initiating process is a script host or LOLBin such as: |
| 48 | + - `powershell.exe` |
| 49 | + - `pwsh.exe` |
| 50 | + - `cmd.exe` |
| 51 | + - `wscript.exe` |
| 52 | + - `cscript.exe` |
| 53 | + - `mshta.exe` |
| 54 | + |
| 55 | +The alert triggers when the suspicion score is 2 or greater. |
| 56 | + |
| 57 | +## Likely Analyst Goal |
| 58 | + |
| 59 | +Determine whether the screen capture behavior was: |
| 60 | + |
| 61 | +- Normal user activity |
| 62 | +- Help desk, documentation, or training activity |
| 63 | +- Approved support tooling |
| 64 | +- Suspicious collection of screen content |
| 65 | + |
36 | 66 | ## Initial Triage Questions |
37 | 67 |
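Review bot: the Detection Logic Summary lists three suspicion conditions and a threshold of "2 or greater" but never states how many points each condition contributes or whether the base utility or keyword match itself scores, so an analyst cannot work out from an alert which two conditions fired; state the weight per condition next to each bullet and say whether the keyword terms (`screenshot`, `capturedesktop`, `saveimage`, `screen capture`) are matched as case-insensitive substrings of `ProcessCommandLine`, since bare terms like `saveimage` will match command lines that have nothing to do with the listed utilities.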
38 | | -- Was the host being used for support or documentation? |
39 | | -- Is the user known to take screenshots as part of their role? |
40 | | -- Was the tool launched interactively or by script? |
41 | | -- Were image files written to disk? |
42 | | -- Was there follow-on staging or exfiltration behavior? |
| 68 | +1. Which utility executed? |
| 69 | +2. Was the screenshot action interactive or scripted? |
| 70 | +3. Is screen capture normal for the user and host? |
| 71 | +4. Were image files saved to suspicious locations? |
| 72 | +5. Did exfiltration, clipboard access, or archiving follow? |
| 73 | + |
| 74 | +--- |
43 | 75 |
44 | 76 | ## Investigation Steps |
45 | 77 |
46 | | -1. Review the executing process and command line. |
47 | | -2. Identify the user and session context. |
48 | | -3. Determine whether the host was under support, training, or documentation activity. |
49 | | -4. Review whether image or capture files were created and where. |
50 | | -5. Check for related suspicious activity: |
51 | | - - remote access tools |
52 | | - - credential access |
53 | | - - archive creation |
54 | | - - outbound transfer |
55 | | -6. Determine whether the tool is approved and expected in the environment. |
| 78 | +### 1. Review the Process and Command Line |
| 79 | + |
| 80 | +Inspect: |
| 81 | + |
| 82 | +- `FileName` |
| 83 | +- `ProcessCommandLine` |
| 84 | +- `InitiatingProcessFileName` |
| 85 | +- `InitiatingProcessCommandLine` |
| 86 | +- `AccountName` |
| 87 | + |
| 88 | +Determine whether the activity involved: |
| 89 | + |
| 90 | +- Built-in screenshot tooling |
| 91 | +- Third-party capture utilities |
| 92 | +- Explicit scripting of screenshot behavior |
| 93 | + |
| 94 | +**Why this matters:** |
| 95 | +Scripted or automated screenshot behavior is generally more suspicious than ad hoc user screenshots. |
| 96 | + |
| 97 | +--- |
| 98 | + |
| 99 | +### 2. Determine Whether the Activity Was Interactive or Scripted |
| 100 | + |
| 101 | +Look for: |
| 102 | + |
| 103 | +- Script hosts or LOLBins as parent processes |
| 104 | +- Silent capture options |
| 105 | +- Save paths in command lines |
| 106 | +- Repeated or automated screenshot execution |
| 107 | + |
| 108 | +**Why this matters:** |
| 109 | +Automated screen capture may indicate malware collecting visible session content. |
| 110 | + |
| 111 | +--- |
| 112 | + |
| 113 | +### 3. Review Output File Locations |
| 114 | + |
| 115 | +Check whether image files were written to: |
| 116 | + |
| 117 | +- `%TEMP%` |
| 118 | +- Downloads |
| 119 | +- Desktop |
| 120 | +- AppData |
| 121 | +- Shared folders |
| 122 | +- Staging directories |
| 123 | + |
| 124 | +Determine whether screenshots were stored in: |
| 125 | + |
| 126 | +- Expected user locations |
| 127 | +- Hidden or temporary directories |
| 128 | +- Folders associated with archive or exfiltration activity |
| 129 | + |
| 130 | +**Why this matters:** |
| 131 | +Unusual save locations can indicate staging for transfer. |
| 132 | + |
| 133 | +--- |
| 134 | + |
| 135 | +### 4. Determine Whether the Activity Is Expected |
| 136 | + |
| 137 | +Validate whether the activity aligns to: |
| 138 | + |
| 139 | +- Help desk support |
| 140 | +- Documentation workflows |
| 141 | +- User training |
| 142 | +- Internal knowledge base creation |
| 143 | +- Approved remote support tooling |
| 144 | + |
| 145 | +**Why this matters:** |
| 146 | +Screen capture is common in support and training contexts. |
56 | 147 |
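Review bot: step 3 asks whether image files were written to `%TEMP%`, Downloads, AppData and so on, but the rule's only declared data source is `DeviceProcessEvents`, which records process starts and not file writes; tell the analyst where to look, for example file-creation telemetry such as `DeviceFileEvents` joined on `DeviceId` and the initiating process id, or the save path argument in `ProcessCommandLine` for utilities that take one. The same applies to the email and cloud upload checks in step 5, which need network or file telemetry rather than the process table.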
57 | | -## Common False Positives |
| 148 | +--- |
58 | 149 |
59 | | -- legitimate screenshots by users |
60 | | -- IT support sessions |
61 | | -- training or documentation creation |
62 | | -- problem-step recording for troubleshooting |
63 | | -- approved admin or automation tooling |
| 150 | +### 5. Hunt for Related Collection Activity |
64 | 151 |
65 | | -## Escalation Guidance |
| 152 | +Check for nearby: |
| 153 | + |
| 154 | +- Clipboard access |
| 155 | +- Browser credential access |
| 156 | +- Archive creation |
| 157 | +- File staging |
| 158 | +- Email transfer |
| 159 | +- Cloud upload |
| 160 | +- Additional scripting activity |
| 161 | + |
| 162 | +**Why this matters:** |
| 163 | +Screen capture paired with other collection activity is more concerning. |
| 164 | + |
| 165 | +--- |
| 166 | + |
| 167 | +### 6. Assess User and Device Context |
| 168 | + |
| 169 | +Review: |
| 170 | + |
| 171 | +- Whether the host is high value |
| 172 | +- Whether the user is privileged |
| 173 | +- Whether the device has recent suspicious alerts |
| 174 | +- Whether screen capture is typical for that role |
| 175 | + |
| 176 | +**Why this matters:** |
| 177 | +Screen capture on sensitive systems can have higher impact. |
| 178 | + |
| 179 | +--- |
| 180 | + |
| 181 | +## Benign Explanations |
| 182 | + |
| 183 | +Common legitimate scenarios include: |
| 184 | + |
| 185 | +1. Legitimate user screenshots |
| 186 | +2. Support, documentation, or training workflows |
| 187 | +3. Approved remote support tooling capturing user screens |
| 188 | + |
| 189 | +--- |
| 190 | + |
| 191 | +## Suspicious Indicators |
| 192 | + |
| 193 | +Escalate concern when you observe: |
| 194 | + |
| 195 | +- Scripted or repeated screenshot capture |
| 196 | +- Rare utilities such as `nircmd.exe` |
| 197 | +- Execution from temp or suspicious paths |
| 198 | +- Screenshots saved into staging folders |
| 199 | +- Clipboard, credential, or exfiltration activity nearby |
| 200 | +- Other malware indicators on the host |
| 201 | + |
| 202 | +--- |
| 203 | + |
| 204 | +## Triage Decision |
| 205 | + |
| 206 | +### Close as Benign / False Positive |
| 207 | + |
| 208 | +Close as benign when: |
| 209 | + |
| 210 | +- The activity aligns to user, help desk, or documentation workflows |
| 211 | +- The utility and save path are expected |
| 212 | +- No related suspicious behavior is present |
| 213 | + |
| 214 | +### Escalate as Suspicious |
66 | 215 |
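Review bot: the new Benign Explanations list drops two entries from the old Common False Positives list, "problem-step recording for troubleshooting" and "approved admin or automation tooling", even though `psr.exe` (the Problem Steps Recorder) is still one of the matched utilities and approved automation is the most likely benign source of a scripted capture launched from `cmd.exe` or `powershell.exe`, which is exactly the combination that reaches a score of 2; add both back as items 4 and 5.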
67 | 216 | Escalate when: |
68 | | -- capture tools are launched by unusual parent processes |
69 | | -- capture activity is scripted or hidden |
70 | | -- images are staged for outbound transfer |
71 | | -- the affected host or account is high-value |
72 | | -- the activity is paired with credential access or remote-control behavior |
73 | 217 |
74 | | -## Recommended Enrichment |
| 218 | +- Screen capture is uncommon for the host |
| 219 | +- Activity appears scripted or automated |
| 220 | +- Files are saved to suspicious locations |
| 221 | +- Collection or transfer behavior is nearby |
| 222 | + |
| 223 | +### Escalate as Likely Malicious |
| 224 | + |
| 225 | +Escalate as likely malicious when: |
| 226 | + |
| 227 | +- Evidence shows automated screen collection |
| 228 | +- The activity is part of a broader attack chain |
| 229 | +- Exfiltration or credential theft indicators are present |
| 230 | + |
| 231 | +--- |
| 232 | + |
| 233 | +## Response Actions |
| 234 | + |
| 235 | +Depending on findings, consider: |
| 236 | + |
| 237 | +- Isolating the host if malicious collection is suspected |
| 238 | +- Collecting the executed binary and command line artifacts |
| 239 | +- Reviewing saved screenshots and staging paths |
| 240 | +- Hunting for similar utilities across the environment |
| 241 | +- Escalating to incident response if coordinated collection is confirmed |
| 242 | + |
| 243 | +--- |
| 244 | + |
| 245 | +## Example Analyst Notes Template |
| 246 | + |
| 247 | +### Analyst Summary |
75 | 248 |
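Review bot: the Escalate as Suspicious criteria no longer include "capture tools are launched by unusual parent processes" or "the affected host or account is high-value" from the old list, although a script-host or LOLBin parent is one of the rule's own scoring conditions and step 6 asks the analyst to assess host and user sensitivity; add a bullet for each so the decision section matches both the rule logic and the investigation steps.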
76 | | -- process tree |
77 | | -- written image or recording files |
78 | | -- destination folders |
79 | | -- recent outbound network activity |
80 | | -- remote access tool presence |
81 | | -- related alerts on the same host |
82 | | -- user role and host sensitivity |
| 249 | +Alert fired for suspicious screen capture utility execution, potentially indicating collection of user session data or on-screen sensitive information. |
83 | 250 |
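Review bot: the removed Recommended Enrichment list carried "remote access tool presence" and "recent outbound network activity", and neither appears in steps 5 or 6 or in the Key Findings template that replaces it, even though the Purpose section still names remote session activity as something an attacker captures; add both to step 5 (Hunt for Related Collection Activity) and a "Remote access tooling present:" field to Key Findings.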
84 | | -## ATT&CK Mapping |
| 251 | +### Key Findings |
85 | 252 |
86 | | -- Collection |
87 | | -- T1113 – Screen Capture |
| 253 | +- **Affected device:** |
| 254 | +- **Affected user:** |
| 255 | +- **Utility executed:** |
| 256 | +- **Command line:** |
| 257 | +- **Initiating process:** |
| 258 | +- **Screenshot save path:** |
| 259 | +- **Expected business purpose:** |
| 260 | +- **Nearby collection or exfiltration activity:** |
| 261 | +- **Final assessment:** |
88 | 262 |
89 | | -## Related Rule |
| 263 | +### Recommended Disposition |
90 | 264 |
91 | | -- `detections/sentinel/collection/screen-capture-utility-execution.yml` |
| 265 | +- Benign / False Positive |
| 266 | +- Suspicious - Needs Deeper Investigation |
| 267 | +- Confirmed Malicious |
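Review bot: the Related Rule section with the path `detections/sentinel/collection/screen-capture-utility-execution.yml` is removed and nothing in the new guide points back at the rule definition, so an analyst cannot get from this page to the query that computes the suspicion score; keep the path, for example as a `**Rule file:**` field in Rule Overview next to `**Rule ID:** SENT-COLL-0003`.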