MITRE ATT&CK™ Analysis

Screen Capture

An adversary may take screen captures either to gather sensitive information or to get a graphical view of what type of system they have access to. There are multiple ways this can be done, from functionality built into remote access tools to PowerShell and standalone 3rd party binaries.

Screen Capture Analysis

Lab Example


In this example we have 3 different methods of taking a screenshot after compromising a system: PowerShell, a 3rd party binary, and the capability built into our RAT.

By testing all methods we can see some subtle differences in their output.

PowerShell Solution:

# First solution by: 
# Modified solution used below by

[void] [System.Reflection.Assembly]::LoadWithPartialName("System.Drawing")
[void] [System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms")
function screenshot($path)
{
    $width = 0;
    $height = 0;
    $workingAreaX = 0;
    $workingAreaY = 0;

    $screen = [System.Windows.Forms.Screen]::AllScreens;

    # Walk every attached monitor to size one bitmap that covers them all
    foreach ($item in $screen)
    {
        if($workingAreaX -gt $item.WorkingArea.X)
        {
            $workingAreaX = $item.WorkingArea.X;
        }

        if($workingAreaY -gt $item.WorkingArea.Y)
        {
            $workingAreaY = $item.WorkingArea.Y;
        }

        $width = $width + $item.Bounds.Width;

        if($item.Bounds.Height -gt $height)
        {
            $height = $item.Bounds.Height;
        }
    }

    $bounds = [Drawing.Rectangle]::FromLTRB($workingAreaX, $workingAreaY, $width, $height);
    $bmp = New-Object Drawing.Bitmap $width, $height;
    $graphics = [Drawing.Graphics]::FromImage($bmp);

    $graphics.CopyFromScreen($bounds.Location, [Drawing.Point]::Empty, $bounds.size);

    # Write the capture to $path and release the GDI+ objects
    $bmp.Save($path);
    $graphics.Dispose();
    $bmp.Dispose();
}



3rd Party Binary Solution:

NirSoft NirCmd

Inbuilt Solution:


In practice we can go ahead and use all 3 through a single Meterpreter Shell.

T1113 - Screen Capture

The PowerShell Solution is only around 40 lines of script.


From a defender's point of view there's not a lot we can easily use to detect this. We could look for specific libraries used by 3rd party binaries, or look into specific API calls; however, in practice we would largely need to use contextual data around the event, or the screenshots themselves, to confirm this has taken place.
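One way to turn the "specific API calls" idea into a log check, as an added example that is not part of the original post: it matches the API names from the PowerShell script above in script block logs (event 4104) and the NirCmd savescreenshot verb in process-creation command lines (Sysmon 1 / Security 4688). It assumes events are already parsed into dictionaries; the field names host, script_block and command_line are hypothetical, and the sample events are constructed.

```python
import re

# Indicators taken from the PowerShell script on this page; "savescreenshot"
# is NirCmd's screenshot command. Plain string matching is easy to evade, so
# hits are leads that still need the surrounding context to confirm.
SCRIPT_INDICATORS = {
    "CopyFromScreen": re.compile(r"\.CopyFromScreen\s*\(", re.I),
    "Screen.AllScreens": re.compile(r"Windows\.Forms\.Screen\]::AllScreens", re.I),
    "Drawing.Bitmap": re.compile(r"New-Object\s+(System\.)?Drawing\.Bitmap", re.I),
}
CMDLINE_INDICATORS = {
    "nircmd savescreenshot": re.compile(r'nircmdc?(\.exe)?"?\s+savescreenshot', re.I),
}

def match_indicators(event):
    """Return the sorted indicator names found in one event."""
    if event["event_id"] == 4104:          # PowerShell script block logging
        table, text = SCRIPT_INDICATORS, event.get("script_block", "")
    elif event["event_id"] in (1, 4688):   # Sysmon / Security process creation
        table, text = CMDLINE_INDICATORS, event.get("command_line", "")
    else:
        return []
    return sorted(name for name, rx in table.items() if rx.search(text))

def find_screen_capture(events, min_script_hits=2):
    """Flag events; script blocks need several indicators to cut noise."""
    findings = []
    for ev in events:
        hits = match_indicators(ev)
        needed = min_script_hits if ev["event_id"] == 4104 else 1
        if len(hits) >= needed:
            findings.append((ev["host"], ev["event_id"], hits))
    return findings

# Constructed sample events (hypothetical field names, not real telemetry).
SAMPLE_EVENTS = [
    {"host": "WS01", "event_id": 4104, "script_block":
     "$bmp = New-Object Drawing.Bitmap $width, $height; "
     "$graphics.CopyFromScreen($bounds.Location, [Drawing.Point]::Empty, $bounds.size)"},
    {"host": "WS02", "event_id": 4104, "script_block":
     "$img = New-Object System.Drawing.Bitmap 'C:\\reports\\logo.png'"},
    {"host": "WS03", "event_id": 4688, "command_line":
     "C:\\Users\\Public\\nircmd.exe savescreenshot C:\\Users\\Public\\s.png"},
    {"host": "WS04", "event_id": 4688, "command_line": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    for host, eid, hits in find_screen_capture(SAMPLE_EVENTS):
        print(f"{host} event {eid}: {', '.join(hits)}")
```

WS02 loads an image with the same Bitmap class and is not flagged, which is why a script block needs more than one indicator before it is reported.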
