
Screen Capture


ID: T0852
Tactic: Collection
Data Sources: Command: Command Execution; Process: OS API Execution
Asset: Human-Machine Interface


Adversaries may attempt to perform screen capture of devices in the control system environment. Screenshots may be taken of workstations, HMIs, or other devices that display environment-relevant process, device, reporting, alarm, or related data. These device displays may reveal information regarding the ICS process, layout, control, and related schematics. In particular, an HMI can provide a lot of important industrial process information.[1] Analysis of screen captures may provide the adversary with an understanding of intended operations and interactions between critical devices.

Procedure Examples

  • ALLANITE has been identified to collect and distribute screenshots of ICS systems such as HMIs.[2][1]
  • APT33 utilizes backdoors capable of capturing screenshots once installed on a system.[3][4]
  • Dragonfly 2.0 has been reported to take screenshots of the GUI for ICS equipment, such as HMIs.[5]


  • Mitigation Limited or Not Effective - Preventing screen capture on a device may require disabling various system calls supported by the operating system (e.g., the Microsoft Windows.Graphics.Capture APIs); however, these may be needed by other critical applications.
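
Because the capture APIs cannot simply be disabled, the two listed data sources (command execution and OS API execution) are better used for allowlist-based detection on HMIs. The following is an added example, not part of the original page; the event schema, API watchlist, command marker and allowlisted path are all assumptions, and the telemetry is constructed.

```python
import json

# Assumed watchlist of screen-capture entry points (illustrative, not exhaustive).
# The Windows.Graphics.Capture family is the one the mitigation note names.
CAPTURE_APIS = {
    "GraphicsCaptureSession.StartCapture",
    "IDXGIOutput1.DuplicateOutput",
    "PrintWindow",
}
# Assumed command-line marker for scripted capture.
CAPTURE_CMD_MARKERS = ("copyfromscreen",)

# Hypothetical site allowlist of programs that legitimately capture the screen.
# A production allowlist should key on signer or hash, not on path alone.
ALLOWED_IMAGES = {r"c:\program files\hmivendor\trendexport.exe"}

# Constructed sample telemetry, one JSON event per line (hypothetical schema).
SAMPLE_EVENTS = r"""
{"host":"HMI-01","type":"api_call","image":"C:\\Program Files\\HMIVendor\\TrendExport.exe","api":"GraphicsCaptureSession.StartCapture"}
{"host":"HMI-01","type":"api_call","image":"C:\\Users\\Public\\upd.exe","api":"PrintWindow"}
{"host":"HMI-02","type":"command","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell -c ...CopyFromScreen(...)..."}
{"host":"HMI-02","type":"api_call","image":"C:\\Program Files\\HMIVendor\\Runtime.exe","api":"CreateFileW"}
{"host":"HMI-02","type":"api_call","image":
"""

def detect(lines, allowed=ALLOWED_IMAGES):
    """Return (host, image, reason) for capture activity by non-allowlisted programs."""
    alerts = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue  # truncated or malformed record: skip it, do not crash
        if not isinstance(ev, dict):
            continue
        image = str(ev.get("image", "")).lower()
        if image in allowed:
            continue  # expected capture by an approved application
        cmdline = str(ev.get("cmdline", "")).lower()
        if ev.get("type") == "api_call" and ev.get("api") in CAPTURE_APIS:
            alerts.append((ev.get("host"), image, "api:" + ev["api"]))
        elif ev.get("type") == "command":
            hit = next((m for m in CAPTURE_CMD_MARKERS if m in cmdline), None)
            if hit:
                alerts.append((ev.get("host"), image, "cmd:" + hit))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS.splitlines()):
        print(alert)
```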