Screen Capture

Screen Capture
Technique
ID	T0852
Tactic	Collection
Data Sources	Command: Command Execution, Process: OS API Execution
Asset	Human-Machine Interface

Description

Adversaries may attempt to perform screen capture of devices in the control system environment. Screenshots may be taken of workstations, HMIs, or other devices that display environment-relevant process, device, reporting, alarm, or related data. These device displays may reveal information regarding the ICS process, layout, control, and related schematics. In particular, an HMI can provide a lot of important industrial process information.1 Analysis of screen captures may provide the adversary with an understanding of intended operations and interactions between critical devices.

Procedure Examples

ALLANITE has been identified to collect and distribute screenshots of ICS systems such as HMIs.21
APT33 utilize backdoors capable of capturing screenshots once installed on a system.34
Dragonfly 2.0 has been reported to take screenshots of the GUI for ICS equipment, such as HMIs.5

Mitigations

Mitigation Limited or Not Effective - Preventing screen capture on a device may require disabling various system calls supported by the operating systems (e.g., Microsoft WindowsGraphicsCaputer APIs), however, these may be needed for other critical applications.

References

v · d · e Adversary Techniques

Initial Access	Drive-by Compromise Exploit Public-Facing Application Exploitation of Remote Services External Remote Services Initial Access Internet Accessible Device Remote Services Replication Through Removable Media Rogue Master Spearphishing Attachment Supply Chain Compromise Transient Cyber Asset Wireless Compromise

Execution	Change Operating Mode Command-Line Interface Execution Execution through API Graphical User Interface Hooking Modify Controller Tasking Native API Scripting User Execution

Persistence	Modify Program Module Firmware Persistence Project File Infection System Firmware Valid Accounts

Evasion	Change Operating Mode Evasion Exploitation for Evasion Indicator Removal on Host Masquerading Rootkit Spoof Reporting Message

Discovery	Discovery Network Connection Enumeration Network Sniffing Remote System Discovery Remote System Information Discovery Wireless Sniffing

Lateral Movement	Default Credentials Exploitation of Remote Services Lateral Movement Lateral Tool Transfer Program Download Remote Services Valid Accounts

Collection	Automated Collection Collection Data from Information Repositories Detect Operating Mode I/O Image Man in the Middle Monitor Process State Point & Tag Identification Program Upload Screen Capture Wireless Sniffing

Inhibit Response Function	Activate Firmware Update Mode Alarm Suppression Block Command Message Block Reporting Message Block Serial COM Data Destruction Denial of Service Device Restart/Shutdown Inhibit Response Function Manipulate I/O Image Modify Alarm Settings Rootkit Service Stop System Firmware

Impair Process Control	Brute Force I/O Impair Process Control Modify Parameter Module Firmware Spoof Reporting Message Unauthorized Command Message

Impact	Damage to Property Denial of Control Denial of View Impact Loss of Availability Loss of Control Loss of Productivity and Revenue Loss of Protection Loss of Safety Loss of View Manipulation of Control Manipulation of View Theft of Operational Information

Description

Procedure Examples

Mitigations

References

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

ATT&CK™

Resources

Tools