This site has been deprecated in favor of https://attack.mitre.org and will remain in place until 11/1/22.

Screen Capture

From attackics
Jump to navigation Jump to search

To visit this technique’s new page please go to and update your links to https://attack.mitre.org/techniques/T0852

Screen Capture
Technique
ID T0852
Tactic Collection
Data Sources Command: Command Execution, Process: OS API Execution
Asset Human-Machine Interface

Description

Adversaries may attempt to perform screen capture of devices in the control system environment. Screenshots may be taken of workstations, HMIs, or other devices that display environment-relevant process, device, reporting, alarm, or related data. These device displays may reveal information regarding the ICS process, layout, control, and related schematics. In particular, an HMI can provide a lot of important industrial process information.1 Analysis of screen captures may provide the adversary with an understanding of intended operations and interactions between critical devices.


Procedure Examples

  • ALLANITE has been identified to collect and distribute screenshots of ICS systems such as HMIs.21
  • APT33 utilize backdoors capable of capturing screenshots once installed on a system.34
  • Dragonfly 2.0 has been reported to take screenshots of the GUI for ICS equipment, such as HMIs.5

Mitigations

  • Mitigation Limited or Not Effective - Preventing screen capture on a device may require disabling various system calls supported by the operating systems (e.g., Microsoft WindowsGraphicsCaputer APIs), however, these may be needed for other critical applications.


References

  1. a b  ICS-CERT. (2017, October 21). Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved October 23, 2017.
  2. ^  Dragos. (n.d.). Allanite. Retrieved October 27, 2019.
  3. ^  Jacqueline O'Leary et al.. (2017, September 20). Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware. Retrieved December 2, 2019.
  1. ^  Junnosuke Yagi. (2017, March 07). Trojan.Stonedrill. Retrieved December 5, 2019.
  2. ^  Cybersecurity & Infrastructure Security Agency. (2018, March 15). Alert (TA18-074A) Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved October 11, 2019.



v · d · e
Adversary Techniques
Initial Access
Execution
Persistence
Evasion
Discovery
Lateral Movement
Collection
Inhibit Response Function
Impair Process Control
Impact


Retrieved from "https://collaborate.mitre.org/attackics/index.php?title=Technique/T0852&oldid=9763"