This site has been deprecated in favor of and will remain in place until 11/1/22.

Screen Capture

From attackics
Revision as of 18:35, 20 October 2021 by Jsteele (talk | contribs) (Text replacement - "Process:" to "[ Process]:")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

To visit this technique’s new page please go to and update your links to

Screen Capture
ID T0852
Tactic Collection
Data Sources Command: Command Execution, Process: OS API Execution
Asset Human-Machine Interface


Adversaries may attempt to perform screen capture of devices in the control system environment. Screenshots may be taken of workstations, HMIs, or other devices that display environment-relevant process, device, reporting, alarm, or related data. These device displays may reveal information regarding the ICS process, layout, control, and related schematics. In particular, an HMI can provide a lot of important industrial process information.1 Analysis of screen captures may provide the adversary with an understanding of intended operations and interactions between critical devices.

Procedure Examples

  • ALLANITE has been identified to collect and distribute screenshots of ICS systems such as HMIs.21
  • APT33 utilize backdoors capable of capturing screenshots once installed on a system.34
  • Dragonfly 2.0 has been reported to take screenshots of the GUI for ICS equipment, such as HMIs.5


  • Mitigation Limited or Not Effective - Preventing screen capture on a device may require disabling various system calls supported by the operating systems (e.g., Microsoft WindowsGraphicsCaputer APIs), however, these may be needed for other critical applications.