This site has been deprecated in favor of https://attack.mitre.org and will remain in place until 11/1/22.
Screen Capture
This technique's new page is at https://attack.mitre.org/techniques/T0852; please update your links.
Technique | Screen Capture |
---|---|
ID | T0852 |
Tactic | Collection |
Data Sources | Command: Command Execution, Process: OS API Execution |
Asset | Human-Machine Interface |
Description
Adversaries may attempt to perform screen capture of devices in the control system environment. Screenshots may be taken of workstations, HMIs, or other devices that display environment-relevant process, device, reporting, alarm, or related data. These device displays may reveal information regarding the ICS process, layout, control, and related schematics. In particular, an HMI can provide a lot of important industrial process information.[1] Analysis of screen captures may provide the adversary with an understanding of intended operations and interactions between critical devices.
Procedure Examples
- ALLANITE has been identified collecting and distributing screenshots of ICS systems such as HMIs.[2][1]
- APT33 utilizes backdoors capable of capturing screenshots once installed on a system.[3][4]
- Dragonfly 2.0 has been reported to take screenshots of the GUI for ICS equipment, such as HMIs.[5]
Mitigations
- Mitigation Limited or Not Effective - Preventing screen capture on a device may require disabling various system calls supported by the operating system (e.g., the Microsoft Windows.Graphics.Capture APIs); however, these may be needed for other critical applications.
References
- [1] ICS-CERT. (2017, October 21). Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved October 23, 2017.
- [2] Dragos. (n.d.). Allanite. Retrieved October 27, 2019.
- [3] Jacqueline O'Leary et al. (2017, September 20). Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware. Retrieved December 2, 2019.