Techniques
Sample rules
Screen Capture with Import Tool
- source: sigma
- techniques:
- t1113
Description
Detects an adversary creating a screen capture of the desktop with ImageMagick's import tool. Use of this rule is recommended on servers, because screenshot utilities are commonly used on user workstations and the rule would fire often there. ImageMagick must be installed on the monitored host for the import binary to be present.
Detection logic
condition: import and (import_window_root or import_no_window_root)
import:
a0: import
type: EXECVE
import_no_window_root:
a1|endswith:
- .png
- .jpg
- .jpeg
import_window_root:
a1: -window
a2: root
a3|endswith:
- .png
- .jpg
- .jpeg
Screen Capture with Xwd
- source: sigma
- techniques:
- t1113
Description
Detects an adversary creating a screen capture of the full screen (root window) or of a single window with xwd. Use of this rule is recommended on servers, because screenshot utilities are commonly used on user workstations and the rule would fire often there.
Detection logic
condition: selection and 1 of xwd_*
selection:
a0: xwd
type: EXECVE
xwd_no_root_window:
a1: -out
a2|endswith: .xwd
xwd_root_window:
a1: -root
a2: -out
a3|endswith: .xwd
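To see what the two rules above actually match, here is both detection conditions (Import Tool and Xwd) applied to auditd EXECVE records. This is an added example, not code from the page or from the Sigma project. The log lines are constructed for the example; the parser handles the two argument encodings auditd uses in EXECVE records (quoted strings, and bare hex for arguments containing spaces or special characters) but nothing else. Matching on a0 is exact, as in the rules, so an invocation recorded as "/usr/bin/import" is not matched; the test below exercises that.

```python
import re

# Constructed auditd records (not real captures). Record 106 shows the hex
# encoding auditd uses for an argument containing a space ("import os").
SAMPLE_LOG = """\
type=EXECVE msg=audit(1700000000.100:101): argc=4 a0="import" a1="-window" a2="root" a3="/tmp/desktop.png"
type=EXECVE msg=audit(1700000000.200:102): argc=2 a0="import" a1="/tmp/region.jpeg"
type=EXECVE msg=audit(1700000000.300:103): argc=3 a0="import" a1="-window" a2="root"
type=EXECVE msg=audit(1700000000.400:104): argc=4 a0="xwd" a1="-root" a2="-out" a3="/tmp/full.xwd"
type=EXECVE msg=audit(1700000000.500:105): argc=3 a0="xwd" a1="-out" a2="/tmp/win.xwd"
type=EXECVE msg=audit(1700000000.600:106): argc=3 a0="python3" a1="-c" a2=696D706F7274206F73
type=SYSCALL msg=audit(1700000000.600:106): arch=c000003e syscall=59 success=yes exit=0
"""

# aN="quoted value"  or  aN=HEXBYTES (auditd hex-encodes awkward arguments)
ARG_RE = re.compile(r'\b(a\d+)=(?:"([^"]*)"|([0-9A-Fa-f]+))')
AUDIT_ID_RE = re.compile(r"msg=audit\(([^)]*)\)")

IMAGE_EXT = (".png", ".jpg", ".jpeg")
XWD_EXT = (".xwd",)


def parse_execve(line):
    """Return {'type': 'EXECVE', 'a0': ..., 'a1': ...} for an EXECVE record, else None."""
    if not line.startswith("type=EXECVE"):
        return None
    rec = {"type": "EXECVE"}
    for key, quoted, hexed in ARG_RE.findall(line):
        rec[key] = quoted if quoted else bytes.fromhex(hexed).decode("utf-8", "replace")
    return rec


def _endswith(value, suffixes):
    # Sigma's |endswith modifier; a missing argument never matches.
    return value is not None and value.endswith(suffixes)


def match_import(rec):
    """Sigma: import and (import_window_root or import_no_window_root)."""
    if rec.get("type") != "EXECVE" or rec.get("a0") != "import":
        return False
    window_root = (rec.get("a1") == "-window" and rec.get("a2") == "root"
                   and _endswith(rec.get("a3"), IMAGE_EXT))
    no_window_root = _endswith(rec.get("a1"), IMAGE_EXT)
    return window_root or no_window_root


def match_xwd(rec):
    """Sigma: selection and 1 of xwd_*."""
    if rec.get("type") != "EXECVE" or rec.get("a0") != "xwd":
        return False
    root_window = (rec.get("a1") == "-root" and rec.get("a2") == "-out"
                   and _endswith(rec.get("a3"), XWD_EXT))
    no_root_window = rec.get("a1") == "-out" and _endswith(rec.get("a2"), XWD_EXT)
    return root_window or no_root_window


def run_rules(log_text):
    """Return [(audit_id, rule_title)] for every EXECVE record that matches a rule."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_execve(line)
        if rec is None:
            continue
        audit_id = AUDIT_ID_RE.search(line).group(1)
        if match_import(rec):
            hits.append((audit_id, "Screen Capture with Import Tool"))
        if match_xwd(rec):
            hits.append((audit_id, "Screen Capture with Xwd"))
    return hits


if __name__ == "__main__":
    for audit_id, title in run_rules(SAMPLE_LOG):
        print(f"{audit_id}  {title}")
```

Record 103 (import -window root with no output file) is deliberately not matched: the window-root branch needs an a3 ending in an image extension, and the no-window branch needs a1 to end in one. Note also that a python3 -c "import os" invocation never matches, since the rule keys on a0 being the import binary itself, not on the word appearing in an argument.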