legitimate user activity taking screenshots

source: <a href=https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_screencapture.yml>sigma
technicques: t1113

Techniques

Detects attempts to use screencapture to collect macOS screenshots

condition: selection
selection:
  Image: /usr/sbin/screencapture