Screen Capture (T1113)

Carbanak+FIN7

| Step | ATT&CK Pattern |
|---|---|
| 2.B.4 | Tactic Collection (TA0009) |
| 9.A.4 | Tactic Collection (TA0009) |
| 13.B.4 | Tactic Collection (TA0009) |
| 18.A.2 | Tactic Collection (TA0009) |

APT29

| Step | ATT&CK Pattern |
|---|---|
| 7.A.1 | Tactic Collection (TA0009) |

Procedure
Captured and saved screenshots using PowerShell
Criteria
powershell.exe executing the CopyFromScreen function from System.Drawing.dll
Footnotes
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
- PowerShell script block logging was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change.
Procedure
Captured and saved screenshots using PowerShell
Criteria
powershell.exe executing the CopyFromScreen function from System.Drawing.dll
Footnotes
- PowerShell script block logging was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change.



