ReaQta: Screen Capture (T1113)

Carbanak+FIN7

| Step | ATT&CK Pattern |
|---|---|
| 2.B.4 | Tactic Collection (TA0009) |
| 9.A.4 | Tactic Collection (TA0009) |
| 13.B.4 | Tactic Collection (TA0009) |
| 18.A.2 | Tactic Collection (TA0009) |

APT29

| Step | ATT&CK Pattern |
|---|---|
| 7.A.1 | Tactic Collection (TA0009) |

Procedure
Captured and saved screenshots using PowerShell
Criteria
powershell.exe executing the CopyFromScreen function from System.Drawing.dll
Footnotes
- Vendor stated that more information for this behavior would be available using their NanoOS capability, which did not run under the evaluation's hypervisor.
- PowerShell script block logging was enabled after the start of the evaluation, so the detection is identified as a Detection Configuration Change.

