T1113

Input Capture

Description from ATT&CK

Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as CopyFromScreen, xwd, or screencapture. (Citation: CopyFromScreen .NET) (Citation: Antiquated Mac Malware)

Tests

Test #1 - Take screenshot

Capture screenshot using System Events

⚠️ TCC Required
-- Key code 20 is the "3" key; Command+Shift+3 is the macOS full-screen screenshot shortcut
tell application "System Events" to key code 20 using {command down, shift down}

References