Detecting Windows Screen Capture via PowerShell Script
This analytic detects the execution of a PowerShell script designed to capture screen images on a host, leveraging PowerShell Script Block Logging to identify specific script block text patterns associated with screen capture activities, potentially indicating an attempt to exfiltrate sensitive information via desktop screenshots.
This detection focuses on identifying PowerShell scripts used to capture screen images on Windows systems. The technique involves leveraging the .NET framework's drawing capabilities within PowerShell to create screenshots. While legitimate uses exist, adversaries can employ this method to exfiltrate sensitive visual data from compromised systems. The detection relies on PowerShell Script Block Logging (EventCode 4104) to analyze script content for specific patterns related to screen capture functions. Successful execution can lead to unauthorized access to sensitive information displayed on the screen, potentially leading to data breaches. Several threat actors, including APT37 (Rustonotto), Winter Vivern, Water Gamayun, and BlankGrabber Stealer, have been known to utilize PowerShell for malicious activities, including information gathering.
Attack Chain
- Initial Access: The attacker gains initial access to the target system, potentially through methods like exploiting vulnerabilities or using stolen credentials.
- Privilege Escalation (Optional): Depending on the attacker's initial privileges, they may attempt to escalate privileges to gain necessary permissions for executing the screen capture script effectively.
- PowerShell Execution: The attacker executes a PowerShell script on the compromised host.
- Screen Capture Implementation: The PowerShell script utilizes .NET libraries (
System.Drawing) to capture screen images. The script often contains commands that create aBitmapobject, get aGraphicsobject from it, and then useCopyFromScreento copy the screen content. - Data Staging: The captured screenshot is saved to a file on the local system, often in a common image format like PNG or JPG.
- Obfuscation/Encoding (Optional): The attacker might encode or obfuscate the captured image to evade detection during exfiltration.
- Data Exfiltration: The screenshot is exfiltrated from the compromised system using various methods, such as uploading to a remote server, sending via email, or transferring through other network protocols.
- Cleanup: The attacker might delete the PowerShell script and the captured screenshot to remove traces of their activity.
Impact
Successful exploitation allows attackers to capture sensitive information displayed on the screen, including credentials, financial data, personal information, and confidential documents. This can lead to data breaches, identity theft, financial loss, and reputational damage. The number of victims can vary depending on the scope of the attack, ranging from individual users to entire organizations. Targeted sectors may include finance, healthcare, government, and technology.
Recommendation
- Enable PowerShell Script Block Logging (EventCode 4104) to collect the necessary data for the provided Sigma rules and Splunk search (https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.1/add-other-data-to-splunk-uba/configure-powershell-logging-to-see-powershell-anomalies-in-splunk-uba).
- Deploy the Sigma rule "Detect PowerShell Screen Capture via Drawing Methods" to identify screen capture attempts based on specific drawing API calls within PowerShell scripts.
- Investigate any identified PowerShell screen capture activity to determine its legitimacy and potential impact.
- Block execution of unsigned or untrusted PowerShell scripts to prevent malicious code from running on endpoints.
Detection coverage 2
Detect PowerShell Screen Capture via Drawing Methods
highDetects PowerShell scripts using drawing methods to capture screenshots.
Detect PowerShell Screen Capture via Windows API Calls
mediumDetects PowerShell scripts using Windows API calls (Add-Type) to capture screenshots.
Detection queries are available on the platform. Get full rules →