Skip to content
Threat Feed
high advisory

Detecting Windows Screen Capture via PowerShell Script

This analytic detects the execution of a PowerShell script designed to capture screen images on a host, leveraging PowerShell Script Block Logging to identify specific script block text patterns associated with screen capture activities, potentially indicating an attempt to exfiltrate sensitive information via desktop screenshots.

This detection focuses on identifying PowerShell scripts used to capture screen images on Windows systems. The technique involves leveraging the .NET framework's drawing capabilities within PowerShell to create screenshots. While legitimate uses exist, adversaries can employ this method to exfiltrate sensitive visual data from compromised systems. The detection relies on PowerShell Script Block Logging (EventCode 4104) to analyze script content for specific patterns related to screen capture functions. Successful execution can lead to unauthorized access to sensitive information displayed on the screen, potentially leading to data breaches. Several threat actors, including APT37 (Rustonotto), Winter Vivern, Water Gamayun, and BlankGrabber Stealer, have been known to utilize PowerShell for malicious activities, including information gathering.

Attack Chain

  1. Initial Access: The attacker gains initial access to the target system, potentially through methods like exploiting vulnerabilities or using stolen credentials.
  2. Privilege Escalation (Optional): Depending on the attacker's initial privileges, they may attempt to escalate privileges to gain necessary permissions for executing the screen capture script effectively.
  3. PowerShell Execution: The attacker executes a PowerShell script on the compromised host.
  4. Screen Capture Implementation: The PowerShell script utilizes .NET libraries (System.Drawing) to capture screen images. The script often contains commands that create a Bitmap object, get a Graphics object from it, and then use CopyFromScreen to copy the screen content.
  5. Data Staging: The captured screenshot is saved to a file on the local system, often in a common image format like PNG or JPG.
  6. Obfuscation/Encoding (Optional): The attacker might encode or obfuscate the captured image to evade detection during exfiltration.
  7. Data Exfiltration: The screenshot is exfiltrated from the compromised system using various methods, such as uploading to a remote server, sending via email, or transferring through other network protocols.
  8. Cleanup: The attacker might delete the PowerShell script and the captured screenshot to remove traces of their activity.

Impact

Successful exploitation allows attackers to capture sensitive information displayed on the screen, including credentials, financial data, personal information, and confidential documents. This can lead to data breaches, identity theft, financial loss, and reputational damage. The number of victims can vary depending on the scope of the attack, ranging from individual users to entire organizations. Targeted sectors may include finance, healthcare, government, and technology.

Recommendation

Detection coverage 2

Detect PowerShell Screen Capture via Drawing Methods

high

Detects PowerShell scripts using drawing methods to capture screenshots.

sigma tactics: collection techniques: T1113 sources: powershell, windows

Detect PowerShell Screen Capture via Windows API Calls

medium

Detects PowerShell scripts using Windows API calls (Add-Type) to capture screenshots.

sigma tactics: collection techniques: T1113 sources: powershell, windows

Detection queries are available on the platform. Get full rules →