Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionlowtest

Screen Capture with Import Tool

Detects adversary creating screen capture of a desktop with Import Tool. Highly recommended using rule on servers, due to high usage of screenshot utilities on user workstations. ImageMagick must be installed.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Pawel MazurCreated Tue Sep 21Updated Sun Oct 09dbe4b9c5-c254-4258-9688-d6af0b7967fdlinux
Log Source
Linuxauditd
ProductLinux← raw: linux
Serviceauditd← raw: auditd
Detection Logic
Detection Logic3 selectors
detection:
    import:
        type: EXECVE
        a0: import
    import_window_root:
        a1: '-window'
        a2: 'root'
        a3|endswith:
            - '.png'
            - '.jpg'
            - '.jpeg'
    import_no_window_root:
        a1|endswith:
            - '.png'
            - '.jpg'
            - '.jpeg'
    condition: import and (import_window_root or import_no_window_root)
False Positives

Legitimate use of screenshot utility

References
1
Resolving title…
github.com
2
Resolving title…
linux.die.net
3
Resolving title…
imagemagick.org
MITRE ATT&CK
Rule Metadata
Rule ID
dbe4b9c5-c254-4258-9688-d6af0b7967fd
Status
test
Level
low
Type
Detection
Created
Tue Sep 21
Modified
Sun Oct 09
Author
Pawel Mazur
Path
rules/linux/auditd/execve/lnx_auditd_screencapture_import.yml
Raw Tags
attack.collectionattack.t1113
View on GitHub