Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionlowtest

Screen Capture with Xwd

Detects adversary creating screen capture of a full with xwd. Highly recommended using rule on servers, due high usage of screenshot utilities on user workstations

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Pawel MazurCreated Mon Sep 13Updated Sun Dec 18e2f17c5d-b02a-442b-9052-6eb89c9fec9clinux
Log Source
Linuxauditd
ProductLinux← raw: linux
Serviceauditd← raw: auditd
Detection Logic
Detection Logic3 selectors
detection:
    selection:
        type: EXECVE
        a0: xwd
    xwd_root_window:
        a1: '-root'
        a2: '-out'
        a3|endswith: '.xwd'
    xwd_no_root_window:
        a1: '-out'
        a2|endswith: '.xwd'
    condition: selection and 1 of xwd_*
False Positives

Legitimate use of screenshot utility

References
1
Resolving title…
github.com
2
Resolving title…
linux.die.net
MITRE ATT&CK
Rule Metadata
Rule ID
e2f17c5d-b02a-442b-9052-6eb89c9fec9c
Status
test
Level
low
Type
Detection
Created
Mon Sep 13
Modified
Sun Dec 18
Author
Pawel Mazur
Path
rules/linux/auditd/execve/lnx_auditd_screencaputre_xwd.yml
Raw Tags
attack.collectionattack.t1113
View on GitHub