MITRE ATT&CK: Screen capture

Introduction

There is an old saying that goes “a picture is worth a thousand words.” In many ways, this saying is true: you can learn a great deal about a person or situation if you have a picture that captures an accurate view of things. Attackers and malicious hackers know this saying well, because many attack campaigns in recent years have fully integrated screen capture capabilities into their operations.

MITRE ATT&CK has included screen capture in its attack matrix. This article will detail this attack technique, including what the MITRE ATT&CK matrix is, the dangers of system feature abuse, how various attack campaigns have used screen capture and tips for the mitigation and detection for a screen capture attack.

What is MITRE ATT&CK?

MITRE is a not-for-profit corporation dedicated to solving problems for a safer world. Beginning as a systems engineering company in 1958, MITRE has added new technical and organizational capabilities to its knowledge base — including cybersecurity.

To this end, MITRE released the MITRE ATT&CK list as a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. This knowledge base serves as the foundation for developing threat models and methodologies in the cybersecurity product and service community, the private sector and government.

More information on the MITRE ATT&CK matrix can be found here.

Dangers of abuse of system features

Before we discuss the screen capture attack technique in any detail, we first have to discuss what makes it so dangerous. This attack technique is considered an “abuse of system features” technique. What this means is that the attacker or malicious hacker is leveraging the inherent features of the compromised system against itself. It is sort of like jujitsu or judo, where the opponent’s inherent (Read more...)

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Greg Belding. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/C9oW441xlig/