View on MITRE ATT&CK

T1113 - Screen Capture

Tactics:
Collection
Platforms:
Linux Windows macOS
Detection:
Not specified
Description:
Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as <code>CopyFromScreen</code>, <code>xwd</code>, or <code>screencapture</code>.(Citation: CopyFromScreen .NET)(Citation: Antiquated Mac Malware)
Used by Actors (18)
APT28
Nation-state
FIN7
Criminal
OilRig
Nation-state
Gamaredon Group
Unknown
Kimsuky
Nation-state
MuddyWater
Nation-state
Dark Caracal
Unknown
APT39
Unknown
Group5
Unknown
GOLD SOUTHFIELD
Unknown
APT42
Nation-state
Volt Typhoon
Unknown
MoustachedBouncer
Nation-state
Winter Vivern
Unknown
Dragonfly
Unknown
Silence
Unknown
Magic Hound
Unknown
BRONZE BUTLER
Unknown
Malware (20)
RCSession other QuietSieve other GRIFFON other yty other DOGCALL other POWRUNER other SharpStage other HALFBAKED other KEYMARBLE other Ursnif other ZLib other RedLeaves other Zeus Panda other Havoc other Matryoshka other Janicab other TONESHELL other Kasidet other RainyDay other AppleSeed other
Metadata
MITRE ID: T1113
STIX ID: attack-pattern--0259baeb-9f63-...
Platforms: Linux, Windows, macOS
Created: 13/01/2026 17:48
Updated: 06/03/2026 16:00