Analytics Alerts
Browse the Cortex analytics alert reference.
2 alerts match the current filters. tactic: TA0009 ✕ technique: T1113 ✕
Show ATT&CK heatmapA user took numerous screenshots Informational Identity Threat Module
A user took numerous screenshots. A valuable organization's information may have been collected in this way.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Screen Capture (T1113) Data Staged: Local Data Staging (T1074.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Collect data and stage it on an endpoint in the organization.Investigative actions: Check whether this activity fits the user profile. Check for any other suspicious activity related to the host and the user involved in the alert. Check if there was a suspicious file upload following the massive screenshot activity. Check whether other users in the organization used the same process for file activity.Possible collection of screen captures with Windows Problem Steps Recorder Medium
Windows Problem Steps Recorder (psr.exe), can record screen and clicks. Adversaries may abuse psr.exe to create screen captures and collect them afterward.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009)ATT&CK techniques: Screen Capture (T1113)Required data: XDR AgentAttacker's goals: Evading security controls and collecting screen captures of the desktop.Investigative actions: Check the causality of execution and if the TSS script was executed (Microsoft Troubleshooting Script). If output parameters in the command line are executed by the user. If the parent process is known in the organization as a support tool.