Detection: Windows Screen Capture Via Powershell

Description

The following analytic identifies a potential PowerShell script that captures screen images on compromised or targeted hosts. This technique was observed in the Winter-Vivern malware, which attempts to capture desktop screens using a PowerShell script and send the images to its C2 server as part of its exfiltration strategy. This TTP serves as a useful indicator that a PowerShell process may be gathering desktop screenshots from a host system, potentially signaling malicious activity.

Annotations

No annotations available.

Implementation

To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup guidance is available at https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.

Known False Positives

Unknown.

Associated Analytic Story

Risk Based Analytics (RBA)

Risk Message: A PowerShell script was identified possibly performing screen captures on $Computer$.
Risk Score: 49
Impact: 70
Confidence: 70

The Risk Score is calculated by the formula Risk Score = Impact * Confidence / 100. The initial Confidence and Impact values are set by the analytic author.
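The following is an added example, not the page's own search or any Splunk code: a small Python detector that applies the idea described above to PowerShell Script Block Logging events (Event ID 4104, ScriptBlockText field) and emits a risk event using the Impact and Confidence values from the RBA table. The page does not list the detection's exact search terms; the indicator strings used here (the System.Drawing Bitmap and screen-copy calls a capture script relies on), the event field names and the sample events are all assumptions constructed for illustration.

```python
"""
Added example (not part of the detection page or its search): scan PowerShell
Script Block Logging events (EventCode 4104) for the .NET drawing calls a
screen-capture script needs, then build a risk event with the page's
Impact/Confidence values. Indicator strings and field names are assumptions.
"""
import re
from dataclasses import dataclass

# A screen-capture script has to allocate a Bitmap and then copy the screen
# into it. Requiring both in one block reduces noise from scripts that only
# convert or resize images. (Assumed indicators, not the page's search terms.)
BITMAP_PATTERN = re.compile(r"Drawing\.Bitmap", re.IGNORECASE)
CAPTURE_PATTERN = re.compile(r"CopyFromScreen|Graphics\]::FromImage", re.IGNORECASE)

IMPACT = 70       # value from the page's RBA table
CONFIDENCE = 70   # value from the page's RBA table
RISK_MESSAGE = "A PowerShell script was identified possibly performing screen captures on $Computer$."


@dataclass
class RiskEvent:
    computer: str
    user: str
    risk_score: int
    risk_message: str


def risk_score(impact: int, confidence: int) -> int:
    """Page formula: Risk Score = Impact * Confidence / 100."""
    return impact * confidence // 100


def is_screen_capture(script_block_text: str) -> bool:
    """True when one script block both allocates a Bitmap and copies the screen."""
    return bool(BITMAP_PATTERN.search(script_block_text)) and bool(CAPTURE_PATTERN.search(script_block_text))


def detect(events):
    """Return one RiskEvent per 4104 event whose ScriptBlockText matches."""
    hits = []
    for ev in events:
        if ev.get("EventCode") != 4104:
            continue  # only script block events carry ScriptBlockText
        if is_screen_capture(ev.get("ScriptBlockText", "")):
            hits.append(RiskEvent(
                computer=ev["Computer"],
                user=ev.get("UserID", "unknown"),
                risk_score=risk_score(IMPACT, CONFIDENCE),
                # Fill the $Computer$ placeholder the way the risk message on the page expects
                risk_message=RISK_MESSAGE.replace("$Computer$", ev["Computer"]),
            ))
    return hits


# Constructed sample events (not real telemetry). Hostnames and users are placeholders.
SAMPLE_EVENTS = [
    {"EventCode": 4104, "Computer": "WS01.example.local", "UserID": "EXAMPLE\\alice",
     "ScriptBlockText": "$bmp = New-Object Drawing.Bitmap ...; "
                        "$g = [Drawing.Graphics]::FromImage($bmp); $g.CopyFromScreen(...)"},
    # Image conversion only: allocates a Bitmap but never touches the screen
    {"EventCode": 4104, "Computer": "WS02.example.local", "UserID": "EXAMPLE\\bob",
     "ScriptBlockText": "$img = New-Object Drawing.Bitmap 'C:\\logo.png'; $img.Save('C:\\logo.bmp')"},
    # Module logging event, not a script block: ignored
    {"EventCode": 4103, "Computer": "WS01.example.local", "UserID": "EXAMPLE\\alice",
     "ScriptBlockText": "Get-Process"},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"risk={hit.risk_score} host={hit.computer} user={hit.user}: {hit.risk_message}")
```

Running the block flags only the first sample event and yields the page's score of 49 (70 * 70 / 100). Two caveats a practitioner should keep in mind: Script Block Logging splits long scripts across several 4104 events, so a production version should group blocks by their ScriptBlock ID before requiring both indicators in the same block, and the indicators here match legitimate screenshot utilities as well, which is why the page lists the false positives as unknown and scores the detection at 49 rather than higher.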

References


Version: 1