The Take screenshot rule flags binaries that reference the Windows GDI/User32 APIs used to copy the screen into a bitmap (GetDC and BitBlt), the capability behind MITRE ATT&CK Screen Capture (T1113). Adversaries use it to grab sensitive on-screen data for exfiltration or to gain visual context during an intrusion. SOC teams can run the rule against files, sandbox drops and process memory and forward hits to Microsoft Sentinel (formerly Azure Sentinel) for hunting, so that collection or reconnaissance activity surfaces early in the attack lifecycle.
YARA Rule
rule screenshot {
    meta:
        author = "x0r"
        description = "Take screenshot"
        version = "0.1"
    strings:
        $d1 = "Gdi32.dll" nocase
        $d2 = "User32.dll" nocase
        $c1 = "BitBlt"
        $c2 = "GetDC"
    condition:
        1 of ($d*) and 1 of ($c*)
}
This YARA rule can be deployed in the following contexts:
This rule contains four string patterns: two DLL names matched case-insensitively ($d1, $d2) and two exported function names matched exactly ($c1, $c2). The condition fires when at least one string from each group is present. Almost every Windows GUI program satisfies that (it links User32.dll and calls GetDC), so a hit on its own is a weak signal; treat it as a triage input and combine it with a missing or invalid code signature, an unusual file path, or the process-level exclusions below before alerting.
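To make the rule's matching semantics concrete, the following added Python example (written for this page, not code from the x0r rule or from the YARA project) re-implements the four strings and the condition over constructed byte buffers standing in for PE import tables, and then applies the hash-based allowlisting a practitioner would use instead of process-name or command-line exclusions for the scenarios that follow. The sample buffers, the allowlist and the function names are illustrative assumptions; the code does not call yara itself.

```python
import hashlib

# The rule's string patterns, transcribed from the page. The $d strings carry
# `nocase`, so they are matched case-insensitively; the $c strings are exact.
DLL_STRINGS = {"$d1": b"Gdi32.dll", "$d2": b"User32.dll"}
API_STRINGS = {"$c1": b"BitBlt", "$c2": b"GetDC"}


def matched_strings(data: bytes) -> dict:
    """Return which of the rule's four strings occur in `data`.

    Mirrors YARA's semantics for this rule: $d* are compared with `nocase`,
    $c* are plain case-sensitive substring matches.
    """
    hits = {}
    lowered = data.lower()
    for name, pattern in DLL_STRINGS.items():
        hits[name] = pattern.lower() in lowered
    for name, pattern in API_STRINGS.items():
        hits[name] = pattern in data
    return hits


def rule_screenshot(data: bytes) -> bool:
    """Evaluate the condition `1 of ($d*) and 1 of ($c*)`."""
    hits = matched_strings(data)
    any_dll = any(hits[name] for name in DLL_STRINGS)
    any_api = any(hits[name] for name in API_STRINGS)
    return any_dll and any_api


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the sample, the key used for allowlisting."""
    return hashlib.sha256(data).hexdigest()


def triage(data: bytes, allowlist_sha256: set) -> str:
    """Apply the rule, then suppress hits for known-good binaries by hash.

    A hash (or, in production, the Authenticode signer) is used rather than a
    process name or command-line keyword because those are attacker-controlled.
    Returns "no_match", "suppressed" or "alert".
    """
    if not rule_screenshot(data):
        return "no_match"
    if sha256_hex(data) in allowlist_sha256:
        return "suppressed"
    return "alert"


# Constructed samples: only the import-table fragments the rule cares about.
# A screen grabber links both DLLs and imports GetDC plus BitBlt.
SCREENSHOT_TOOL = b"MZ\x90\x00user32.dll\x00GDI32.DLL\x00GetDC\x00CreateCompatibleDC\x00BitBlt\x00"
# An ordinary GUI program still matches: User32.dll plus GetDC is enough.
BENIGN_GUI_APP = b"MZ\x90\x00USER32.dll\x00GetDC\x00MessageBoxW\x00"
# A console program references neither DLL and no screen-capture API.
CONSOLE_APP = b"MZ\x90\x00KERNEL32.dll\x00WriteFile\x00ReadFile\x00"

# Hypothetical allowlist: the hash of an approved admin tool (here the benign
# GUI sample) so that its routine GetDC use does not page anyone.
KNOWN_GOOD = {sha256_hex(BENIGN_GUI_APP)}

if __name__ == "__main__":
    for label, sample in [("screenshot tool", SCREENSHOT_TOOL),
                          ("benign GUI app", BENIGN_GUI_APP),
                          ("console app", CONSOLE_APP)]:
        print(f"{label:16} rule={rule_screenshot(sample)!s:5} triage={triage(sample, KNOWN_GOOD)}")
```

Running the block shows that the benign GUI sample matches exactly like the screen grabber; only the allowlist separates them, which is why the exclusion scenarios below matter more than the rule itself.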
Scenario: System Administrator Takes Screenshot During Troubleshooting
Description: An admin uses a tool like Snipping Tool or Greenshot to capture a screenshot of a system error or application interface for troubleshooting.
Filter/Exclusion: Allowlist the known admin tools (e.g., snippingtool.exe, greenshot.exe) by code-signing certificate or file hash rather than by process name alone, since a name is trivially spoofed, and weight the hit by user context (e.g., an interactive session of an authorised administrator). A static YARA scan has no process context, so these exclusions are applied where the rule is paired with EDR or process telemetry.
Scenario: Scheduled Job Captures Screenshot for Reporting
Description: A scheduled task runs a script using PowerShell or Python with a library like Pillow to generate a screenshot for a report or dashboard.
Filter/Exclusion: Exclude by the scheduled task's identity and the script's path or hash (e.g., powershell.exe launched by a specific task with a known script). Do not exclude on command-line keywords such as "report", "generate" or "screenshot": the command line is attacker-controlled and such a filter is trivially bypassed.
Scenario: User Takes Screenshot for Documentation or Training
Description: A user uses Microsoft OneNote or Adobe Photoshop to take a screenshot for documentation or training purposes.
Filter/Exclusion: Exclude processes associated with documentation tools (e.g., onenote.exe, photoshop.exe), verified by signer or hash, or check the user's role or group membership (e.g., members of a training or documentation group).
Scenario: Security Tool or SIEM Integration Takes Screenshot
Description: A security tool like Splunk or ELK Stack uses a script to capture a screenshot of a dashboard or alert for analysis.
Filter/Exclusion: Exclude processes related to the SIEM tooling (e.g., splunkd.exe or the Elasticsearch service process) by signer or hash, or require a specific, documented command-line argument or environment variable that identifies the legitimate use case; treat the latter as weak evidence on its own, since both are under the control of whoever launches the process.
Scenario: Remote Desktop Session Captures Screenshot
Description: