
Screen Capture - macOS

Sigma Rules

Summary
This rule detects use of the macOS command-line utility screencapture to take screenshots. screencapture has plenty of legitimate uses, but an attacker with a shell on the host can run it to capture whatever is on the user's display (open documents, chat windows, password managers) without the user noticing. The rule matches process creation events whose image path is exactly /usr/sbin/screencapture, the default location of the binary on macOS; note that an exact path match will not fire if an attacker copies the binary elsewhere before running it. The rule maps to MITRE ATT&CK technique T1113 (Screen Capture) under the Collection tactic. False positives: any user or script that legitimately takes screenshots will trigger it, so alerts should be triaged on parent process, command line and output location rather than treated as confirmed malicious.
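The following is an added example, not the rule's own code or part of the original page. It replays the detection logic described above (exact match on Image = /usr/sbin/screencapture) over a few constructed process-creation events, and adds two things the rule itself does not contain, both assumptions for illustration: a broader basename matcher that also catches the binary when it has been copied to another directory, and a triage helper that flags invocations that look scripted (shell parent, silent -x switch, output written under /tmp or into a dot-directory). Field names follow the Sigma process_creation convention (Image, CommandLine, ParentImage); the log lines are constructed, not real telemetry.

```python
"""Replay the screencapture detection over constructed process-creation events."""
import json
import os
import shlex

# Constructed sample events as JSON lines (not real telemetry).
SAMPLE_LOG = """
{"Image": "/usr/sbin/screencapture", "CommandLine": "screencapture -x /tmp/.cache/s1.png", "ParentImage": "/bin/zsh", "User": "alice"}
{"Image": "/usr/sbin/screencapture", "CommandLine": "screencapture -i ~/Desktop/shot.png", "ParentImage": "/System/Library/CoreServices/SystemUIServer.app/Contents/MacOS/SystemUIServer", "User": "alice"}
{"Image": "/usr/bin/python3", "CommandLine": "python3 report.py", "ParentImage": "/bin/zsh", "User": "alice"}
{"Image": "/tmp/.hidden/screencapture", "CommandLine": "screencapture -x /tmp/.hidden/out.png", "ParentImage": "/bin/bash", "User": "alice"}
"""

# Mirrors the rule's selection as described on the page: one exact-match field.
RULE_SELECTION = {"Image": "/usr/sbin/screencapture"}

# Assumed list of parents that indicate a scripted rather than interactive run.
SCRIPTED_PARENTS = {"sh", "bash", "zsh", "python3", "osascript"}


def parse_events(text):
    """Parse JSON-lines telemetry into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def matches_rule(event):
    """The rule as described: every selection field must match exactly."""
    return all(event.get(field) == value for field, value in RULE_SELECTION.items())


def matches_by_basename(event):
    """Assumed broader variant: match on the file name regardless of directory,
    so a copy of the binary outside /usr/sbin is still caught (more false positives)."""
    return os.path.basename(event.get("Image", "")) == "screencapture"


def triage_flags(event):
    """Assumed triage heuristics layered on top of the rule; not part of the rule.
    Only handles switches given separately (e.g. '-x', not '-xC')."""
    flags = []
    argv = shlex.split(event.get("CommandLine", ""))
    if "-x" in argv[1:]:
        flags.append("silent")  # -x suppresses the shutter sound
    parent = os.path.basename(event.get("ParentImage", ""))
    if parent in SCRIPTED_PARENTS:
        flags.append("scripted-parent")
    outputs = [a for a in argv[1:] if not a.startswith("-")]
    if any(o.startswith("/tmp/") or "/." in o for o in outputs):
        flags.append("hidden-or-tmp-output")
    return flags


def run(text, matcher=matches_rule):
    """Return the matching events, each with its triage flags attached."""
    hits = []
    for event in parse_events(text):
        if matcher(event):
            hits.append({
                "Image": event["Image"],
                "CommandLine": event["CommandLine"],
                "flags": triage_flags(event),
            })
    return hits


if __name__ == "__main__":
    for hit in run(SAMPLE_LOG):
        print("rule match:", hit["CommandLine"], hit["flags"] or "no triage flags")
    for hit in run(SAMPLE_LOG, matches_by_basename):
        print("basename match:", hit["Image"])
```

With the exact-path matcher the second sample event (interactive screenshot spawned from SystemUIServer, output on the Desktop) matches but carries no triage flags, which is the benign case the rule's false-positive note describes; the first event matches and is flagged on all three heuristics. The fourth event, a copy of the binary under /tmp, is only caught by the basename variant.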
Categories
  • macOS
  • Endpoint
Data Sources
  • Process
ATT&CK Techniques
  • T1113
Created: 2020-10-13