T1113: T1113

Search IOCs, vulnerabilities, APT…

216.73.216.6

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 31/05/2017 23:31 · Modified 27/03/2026 01:07

Essential information

MITRE technique ID: T1113
Confidence: 100/100
Revoked: No
Published: 31/05/2017 23:31
Modified: 27/03/2026 01:07
Author / Source: The MITRE Corporation

Aliases

Screen Capture

Platforms

windows macos linux

Description

Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen`, `xwd`, or `screencapture`.(Citation: CopyFromScreen .NET)(Citation: Antiquated Mac Malware)

Kill chain phases

Kill chain	Phase
mitre-attack	collection

Marking (TLP)

External references

Antiquated Mac Malware
CopyFromScreen .NET
mitre-attack (T1113)

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (61)

ANTONIO EDUARDO FREDERICO uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
SideCopy uses

The MITRE Corporation Confidence 100

[SideCopy](https://attack.mitre.org/groups/G1008) is a Pakistani threat group that has primarily targeted South Asian countries, including Indian and Afghani government personnel, since at least 2019. [SideCopy](https://attack.mitre.org/groups/G1008)'s name comes from its…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Andariel uses Silent ChollimaPLUTONIUM

The MITRE Corporation Confidence 100

[Andariel](https://attack.mitre.org/groups/G0138) is a North Korean state-sponsored threat group that has been active since at least 2009. [Andariel](https://attack.mitre.org/groups/G0138) has primarily focused its operations--which have included destructive attacks--against South Korean…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Team46 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Pensive Ursa uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
FakeTicketer uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Batavia uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Void Blizzard uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
zEus uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT-C-00 (OceanLotus) uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT-C-60 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Banshee uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 6

1–12 of 61

XMRig uses

Family
PteroPSLoad uses

Family
XcLoader uses

Family
Remus uses

Family
Xehook uses
HelloDoor uses

Family
DownExPyer uses

Family
Woody RAT uses
PteroPowder uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
ToneShell uses

Family
Skitnet uses

Family
NightClub uses

Family The MITRE Corporation Confidence 100

[NightClub](https://attack.mitre.org/software/S1090) is a modular implant written in C++ that has been used by [MoustachedBouncer](https://attack.mitre.org/groups/G1019) since at least 2014.(Citation: MoustachedBouncer ESET August 2023)

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 7

1–12 of 80

Inside OnyxC2: The New Stealer Targeting 210 Apps related

15 MITREs 1 Malware 4 Observables
Threat Actors Weaponize AI Hype to Deliver AsyncRAT related

AlienVault Confidence 100 19 MITREs 1 Malware 6 IOCs 6 Observables
Argamal: Malware hidden in hentai games related

1 CVE 19 MITREs 2 Malwares 2 Observables
Impersonation, Click Hijacking, and TDS: Inside a Malware … related

AlienVault Confidence 100 20 MITREs 3 Malwares 64 IOCs 64 Observables
TA4922: The Suspected Chinese Crime Group is Going … related

AlienVault Confidence 100 23 MITREs 8 Malwares 23 IOCs 23 Observables 1 APT
Nimbus RAT: How Threat Actors Are Abusing Microsoft … related

30 MITREs 1 Malware 3 Observables
Phishing Campaign Deploys JavaScript-Driven PureLogs Variant to Steal … related

AlienVault Confidence 100 23 MITREs 1 Malware 8 IOCs 8 Observables
Tracking TamperedChef Clusters via Certificate and Code Reuse related

1 CVE 21 MITREs 22 Malwares 3 Observables
Inside Banana RAT: From Build Server to Banking … related

20 MITREs 8 Malwares 8 Observables 1 APT
Cato CTRL Threat Research: Suspected China-Linked Threat Actor … related

AlienVault Confidence 100 17 MITREs 1 Malware 53 IOCs 53 Observables
Kazuar: Anatomy of a nation-state botnet related

AlienVault Confidence 100 24 MITREs 2 Malwares 4 IOCs 4 Observables 1 APT
Disclosing new PebbleDash-based tools related

AlienVault Confidence 100 20 MITREs 16 Malwares 25 IOCs 25 Observables 1 APT

← Previous

Page / 5

13–24 of 50

Vulnerabilities (CVE) (71)

CVE-2019-18935 KEV targets

Progress Telerik UI for ASP.NET AJAX contains a deserialization of untrusted data vulnerability through RadAsyncUpload which leads to code execution on the …

Published: 03/11/2021
Modified: 20/12/2025

CVE-2022-43704

targets

CVE-2024-40711 KEV targets

9.8 Critical

Veeam Backup and Replication contains a deserialization vulnerability allowing an unauthenticated user to perform remote code execution.

Attack vector: Network
Published: 17/10/2024
Modified: 21/12/2025

Awaiting Analysis

CVE-2024-3400 KEV targets

10.0 Critical

Palo Alto Networks PAN-OS GlobalProtect feature contains a command injection vulnerability that allows an unauthenticated attacker to execute commands with root privileges …

Attack vector: Network
Published: 12/04/2024
Modified: 21/12/2025

CVE-2025-14174 targets

8.8 High

Out of bounds memory access in ANGLE in Google Chrome on Mac prior to 143.0.7499.110 allowed a remote attacker to perform out …

Published: 12/12/2025
Modified: 15/12/2025

Analyzed

CVE-2017-5030 KEV targets

8.8 High

Google Chromium V8 Engine contains a memory corruption vulnerability that allows a remote attacker to execute code via a crafted HTML page. …

Attack vector: NETWORK
Complexity: LOW
Published: 25/04/2017
Modified: 22/04/2026

CWE-125

CVE-2025-43520 targets

7.1 High

A memory corruption issue was addressed with improved memory handling. This issue is fixed in watchOS 26.1, iOS 18.7.2 and iPadOS 18.7.2, …

Published: 12/12/2025
Modified: 16/12/2025

Analyzed

CVE-2024-7344 targets

8.2 High

Howyar UEFI Application "Reloader" (32-bit and 64-bit) is vulnerable to execution of unsigned software in a hardcoded path.

Attack vector: LOCAL
Published: 14/01/2025
Modified: 21/12/2025

Analyzed

CVE-2025-29824 KEV targets

7.8 High

Microsoft Windows Common Log File System (CLFS) Driver contains a use-after-free vulnerability that allows an authorized attacker to elevate privileges locally.

Attack vector: Local
Published: 08/04/2025
Modified: 21/12/2025

Undergoing Analysis

CVE-2017-11882 KEV targets

7.8 High

Microsoft Office contains a memory corruption vulnerability that allows remote code execution in the context of the current user.

Attack vector: Local
Complexity: Low
Published: 15/11/2017
Modified: 29/05/2026

CWE-119

CVE-2022-41352 KEV targets

9.8 Critical

Synacor Zimbra Collaboration Suite (ZCS) allows an attacker to upload arbitrary files using cpio package to gain incorrect access to any other …

Attack vector: Network
Published: 20/10/2022
Modified: 20/12/2025

CVE-2025-20362 KEV targets

6.5 Medium

A vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense …

Attack vector: Network
Published: 25/09/2025
Modified: 21/12/2025

Analyzed

← Previous

Page / 6

1–12 of 71

Quick Assist uses

The MITRE Corporation Confidence 100

[Quick Assist](https://attack.mitre.org/software/S1209) is a remote assistance tool primarily for Microsoft Windows, although a macOS version also exists. [Quick Assist](https://attack.mitre.org/software/S1209) allows for remote screen sharing and, with end user…

Contact About Legal notice Privacy policy Terms of use

T1113: T1113

Essential information

Aliases

Platforms

Description

Kill chain phases

Marking (TLP)

External references

Related entities

Intrusion sets (APT) (61)

Malware (80)

Reports (50)

Vulnerabilities (CVE) (71)

Tool (1)