T1113: T1113

Search IOCs, vulnerabilities, APT…

216.73.216.226

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 31/05/2017 23:31 · Modified 27/03/2026 01:07

Essential information

MITRE technique ID: T1113
Confidence: 100/100
Revoked: No
Published: 31/05/2017 23:31
Modified: 27/03/2026 01:07
Author / Source: The MITRE Corporation

Aliases

Screen Capture

Platforms

windows macos linux

Description

Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen`, `xwd`, or `screencapture`.(Citation: CopyFromScreen .NET)(Citation: Antiquated Mac Malware)

Kill chain phases

Kill chain	Phase
mitre-attack	collection

Marking (TLP)

External references

Antiquated Mac Malware
CopyFromScreen .NET
mitre-attack (T1113)

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (61)

ANTONIO EDUARDO FREDERICO uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
SideCopy uses

The MITRE Corporation Confidence 100

[SideCopy](https://attack.mitre.org/groups/G1008) is a Pakistani threat group that has primarily targeted South Asian countries, including Indian and Afghani government personnel, since at least 2019. [SideCopy](https://attack.mitre.org/groups/G1008)'s name comes from its…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Andariel uses Silent ChollimaPLUTONIUM

The MITRE Corporation Confidence 100

[Andariel](https://attack.mitre.org/groups/G0138) is a North Korean state-sponsored threat group that has been active since at least 2009. [Andariel](https://attack.mitre.org/groups/G0138) has primarily focused its operations--which have included destructive attacks--against South Korean…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Team46 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Pensive Ursa uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
FakeTicketer uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Batavia uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Void Blizzard uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
zEus uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT-C-00 (OceanLotus) uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT-C-60 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Banshee uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 6

1–12 of 61

XMRig uses

Family
PteroPSLoad uses

Family
XcLoader uses

Family
Remus uses

Family
Xehook uses
HelloDoor uses

Family
DownExPyer uses

Family
Woody RAT uses
PteroPowder uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
ToneShell uses

Family
Skitnet uses

Family
NightClub uses

Family The MITRE Corporation Confidence 100

[NightClub](https://attack.mitre.org/software/S1090) is a modular implant written in C++ that has been used by [MoustachedBouncer](https://attack.mitre.org/groups/G1019) since at least 2014.(Citation: MoustachedBouncer ESET August 2023)

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 7

1–12 of 80

Inside OnyxC2: The New Stealer Targeting 210 Apps related

15 MITREs 1 Malware 4 Observables
Threat Actors Weaponize AI Hype to Deliver AsyncRAT related

AlienVault Confidence 100 19 MITREs 1 Malware 6 IOCs 6 Observables
Argamal: Malware hidden in hentai games related

1 CVE 19 MITREs 2 Malwares 2 Observables
Impersonation, Click Hijacking, and TDS: Inside a Malware … related

AlienVault Confidence 100 20 MITREs 3 Malwares 64 IOCs 64 Observables
TA4922: The Suspected Chinese Crime Group is Going … related

AlienVault Confidence 100 23 MITREs 8 Malwares 23 IOCs 23 Observables 1 APT
Nimbus RAT: How Threat Actors Are Abusing Microsoft … related

30 MITREs 1 Malware 3 Observables
Phishing Campaign Deploys JavaScript-Driven PureLogs Variant to Steal … related

AlienVault Confidence 100 23 MITREs 1 Malware 8 IOCs 8 Observables
Tracking TamperedChef Clusters via Certificate and Code Reuse related

1 CVE 21 MITREs 22 Malwares 3 Observables
Inside Banana RAT: From Build Server to Banking … related

20 MITREs 8 Malwares 8 Observables 1 APT
Cato CTRL Threat Research: Suspected China-Linked Threat Actor … related

AlienVault Confidence 100 17 MITREs 1 Malware 53 IOCs 53 Observables
Kazuar: Anatomy of a nation-state botnet related

AlienVault Confidence 100 24 MITREs 2 Malwares 4 IOCs 4 Observables 1 APT
Disclosing new PebbleDash-based tools related

AlienVault Confidence 100 20 MITREs 16 Malwares 25 IOCs 25 Observables 1 APT

← Previous

Page / 5

13–24 of 50

Vulnerabilities (CVE) (71)

CVE-2025-4632 targets

9.8 Critical

Improper limitation of a pathname to a restricted directory vulnerability in Samsung MagicINFO 9 Server version before 21.1052 allows attackers to write …

Published: 13/05/2025
Modified: 13/05/2025

Received

CVE-2025-8088 KEV targets

8.8 High

RARLAB WinRAR contains a path traversal vulnerability affecting the Windows version of WinRAR. This vulnerability could allow an attacker to execute arbitrary …

Attack vector: Network
Published: 12/08/2025
Modified: 27/05/2026

CVE-2025-20337 KEV targets

10.0 Critical

A vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to execute arbitrary code …

Attack vector: Network
Published: 28/07/2025
Modified: 21/12/2025

Analyzed

CVE-2017-0199 KEV targets

7.8 High

Microsoft Office and WordPad contain an unspecified vulnerability due to the way the applications parse specially crafted files. Successful exploitation allows for …

Attack vector: LOCAL
Complexity: LOW
Published: 12/04/2017
Modified: 22/04/2026

CVE-2022-1388 KEV targets

F5 BIG-IP contains a missing authentication in critical function vulnerability which can allow for remote code execution, creation or deletion of files, …

Published: 10/05/2022
Modified: 20/12/2025

CVE-2023-39143 targets

9.8 Critical

PaperCut NG and PaperCut MF before 22.1.3 on Windows allow path traversal, enabling attackers to upload, read, or delete arbitrary files. This …

Attack vector: NETWORK
Published: 04/08/2023
Modified: 08/05/2026

CVE-2023-3420 targets

8.8 High

Type Confusion in V8 in Google Chrome prior to 114.0.5735.198 allowed a remote attacker to potentially exploit heap corruption via a crafted …

Attack vector: NETWORK
Published: 26/06/2023
Modified: 21/12/2025

CVE-2025-8110 KEV targets

8.7 High

Gogs contains a path traversal vulnerability affecting improper Symbolic link handling in the PutContents API that could allow for code execution.

Attack vector: NETWORK
Published: 20/12/2025
Modified: 22/01/2026

Awaiting Analysis

CVE-2024-47575 KEV targets

9.8 Critical

A missing authentication for critical function in FortiManager 7.6.0, FortiManager 7.4.0 through 7.4.4, FortiManager 7.2.0 through 7.2.7, FortiManager 7.0.0 through 7.0.12, FortiManager …

Attack vector: Network
Published: 23/10/2024
Modified: 21/12/2025

Analyzed

CVE-2020-6418 KEV targets

Google Chromium V8 Engine contains a type confusion vulnerability allows a remote attacker to potentially exploit heap corruption via a crafted HTML …

Published: 03/11/2021
Modified: 21/12/2025

CVE-2025-20333 KEV targets

9.9 Critical

A vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense …

Attack vector: Network
Published: 25/09/2025
Modified: 21/12/2025

Analyzed

CVE-2025-61882 KEV targets

9.8 Critical

Vulnerability in the Oracle Concurrent Processing product of Oracle E-Business Suite (component: BI Publisher Integration). Supported versions that are affected are 12.2.3-12.2.14. …

Attack vector: Network
Published: 06/10/2025
Modified: 21/12/2025

Modified

← Previous

Page / 6

13–24 of 71

Quick Assist uses

The MITRE Corporation Confidence 100

[Quick Assist](https://attack.mitre.org/software/S1209) is a remote assistance tool primarily for Microsoft Windows, although a macOS version also exists. [Quick Assist](https://attack.mitre.org/software/S1209) allows for remote screen sharing and, with end user…

Contact About Legal notice Privacy policy Terms of use

T1113: T1113

Essential information

Aliases

Platforms

Description

Kill chain phases

Marking (TLP)

External references

Related entities

Intrusion sets (APT) (61)

Malware (80)

Reports (50)

Vulnerabilities (CVE) (71)

Tool (1)