AN0980: Analytic 0980
Unusual use of screen capture APIs (e.g., CopyFromScreen) or command-line tools to write image files to disk.
Analyst context for executives and security teams
This analytic points to unusual screen-capture behavior on Windows, such as applications or command-line tools using screen capture APIs or saving screenshots as image files. For leaders, the practical issue is not the screenshot itself but whether the organization can tell the difference between normal business use and activity that could expose sensitive data, regulated information, privileged sessions, or incident response activity.
Executive priority
Prioritize this as a visibility and governance question: do security teams have evidence of who or what is capturing screens, where images are written, and whether that behavior is expected for the user, device, or business process? This matters for data protection, insider-risk review, incident scoping, and audit evidence around monitoring of sensitive workstations or administrative environments.
Technical view
For Windows endpoints, validate whether telemetry can identify unusual use of screen capture APIs such as CopyFromScreen and command-line or scripted activity that writes image files to disk. Since no official detection logic or ATT&CK tactic is supplied, SOC teams should build environment-specific baselines around legitimate screenshot utilities, collaboration tools, helpdesk software, browsers, RPA workflows, and accessibility tools before treating activity as suspicious.
Likely telemetry
- Windows endpoint process creation and command-line telemetry
- File creation events for image formats written to user, temporary, shared, or unusual directories
- EDR or application telemetry showing screen capture API usage where available
- Parent-child process context for command-line, scripting, remote support, or administrative tools
- User logon/session context, including interactive versus non-interactive use
Detection direction
- Baseline approved screenshot, collaboration, remote support, and productivity tools to reduce false positives.
- Look for image-file creation by unusual processes, scripts, unsigned or rarely seen binaries, or processes without a normal business reason to capture the screen.
- Prioritize events on privileged workstations, administrative sessions, finance/legal systems, or devices handling regulated data.
- Correlate screen capture activity with remote access, scripting, archive creation, or outbound transfer where local telemetry supports it.
- Account for blind spots: native API use may not be visible in standard Windows logs without EDR or application-level telemetry, and file-only detections may miss screenshots held in memory or immediately exfiltrated.
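The detection direction above can be expressed as a first-pass triage rule over normalized file-create events. The following Python is an added example, not part of the original analytic or any vendor's detection content: it assumes file-create events (Sysmon-style or EDR) normalized into a dict with `host`, `user`, `image`, `signed`, `target`, and `session` fields, an approved-tool baseline, and a sensitive-host list, all of which are constructed placeholders that a real deployment would replace with its own inventory. It suppresses image writes by baselined tools and scores the rest by writer type, signing, destination directory, host sensitivity, and session type, so that the highest-risk events surface first.

```python
"""Triage of image-file writes from file-create telemetry (constructed example)."""
from pathlib import PureWindowsPath

IMAGE_EXTENSIONS = {".png", ".jpg", ".jpeg", ".bmp", ".gif", ".tiff"}

# Hypothetical approved baseline of tools expected to save screenshots.
# A real baseline must come from the environment's own software inventory.
APPROVED_BASELINE = {
    "snippingtool.exe", "screenclippinghost.exe", "ms-teams.exe",
    "greenshot.exe", "chrome.exe", "msedge.exe",
}

# Script hosts and LOLBins that have no inherent business reason to write screenshots.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe"}

# Directory markers where screenshot staging is unusual for most users (assumed).
UNUSUAL_DIR_MARKERS = ("\\appdata\\local\\temp\\", "\\programdata\\",
                       "\\windows\\temp\\", "\\users\\public\\")

# Constructed list of privileged or regulated-data hosts (lower-case hostnames).
SENSITIVE_HOSTS = {"admin-jump-02", "ws-fin-01"}


def score_event(event, sensitive_hosts):
    """Return (score, reasons) for one file-create event, or None when the event
    is not an image write or the writer is on the approved baseline."""
    target = PureWindowsPath(event["target"])
    if target.suffix.lower() not in IMAGE_EXTENSIONS:
        return None
    writer = PureWindowsPath(event["image"]).name.lower()
    if writer in APPROVED_BASELINE:
        return None

    score, reasons = 1, ["image write by non-baselined process"]
    if writer in SCRIPT_HOSTS:
        score += 3
        reasons.append("writer is a script host or LOLBin")
    if not event.get("signed", True):
        score += 2
        reasons.append("writer binary is unsigned")
    if any(m in str(target).lower() for m in UNUSUAL_DIR_MARKERS):
        score += 1
        reasons.append("image written to temp, shared, or unusual directory")
    if event["host"].lower() in sensitive_hosts:
        score += 2
        reasons.append("sensitive or privileged host")
    if event.get("session") == "non-interactive":
        score += 2
        reasons.append("non-interactive session (service, task, or remote)")
    return score, reasons


def triage_image_writes(events, sensitive_hosts=SENSITIVE_HOSTS):
    """Score every event and return findings sorted from highest to lowest risk."""
    findings = []
    for ev in events:
        result = score_event(ev, sensitive_hosts)
        if result is None:
            continue
        score, reasons = result
        findings.append({"host": ev["host"], "user": ev["user"], "image": ev["image"],
                         "target": ev["target"], "score": score, "reasons": reasons})
    findings.sort(key=lambda f: f["score"], reverse=True)
    return findings


# Constructed sample events; none of these are real telemetry.
SAMPLE_EVENTS = [
    {"host": "WS-FIN-01", "user": "alice", "image": "C:\\Windows\\System32\\SnippingTool.exe",
     "signed": True, "target": "C:\\Users\\alice\\Pictures\\Screenshots\\invoice.png",
     "session": "interactive"},
    {"host": "ADMIN-JUMP-02", "user": "bob", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "signed": True, "target": "C:\\Users\\bob\\AppData\\Local\\Temp\\cap_0001.png",
     "session": "interactive"},
    {"host": "WS-HR-07", "user": "SYSTEM", "image": "C:\\ProgramData\\scr\\updater.exe",
     "signed": False, "target": "C:\\ProgramData\\scr\\shot.jpg",
     "session": "non-interactive"},
    {"host": "WS-ENG-03", "user": "carol", "image": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE",
     "signed": True, "target": "C:\\Users\\carol\\Documents\\report.docx",
     "session": "interactive"},
    {"host": "WS-ENG-03", "user": "carol", "image": "C:\\Windows\\System32\\mspaint.exe",
     "signed": True, "target": "C:\\Users\\carol\\Pictures\\diagram.png",
     "session": "interactive"},
]

if __name__ == "__main__":
    for finding in triage_image_writes(SAMPLE_EVENTS):
        print(finding["score"], finding["host"], finding["image"], "|", "; ".join(finding["reasons"]))
```

Of the five constructed events, the approved Snipping Tool write on a sensitive host is suppressed, the non-image write is ignored, and the remaining three are ranked: a script host writing to a temp directory on a jump host scores highest, an unsigned binary writing from a service context under ProgramData is next, and a plain Paint save lands at the bottom. The scoring weights are illustrative; the design point is that the baseline, the host list, and the weights are environment data, not fixed logic, which is why the analytic cannot ship with official detection content.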
Mitigation priorities
- Define and document approved business use cases for screenshot and remote support tools.
- Use application control or software governance to limit unapproved screen capture utilities where operationally feasible.
- Harden privileged and sensitive workstations with stricter monitoring, least privilege, and controlled remote support workflows.
- Retain endpoint and file telemetry long enough to support incident response and compliance review.
- Pair detection with data handling controls, such as monitoring of sensitive directories and outbound transfer paths, rather than relying only on screenshot creation events.
Analyst notes and limits
The supplied ATT&CK object is a detection analytic, AN0980, for Windows. It describes unusual use of screen capture APIs or command-line tools writing image files to disk. No ATT&CK tactic, official detection procedure, or relationship context was supplied, so this analysis focuses on defensive validation and telemetry readiness rather than specific adversary tradecraft.
Assessment is limited by sparse official fields: no detection logic, no related techniques, no relationships, and no tactic mapping were provided. Local baselines are required because many legitimate applications capture or save screenshots during normal business operations.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 3080ddeac5f1… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: AN0980
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.