AN0981: Analytic 0981

This analytic is about spotting suspicious macOS screen-capture behavior, especially when built-in tools such as screencapture or undocumented APIs are invoked by unusual parent processes. For leaders, the value is not just detecting a command: it is validating whether the organization can see when endpoints may be used to collect sensitive on-screen information.

Executive priority

Prioritize this where macOS systems handle sensitive data, privileged administration, executive communications, regulated information, or operational workflows. The business question is whether the SOC and incident response teams can prove they have enough endpoint visibility to investigate suspicious screen-capture activity and distinguish legitimate user or support activity from abnormal parent-process behavior.

Technical view

Because the official object provides no detection logic and no ATT&CK tactic, defenders should treat AN0981 as a validation prompt for macOS endpoint telemetry. Confirm visibility into process creation, command-line arguments, parent-child process relationships, and evidence of screen-capture API or screencapture usage where available. Detection engineering should focus on suspicious parent processes launching built-in screen-capture functionality rather than alerting on all screen captures, which may create high false positives.

Likely telemetry

macOS process creation events
Command-line arguments for built-in tools such as screencapture
Parent and child process relationships
Endpoint security or EDR events showing process lineage
Application or API activity related to screen capture where available

Detection direction

Validate whether macOS telemetry captures process lineage and command-line detail reliably enough to identify unusual parents invoking screencapture.
Build allowlists or baselines for known legitimate screen-capture sources, such as expected user actions or approved support/workflow tools, before escalating abnormal parent processes.
Investigate suspicious parent processes, unexpected automation contexts, or screen-capture activity occurring outside normal user-driven workflows.
Account for blind spots where undocumented API usage may not create the same process command evidence as direct screencapture execution.
Correlate with endpoint context and user activity before treating a screen-capture event as malicious, because legitimate macOS use can resemble the behavior at a command level.

Mitigation priorities

Ensure managed macOS endpoints have endpoint telemetry capable of recording process lineage and command-line execution.
Review macOS privacy and screen-recording permissions for applications that do not require them.
Restrict or remove unnecessary tools, scripts, or applications that can initiate screen capture from unmanaged or untrusted contexts.
Use incident response playbooks to triage suspicious screen-capture activity with user, process, and device context.
Maintain compliance evidence showing which macOS systems have monitoring coverage for sensitive data exposure scenarios.

Analyst notes and limits

The supplied ATT&CK object is a detection analytic, not a full technique description. Its concrete signal is limited to suspicious macOS invocation of built-in commands like screencapture or use of undocumented APIs from suspicious parent processes. No relationships, tactics, or official detection implementation were supplied, so local baselining and telemetry validation are essential.

Official detection content is not provided, relationship context is absent, and the only supported platform is macOS. This take should not be read as proof of active exploitation, attribution, business impact, or existing detection coverage in any environment.

Official MITRE ATT&CK definition

Analytic 0981

Invocation of built-in commands like screencapture or use of undocumented APIs from suspicious parent processes.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.0
Created: Oct 21, 2025, 15:10 UTC (UTC+00:00)
Modified: Oct 21, 2025, 15:10 UTC (UTC+00:00)
Raw hash: 86fe3b1d9dbd8966...

Imported snapshots across ATT&CK releases (1)

Release	Bundle imported	Object version	Modified	Status	Raw hash
19.1	May 18, 2026, 07:08 UTC (UTC+00:00)	1.0	Oct 21, 2025, 15:10 UTC (UTC+00:00)	Current bundle	`86fe3b1d9dbd…`

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1]
mitre-attack AN0981
Open source URL

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use

Analyst context for executives and security teams