DET0346: Detect Screen Capture via Commands and API Calls
Analyst context for executives and security teams
DET0346 is a detection strategy for identifying screen capture behavior performed through commands or API calls. Its business significance is that screenshots can expose sensitive data visible on user desktops, administrator consoles, cloud portals, email, chat, documents, or operational systems after an attacker already has access. Even though the ATT&CK object does not provide detailed detection logic, its relationship to T1113 Screen Capture makes it relevant to collection-stage monitoring across Windows, macOS, and Linux environments.
Executive priority
Security leaders should treat this as a validation item for post-compromise visibility: can the organization tell when an endpoint is being used to capture visible information? This matters for incident scoping, privacy and compliance evidence, executive workstation protection, administrator account monitoring, and environments where screens may expose operational or cyber-physical data. Priority should be based on where sensitive workflows occur on endpoints and whether SOC tooling captures command execution, API-relevant endpoint behavior, and suspicious screenshot artifact creation.
Technical view
The supplied ATT&CK relationship states this detection strategy detects T1113 Screen Capture, a collection technique that may use remote access tooling, native utilities, or API calls such as CopyFromScreen, xwd, or screencapture. SOC and detection engineering teams should validate visibility for command-line execution and endpoint behaviors associated with screenshot creation, especially on Windows, macOS, and Linux systems covered by the related technique. Because the official detection field is not provided, teams should avoid assuming coverage and instead test whether current EDR, endpoint logging, and SIEM content can distinguish expected user or IT activity from unusual screenshot activity by process, parent process, user context, host role, timing, and output file patterns.
Likely telemetry
- Endpoint process creation events with command-line arguments
- Parent-child process relationships for native screenshot utilities or scripting runtimes
- File creation or modification events for image files produced by screenshot activity
- Endpoint detection telemetry for screen capture API usage where available
- User, host, and session context for interactive desktop activity
Detection direction
- Confirm whether detections cover both command-driven screenshot utilities and API-based capture behavior; command-only monitoring may miss tool-integrated or API-driven collection.
- Tune for context: legitimate help desk, collaboration, QA, accessibility, and user-initiated screenshot workflows can create false positives.
- Prioritize higher-risk contexts such as privileged users, administrator workstations, cloud administration sessions, finance/legal systems, and hosts involved in active incident investigations.
- Correlate screenshot behavior with suspicious remote access, unusual parent processes, scripting activity, or execution outside normal user workflows.
- Validate coverage separately across Windows, macOS, and Linux because the related technique spans those platforms and telemetry sources differ.
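To make the context dimensions in the Technical view and Detection direction concrete (process and command line, parent process, user and host role, timing, output file pattern), here is an added Python example that scores constructed endpoint process-creation events for the T1113 indicators the related technique names (screencapture, xwd, CopyFromScreen). This is illustrative code, not logic from the MITRE object or the Glexia analysis: the event schema, the indicator and parent-process lists, the host-role names, the weights and the alert threshold are all assumptions to be tuned against local telemetry, and the sample events are constructed.

```python
"""Score process-creation events for screen-capture (T1113) context.

Added example; field names, lists, weights and sample events are assumptions.
"""
import re
from datetime import datetime

# Process/command-line indicators. screencapture, xwd and CopyFromScreen come
# from the related T1113 technique; "import -window" (ImageMagick) is an
# assumed addition for Linux fleets.
CAPTURE_INDICATORS = ("screencapture", "xwd", "copyfromscreen", "import -window")

# Parents suggesting scripted or remote execution rather than a person at the
# desktop (assumed list; tune to your environment).
SCRIPTED_OR_REMOTE_PARENTS = {
    "sshd", "cron", "wscript.exe", "cscript.exe", "mshta.exe",
    "powershell.exe", "pwsh", "python", "python3", "services.exe",
}
# Parents that indicate an interactive desktop or shell session.
INTERACTIVE_PARENTS = {"explorer.exe", "terminal", "finder", "gnome-terminal", "bash", "zsh"}
# Host roles where visible screen content is most sensitive (assumed naming).
HIGH_VALUE_ROLES = {"admin-workstation", "jumphost", "finance", "legal", "cloud-admin"}

# Image output written to temp or hidden locations instead of user folders.
IMAGE_OUTPUT = re.compile(r"\S+\.(png|jpg|jpeg|bmp|xwd)\b", re.I)
TEMP_OUTPUT = re.compile(r"(/tmp/|/var/tmp/|\\temp\\|/\.[^/ ]+\.(png|jpg|jpeg|bmp|xwd))", re.I)

BUSINESS_HOURS = range(7, 19)  # 07:00-18:59 local, assumed
ALERT_THRESHOLD = 3


def score_event(ev: dict) -> tuple[int, list[str]]:
    """Return (score, reasons). A score of 0 means no capture indicator matched."""
    cmd = (ev.get("process", "") + " " + ev.get("cmdline", "")).lower()
    if not any(ind in cmd for ind in CAPTURE_INDICATORS):
        return 0, []
    score, reasons = 1, ["capture indicator in process/command line"]

    parent = ev.get("parent", "").lower()
    if parent in SCRIPTED_OR_REMOTE_PARENTS:
        score += 2
        reasons.append(f"scripted/remote parent {parent}")
    elif parent in INTERACTIVE_PARENTS:
        reasons.append(f"interactive parent {parent} (likely user-initiated)")

    if ev.get("host_role", "").lower() in HIGH_VALUE_ROLES:
        score += 1
        reasons.append(f"high-value host role {ev['host_role']}")

    if datetime.fromisoformat(ev["ts"]).hour not in BUSINESS_HOURS:
        score += 1
        reasons.append("execution outside business hours")

    out = IMAGE_OUTPUT.search(ev.get("cmdline", ""))
    if out and TEMP_OUTPUT.search(out.group(0)):
        score += 1
        reasons.append(f"output to temp/hidden path {out.group(0)}")
    return score, reasons


def triage(events: list[dict]) -> list[dict]:
    """Return alert records for events at or above ALERT_THRESHOLD."""
    alerts = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= ALERT_THRESHOLD:
            alerts.append({"id": ev["id"], "host": ev["host"], "user": ev["user"],
                           "score": score, "reasons": reasons})
    return alerts


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"id": 1, "host": "mac-design-07", "host_role": "workstation", "user": "jdoe",
     "ts": "2026-03-10T11:04:22", "process": "screencapture", "parent": "Terminal",
     "cmdline": "screencapture -x /Users/jdoe/Desktop/mockup.png"},
    {"id": 2, "host": "lnx-jump-01", "host_role": "jumphost", "user": "svc-backup",
     "ts": "2026-03-10T02:31:09", "process": "xwd", "parent": "sshd",
     "cmdline": "xwd -root -silent -out /tmp/.cache.xwd"},
    {"id": 3, "host": "win-fin-12", "host_role": "finance", "user": "a.smith",
     "ts": "2026-03-10T14:12:51", "process": "powershell.exe", "parent": "wscript.exe",
     "cmdline": "powershell.exe -NoProfile -WindowStyle Hidden -Command "
                "\"... CopyFromScreen ... C:\\Windows\\Temp\\cap.png\""},
    {"id": 4, "host": "win-hd-03", "host_role": "workstation", "user": "helpdesk.tech",
     "ts": "2026-03-10T09:45:00", "process": "SnippingTool.exe", "parent": "explorer.exe",
     "cmdline": "SnippingTool.exe"},
    {"id": 5, "host": "lnx-ops-04", "host_role": "admin-workstation", "user": "ops",
     "ts": "2026-03-10T16:00:00", "process": "import", "parent": "bash",
     "cmdline": "import -window root /home/ops/screens/dash.png"},
]

if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(f"ALERT event {a['id']} {a['host']} {a['user']} score={a['score']}: "
              + "; ".join(a["reasons"]))
```

Events 2 and 3 cross the threshold (remote or scripted parent, sensitive host role, temp-path output); event 1 is a user at a terminal saving to the desktop and event 5 an administrator capturing a dashboard, both kept below it; event 4 never matches an indicator because the Snipping Tool leaves no command-line marker, which is the command-only gap the Detection direction warns about.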
Mitigation priorities
- Start with visibility: ensure endpoint process, command-line, file, and user/session telemetry is collected from systems where sensitive information is viewed.
- Apply least privilege and access segmentation so compromised users or tools have less opportunity to view high-value information before capture occurs.
- Use application control or policy restrictions where appropriate to limit unauthorized screenshot utilities, scripts, or unapproved remote access tooling.
- Review operating system privacy and screen-recording controls where available, especially for managed macOS and endpoint fleets handling sensitive data.
- Include screen capture behavior in incident response playbooks so responders know how to scope potential data exposure from visible desktop content.
Analyst notes and limits
This take is based on the detection strategy name, the MITRE external reference DET0346, and the relationship showing it detects T1113 Screen Capture. The related technique provides the collection context and examples of native utilities or API calls. The ATT&CK object itself does not include an official description, official detection text, tactics, or platforms, so practical implementation must be validated against local endpoint telemetry and business workflows.
No official detection logic, data sources, analytics, or platform list were supplied for DET0346. Platform references come only from the related T1113 technique. This summary does not assert active exploitation, actor attribution, customer exposure, or guaranteed detectability.
Detect Screen Capture via Commands and API Calls
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1113 | Screen Capture | This object detects Screen Capture. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 00dbf09b625f… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: DET0346 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.