MITRE ATT&CK® Detection Strategy

DET0668: Detection of Screen Capture


Mobile | DET0668 | Detection Strategy | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DET0668 is a mobile ATT&CK detection strategy for identifying behavior related to Screen Capture (T1513). The business issue is potential exposure of sensitive information displayed on Android devices, including user data, credentials, or application content. Because the detection strategy itself has no official description or detection logic, leaders should treat it as a prompt to validate whether mobile security monitoring can observe and investigate unauthorized or suspicious screen-capture activity, rather than as a ready-made detection.

Executive priority

Prioritize this where Android devices handle sensitive business data, regulated information, privileged access, or operational workflows. The key decision is whether the organization can produce evidence that screen-capture risk is controlled: policy, device/app controls, user-consent expectations, and incident response visibility. This matters for data protection, identity exposure, compliance readiness, and mobile incident triage, but local device management and telemetry determine actual coverage.

Technical view

The only supplied relationship is that DET0668 detects T1513 Screen Capture in the mobile-attack domain, and the related technique lists Android as its platform. The technique notes that background applications may capture screenshots or video of foreground applications using Android MediaProjectionManager, which generally requires the user to accept a system consent dialog (the one returned by createScreenCaptureIntent); on Android 14 and later the capturing app must also run a foreground service of type mediaProjection, which leaves a footprint in app inventory and process telemetry. SOC and mobile security teams should validate whether they can observe screen-capture consent grants, MediaProjection sessions, suspicious background app behavior, and the identity of the foreground app at capture time. Because MITRE provides no official detection text for DET0668, detection engineering should be based on local Android telemetry, MDM/UEM capabilities, app logs, and mobile threat defense signals where available.

Likely telemetry

  • Android permission and consent events related to screen capture or media projection where available
  • MDM/UEM or mobile threat defense alerts for suspicious screen recording or screenshot behavior
  • Application foreground/background state or app activity context, if collected
  • Installed application inventory and app reputation or trust context
  • Device event logs or security telemetry that can show screen recording, screenshot, or overlay-adjacent activity

Detection direction

  • Confirm whether existing mobile telemetry can identify MediaProjectionManager-related screen capture activity as it happens, or only policy violations after the fact. Capture through an accessibility service (also covered by T1513) produces no MediaProjection consent event, so accessibility-service grants need their own check.
  • Tune investigations around sensitive app context, unusual background applications, newly installed apps, or screen-capture activity near authentication and data-access workflows.
  • Account for false positives from legitimate collaboration, accessibility, support, productivity, or user-authorized recording use cases.
  • Do not assume enterprise-wide coverage from this ATT&CK object; the detection strategy has no official detection procedure, and the object itself lists no platforms or tactics.
  • Use the T1513 relationship to scope validation to Android screen capture risk, while documenting any gaps for unmanaged or personally owned devices.
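
As an added example (not part of DET0668, MITRE, or Glexia's own tooling), the following Python shows the two checks described in the technical view and detection direction above: an inventory hunt for apps that can run a media-projection foreground service, and a correlation of capture-start events with the foreground app and app age. The event schema, field names and package names are assumptions, and the inventory and event records are constructed for the example; a real MDM/UEM or mobile threat defense export will need its own parser in place of the inline data.

```python
"""Added example: triage of Android screen-capture telemetry.

The event schema (event names and fields) is an assumption; real MDM/UEM or
MTD exports differ. All inventory and event records below are constructed.
"""
from datetime import datetime, timedelta

# Android 14 (API 34) requires apps that use MediaProjection to declare this
# permission for their foreground service, so it is a usable capability signal.
MP_FGS_PERMISSION = "android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION"

# Assumed organisational context (hypothetical package names).
APPROVED_CAPTURE_APPS = {"com.example.helpdesk"}              # approved support tool
SENSITIVE_FOREGROUND = {"com.example.bank", "com.example.sso"}  # sensitive screens

# Constructed app inventory: (package, declared permissions).
INVENTORY = [
    ("com.example.helpdesk", {MP_FGS_PERMISSION}),
    ("com.example.bank", set()),
    ("com.weather.free", {MP_FGS_PERMISSION, "android.permission.INTERNET"}),
]

# Constructed device events: ISO 8601 timestamp, event type, package.
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "type": "app_install", "pkg": "com.weather.free"},
    {"ts": "2024-05-03T12:00:00", "type": "app_foreground", "pkg": "com.example.bank"},
    {"ts": "2024-05-03T12:00:30", "type": "media_projection_start", "pkg": "com.weather.free"},
    {"ts": "2024-05-03T14:00:00", "type": "app_foreground", "pkg": "com.android.chrome"},
    {"ts": "2024-05-03T14:01:00", "type": "media_projection_start", "pkg": "com.example.helpdesk"},
]


def capture_capable(inventory, approved=APPROVED_CAPTURE_APPS):
    """Hunt: packages able to run a media-projection foreground service that are
    not on the approved list. Only meaningful for Android 14+ inventories."""
    return sorted(pkg for pkg, perms in inventory
                  if MP_FGS_PERMISSION in perms and pkg not in approved)


def correlate(events, approved=APPROVED_CAPTURE_APPS,
              sensitive=SENSITIVE_FOREGROUND, new_app_days=7):
    """Score each media_projection_start against the foreground app at that
    moment and the capturing app's install age; return a list of alerts."""
    parsed = sorted(({**e, "ts": datetime.fromisoformat(e["ts"])} for e in events),
                    key=lambda e: e["ts"])
    installed_at = {}   # package -> install time seen in this event stream
    foreground = None   # most recent foreground package
    alerts = []
    for e in parsed:
        if e["type"] == "app_install":
            installed_at[e["pkg"]] = e["ts"]
        elif e["type"] == "app_foreground":
            foreground = e["pkg"]
        elif e["type"] == "media_projection_start":
            reasons = []
            if e["pkg"] not in approved:
                reasons.append("capturing app not approved")
            if foreground in sensitive:
                reasons.append(f"sensitive app in foreground: {foreground}")
            # Unknown install time counts as old, so only fresh installs fire.
            age = e["ts"] - installed_at.get(e["pkg"], datetime.min)
            if age <= timedelta(days=new_app_days):
                reasons.append("capturing app installed recently")
            if reasons:
                alerts.append({"ts": e["ts"].isoformat(), "pkg": e["pkg"],
                               "foreground": foreground, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    print("capture-capable, unapproved:", capture_capable(INVENTORY))
    for alert in correlate(EVENTS):
        print(alert)
```

In the constructed data the helpdesk capture is approved, lands on a non-sensitive foreground app and has no fresh install record, so it produces no alert; the weather app's capture fires on all three conditions. Tune the approved set and the sensitive set to the organisation, and treat a missing install timestamp as "unknown" rather than "safe" if the inventory feed is known to be incomplete.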

Mitigation priorities

  • Define policy for when screen capture is allowed on mobile devices that access sensitive business applications.
  • Use mobile device or application management controls to restrict screen capture for high-risk applications where supported; on managed Android devices a device policy controller can disable screenshots and screen recording for the managed user or work profile (DevicePolicyManager.setScreenCaptureDisabled).
  • Review application handling of sensitive screens, credentials, and regulated data to reduce exposure if screenshots or video capture occur; on Android, windows that show such content can be marked with WindowManager.LayoutParams.FLAG_SECURE so the system excludes them from screenshots and MediaProjection output.
  • Require mobile telemetry retention and incident response procedures sufficient to investigate suspicious screen-capture reports or alerts.
  • Educate users to recognize unexpected screen-capture consent prompts and report suspicious behavior.

Analyst notes and limits

This Glexia take is intentionally conservative because DET0668 has no official description, no official detection guidance, and no platforms listed on the detection-strategy object. The practical content is derived from the supplied relationship to T1513 Screen Capture and the related Android description, especially the reference to MediaProjectionManager and user consent.

Coverage, event names, and enforcement options depend on the organization’s Android versions, device ownership model, MDM/UEM configuration, mobile security tooling, and application design. The supplied ATT&CK data does not provide detection analytics, log sources, tactics, or evidence of active exploitation or attribution.

Official MITRE ATT&CK definition

Detection of Screen Capture

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain | ID    | Name           | Relationship / procedure
Mobile | T1513 | Screen Capture | This object detects Screen Capture.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
dcc7ca608ccc750f...
Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | dcc7ca608ccc…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] mitre-attack DET0668 (external source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.