DET0751: Detection of Screen Capture
Analyst context for executives and security teams
DET0751 is a MITRE ATT&CK for ICS detection strategy for identifying Screen Capture behavior. In an industrial environment, screen captures can expose HMI views, alarms, process data, layout information, device status, or schematics that help an adversary understand operations. The business issue is not just data loss; it is loss of operational context that could support later disruption or unsafe decision-making.
Executive priority
Treat this as an ICS visibility and resilience question: can the organization tell when sensitive control-room or engineering workstation displays are being captured, by whom, and from where? Leaders should ask whether monitoring, access governance, and incident response plans cover systems that display process, alarm, and control information. Because the ATT&CK object provides no official detection text or platform scope, priority should be driven by local criticality of HMIs, workstations, and other devices that display environment-relevant industrial data.
Technical view
SOC and IR teams should validate monitoring around the related ATT&CK technique T0852: Screen Capture. Focus on systems that display ICS process, device, reporting, alarm, layout, control, or schematic information. Since MITRE does not specify platforms, tactics, or detection logic for this strategy, teams should map their own environment first, then confirm whether available endpoint, session, remote access, and application logs can show screenshot activity, suspicious capture tools, unusual access to display-rich systems, or capture attempts during remote sessions.
Likely telemetry
- Endpoint process execution and command-line telemetry where available
- Application and operating-system logs from HMIs, engineering workstations, operator workstations, and other display systems
- Remote access, interactive session, and jump-host logs for users accessing ICS displays
- File creation telemetry for image files or screen capture artifacts where collected
- User authentication and authorization logs tied to systems displaying process or alarm data
Detection direction
- Inventory systems that display sensitive ICS process, alarm, device, reporting, layout, control, or schematic information before writing detection logic.
- Validate whether telemetry can distinguish expected operator, engineering, training, or support activity from unusual capture behavior.
- Correlate screen capture indicators with interactive logons, remote access sessions, privileged accounts, and access to HMI or workstation assets.
- Tune carefully for false positives from legitimate documentation, troubleshooting, vendor support, and incident response activity.
- Document blind spots where endpoint monitoring is unavailable, unsupported, or inappropriate for operational technology systems.
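The detection direction above, sketched as an added example (not MITRE's or Glexia's own logic). It assumes image-file creation is collected as a proxy for screen capture, and every host name, account, field name and event below is constructed for illustration.

```python
from datetime import datetime

# Constructed inventory and policy data; every name below is hypothetical.
DISPLAY_ASSETS = {"hmi-01", "eng-ws-02", "hist-view-03"}  # systems that show process/alarm data
AUTHORIZED_CAPTURE = {("ops.trainer", "hmi-01")}          # approved documentation or support use
IMAGE_EXT = (".png", ".jpg", ".jpeg", ".bmp")

# Constructed sample telemetry (not real logs).
FILE_EVENTS = [
    {"time": "2025-03-04T02:14:00", "host": "hmi-01", "user": "vendor.svc", "path": r"C:\Temp\cap1.PNG"},
    {"time": "2025-03-04T09:30:00", "host": "hmi-01", "user": "ops.trainer", "path": r"C:\Training\alarms.png"},
    {"time": "2025-03-04T10:05:00", "host": "eng-ws-02", "user": "eng.lee", "path": r"C:\Temp\loop.jpg"},
    {"time": "2025-03-04T11:00:00", "host": "office-pc-9", "user": "vendor.svc", "path": r"C:\Temp\y.png"},
]
SESSIONS = [
    {"host": "hmi-01", "user": "vendor.svc", "remote": True, "start": "2025-03-04T02:00:00", "end": "2025-03-04T02:40:00"},
    {"host": "hmi-01", "user": "ops.trainer", "remote": False, "start": "2025-03-04T09:00:00", "end": "2025-03-04T10:00:00"},
    {"host": "eng-ws-02", "user": "eng.lee", "remote": False, "start": "2025-03-04T08:00:00", "end": "2025-03-04T17:00:00"},
]

def session_context(ev, sessions):
    """Classify the interactive session, if any, that covers a file event."""
    t = datetime.fromisoformat(ev["time"])
    for s in sessions:
        if (s["host"], s["user"]) != (ev["host"], ev["user"]):
            continue
        if datetime.fromisoformat(s["start"]) <= t <= datetime.fromisoformat(s["end"]):
            return "remote-session" if s["remote"] else "local-session"
    return "no-session"

def find_capture_candidates(file_events, sessions):
    """Image files created on inventoried display assets, minus authorized use."""
    findings = []
    for ev in file_events:
        if ev["host"] not in DISPLAY_ASSETS:
            continue  # inventory first: only display-rich systems are in scope
        if not ev["path"].lower().endswith(IMAGE_EXT):
            continue
        if (ev["user"], ev["host"]) in AUTHORIZED_CAPTURE:
            continue  # tuned out: approved activity
        findings.append((ev["host"], ev["user"], session_context(ev, sessions)))
    return findings

def telemetry_gaps(file_events):
    """Display assets that produced no file telemetry at all (possible blind spots)."""
    return sorted(DISPLAY_ASSETS - {ev["host"] for ev in file_events})

if __name__ == "__main__":
    print(find_capture_candidates(FILE_EVENTS, SESSIONS), telemetry_gaps(FILE_EVENTS))
```

A capture that is never written to disk produces no file event, so assets returned by `telemetry_gaps` and any capture path outside file telemetry belong in the documented blind spots.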
Mitigation priorities
- Prioritize access control and least privilege for systems that expose process, alarm, control, or schematic information.
- Review and govern remote access paths into ICS display environments, including approval, logging, and session accountability.
- Establish policy for authorized screen capture, documentation, vendor support, and evidence handling in control-system areas.
- Where operationally safe, improve logging and monitoring on systems that display sensitive ICS information.
- Include suspected screen capture of ICS displays in incident response playbooks, with guidance for preserving session, authentication, and file evidence.
Analyst notes and limits
The supplied ATT&CK object is a detection strategy with no official description, no official detection text, and no specified platforms or tactics. The only substantive context is its relationship to T0852 Screen Capture in the ICS domain and the related technique description about capturing workstations, HMIs, or other devices that display operationally relevant data.
This take does not assert active exploitation, attribution, affected products, or guaranteed detectability. Local architecture, logging capability, operational constraints, and authorized business processes determine what can be detected and how alerts should be tuned.
Detection of Screen Capture
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| ICS | T0852 | Screen Capture | This object detects Screen Capture. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 60814324579f… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack DET0751
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.