2024-10-15 // Dylan Evans
High Volume Screenshot Activity Detection
Defender XDR
Detects unusual screenshot activity on a device, potentially indicating malicious behavior or excessive legitimate use.
Overview
This detection identifies devices with an unusually high number of screenshot-related activities, which could indicate malicious screen capture techniques or excessive legitimate use. The query aggregates screenshot events across a 24-hour window and flags devices exceeding a configurable threshold.
Query
let TimeWindow = 24h; // Adjust lookback time
let ScreenshotThreshold = 7; // Adjust based on environment
DeviceEvents
| where Timestamp >= ago(TimeWindow)
| where ActionType in ("ScreenshotTaken", "FileCreated")
// Look for screenshot-related API calls and file creations
// (the ActionType filter above already limits rows to those two event types, so the
// command-line clause can only add FileCreated events whose command line names a capture API)
| where (ActionType == "ScreenshotTaken")
    or (ActionType == "FileCreated" and (FileName endswith ".png" or FileName endswith ".jpg"
        or FileName endswith ".jpeg" or FileName endswith ".bmp" or FileName endswith ".gif"
        or FileName endswith ".tiff"))
    or (ProcessCommandLine contains "BitBlt" or ProcessCommandLine contains "GetDC"
        or ProcessCommandLine contains "CreateCompatibleDC" or ProcessCommandLine contains "GetWindowDC"
        or ProcessCommandLine contains "PrintWindow" or ProcessCommandLine contains "ScreenCapture"
        or ProcessCommandLine contains "CopyFromScreen" or ProcessCommandLine contains "Graphics.CopyFromScreen")
// Normalise the initiating process to its lowercase file name (last path component)
| extend Processes = tolower(tostring(split(InitiatingProcessFileName, "\\")[-1]))
// Aggregate screenshot events per device
| summarize TotalScreenshots = count(), Processes = make_set(Processes), NoOfUniqueProcesses = dcount(Processes), CommandLines = make_set(InitiatingProcessCommandLine, 10), FirstActivity = min(Timestamp), LastActivity = max(Timestamp) by DeviceId, DeviceName
// Apply threshold based on total screenshots per device
| where TotalScreenshots >= ScreenshotThreshold
// Calculate screenshot density per hour; the +1 avoids division by zero when all events fall within a single hour
| extend ScreenshotsPerHour = todouble(TotalScreenshots) / todouble(datetime_diff('hour', LastActivity, FirstActivity) + 1)
// Output focused on device-level screenshot analysis
| project DeviceName, DeviceId, TotalScreenshots, ScreenshotsPerHour, NoOfUniqueProcesses, Processes, CommandLines, FirstActivity, LastActivity
| order by TotalScreenshots desc
Logic Explanation
The query filters DeviceEvents for actions related to screenshots (ScreenshotTaken) or file creations with image extensions (.png, .jpg, etc.). It also checks for suspicious process command lines containing common screen capture API calls. The data is aggregated by DeviceId and DeviceName, counting total screenshot events per device. If a device exceeds the threshold (ScreenshotThreshold), it calculates hourly screenshot density and projects key metrics like unique processes, command lines, and timestamps.
Tuning Notes
- Legitimate use cases: Some users may take multiple screenshots daily (e.g., documentation, tutorials). Adjust ScreenshotThreshold based on expected baseline activity.
  - Suggestion: Start with a conservative threshold (e.g., 5) for initial testing in non-production environments.
- False positives from known processes: Certain legitimate apps (e.g., screen recording tools) may trigger command-line matches. Exclude common benign processes via Processes filtering if needed.
  - Suggestion: Add a whitelist of expected processes to refine results.
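As an added example (not part of the original rule), the following Python reference implementation replays the Logic Explanation above over constructed sample rows so the threshold, the per-hour density calculation and the Tuning Notes' benign-process exclusion can be checked offline before the KQL is deployed. The field names mirror DeviceEvents; the sample events, the fixed NOW timestamp and the allowlist parameter are assumptions, and the exclusion is applied per event before aggregation rather than on the Processes set after it.

```python
from collections import defaultdict
from datetime import datetime, timedelta

IMAGE_EXTS = (".png", ".jpg", ".jpeg", ".bmp", ".gif", ".tiff")   # as in the query
API_MARKERS = ("bitblt", "getdc", "createcompatibledc", "getwindowdc",
               "printwindow", "screencapture", "copyfromscreen")   # matched case-insensitively
NOW = datetime(2024, 10, 15, 12, 0, 0)   # fixed "query time" for the constructed sample

def ev(hours_ago, dev, action, fname="", proc="explorer.exe", cmd=""):   # constructed row
    return {"Timestamp": NOW - timedelta(hours=hours_ago), "DeviceId": dev[0],
            "DeviceName": dev[1], "ActionType": action, "FileName": fname,
            "InitiatingProcessFileName": "C:\\Windows\\System32\\" + proc,
            "ProcessCommandLine": cmd}
DEV_A, DEV_B, DEV_C = ("dev-a", "WS-A"), ("dev-b", "WS-B"), ("dev-c", "WS-C")
SAMPLE_EVENTS = (   # constructed sample telemetry, not real DeviceEvents data
    [ev(h, DEV_A, "ScreenshotTaken", proc="unknown.exe") for h in range(1, 9)]
    + [ev(2, DEV_A, "FileCreated", "cap.png", "unknown.exe"),
       ev(3, DEV_A, "FileCreated", "out.txt", "powershell.exe",
          cmd="powershell -c [System.Drawing.Graphics]::CopyFromScreen")]  # hit via API name
    + [ev(h, DEV_B, "ScreenshotTaken") for h in range(1, 4)] + [ev(30, DEV_B, "ScreenshotTaken")]
    + [ev(h, DEV_C, "FileCreated", "shot.jpg", "greenshot.exe") for h in range(1, 10)]
)
def is_screenshot_event(e):   # same predicate as the query's two `where` clauses
    if e["ActionType"] not in ("ScreenshotTaken", "FileCreated"):
        return False
    cmd = e["ProcessCommandLine"].lower()
    return (e["ActionType"] == "ScreenshotTaken"
            or e["FileName"].lower().endswith(IMAGE_EXTS)
            or any(m in cmd for m in API_MARKERS))
def detect(events, threshold=7, window=timedelta(hours=24), now=NOW, allowlist=()):
    per_device = defaultdict(list)   # (DeviceId, DeviceName) -> [(Timestamp, process name)]
    for e in events:
        if e["Timestamp"] < now - window or not is_screenshot_event(e):
            continue
        proc = e["InitiatingProcessFileName"].rsplit("\\", 1)[-1].lower()
        if proc not in allowlist:   # Tuning Notes: drop known-benign capture tools
            per_device[(e["DeviceId"], e["DeviceName"])].append((e["Timestamp"], proc))
    hits = []
    for (dev_id, dev_name), rows in per_device.items():
        if len(rows) < threshold:
            continue
        first, last = min(r[0] for r in rows), max(r[0] for r in rows)
        # datetime_diff('hour') counts hour boundaries crossed; +1 avoids a zero divisor
        hours = int((last.replace(minute=0, second=0) - first.replace(minute=0, second=0))
                    .total_seconds() // 3600) + 1
        procs = sorted({r[1] for r in rows})
        hits.append({"DeviceName": dev_name, "DeviceId": dev_id, "TotalScreenshots": len(rows),
                     "ScreenshotsPerHour": len(rows) / hours, "NoOfUniqueProcesses": len(procs),
                     "Processes": procs, "FirstActivity": first, "LastActivity": last})
    return sorted(hits, key=lambda h: h["TotalScreenshots"], reverse=True)
```

Running `detect(SAMPLE_EVENTS)` flags WS-A (10 events, two processes) and WS-C (9 events from greenshot.exe); passing `allowlist=("greenshot.exe",)` leaves only WS-A, which is the false-positive reduction the Tuning Notes describe.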
References
- Microsoft Docs: Screenshot API Functions (for GetDC, PrintWindow).
- Common malicious screen capture techniques documented in MITRE ATT&CK under Persistence and Data Destruction.