Insider Threat Matrix™

  • ID: ME011
  • Created: 25th May 2024
  • Updated: 23rd June 2025
  • Platforms: Windows, Linux, macOS
  • Contributor: The ITM Team

Screenshots

A subject can take screenshots on a device.

Prevention

ID Name Description
PV001 No Ready System-Level Mitigation

This section cannot be readily mitigated at a system level with preventive controls since it is based on the abuse of fundamental features of the system.

Detection

ID Name Description
DT131 Snipping Tool Cached Recordings

In Windows 11 the Snipping Tool utility, with default settings, saves screen recordings to the %USER%\Videos\Screen Recordings directory. The output directory can be changed in the Snipping Tool settings. These MP4 files use the naming convention Screen Recording YYYY-MM-DD HHMMSS.mp4, helping to identify when they were captured, alongside the Created and Modified timestamps. This artifact can potentially provide an insight into activities conducted by the subject, such as data exfiltration via media capture.

DT129 Snipping Tool Cached Screenshots

In Windows 11 the Snipping Tool utility, with default settings, saves screenshots to the %USER%\Pictures\Screenshots directory. The output directory can be changed in the Snipping Tool settings. These PNG files use the naming convention Screenshot YYYY-MM-DD HHMMSS.png, helping to identify when they were captured, alongside the Created and Modified timestamps. This artifact can potentially provide an insight into activities conducted by the subject, such as data exfiltration via screenshots.

DT130 Snipping Tool TempState\Snips

In Windows 11 the Snipping Tool utility, when the “Automatically save original screenshots” setting is manually toggled to disabled, will continue to save screenshots to the %LOCALAPPDATA%\Packages\Microsoft.ScreenSketch_8wekyb3d8bbwe\TempState\Snips directory. This is a fallback artifact from DT129 Snipping Tool Cached Screenshots. These PNG files use the naming convention Screenshot YYYY-MM-DD HHMMSS.png, helping to identify when they were captured, alongside the Created and Modified timestamps. This artifact can potentially provide an insight into activities conducted by the subject, such as data exfiltration via screenshots.
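The three detections above can be combined into one triage pass over a file listing taken from an endpoint. The following is an added example, not ITM's own tooling: it maps each path to DT129, DT130 or DT131, parses the capture time embedded in the file name, and compares it with the Created timestamp. The function names, the NON-DEFAULT-DIR label, the two-minute tolerance and the sample listing (user "jdoe") are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# detection ID -> (default directory tail, file name prefix, extension), as listed above
ARTIFACTS = {
    "DT131": (r"\Videos\Screen Recordings", "Screen Recording", ".mp4"),
    "DT129": (r"\Pictures\Screenshots", "Screenshot", ".png"),
    "DT130": (r"\Packages\Microsoft.ScreenSketch_8wekyb3d8bbwe\TempState\Snips", "Screenshot", ".png"),
}
NAME = re.compile(r"^(Screen Recording|Screenshot) (\d{4}-\d{2}-\d{2} \d{6})$")
KINDS = {(prefix, ext) for _, prefix, ext in ARTIFACTS.values()}

def classify(path):
    """Return (detection ID, capture time parsed from the name), or None if no match."""
    p = PureWindowsPath(path)
    m = NAME.match(p.stem)
    if not m or (m.group(1), p.suffix.lower()) not in KINDS:
        return None
    try:
        captured = datetime.strptime(m.group(2), "%Y-%m-%d %H%M%S")
    except ValueError:  # digits that do not form a real date/time
        return None
    parent = str(p.parent).lower()
    for det, (tail, prefix, _) in ARTIFACTS.items():
        if prefix == m.group(1) and parent.endswith(tail.lower()):
            return det, captured
    # Name fits but the folder does not: the output directory can be changed in settings.
    return "NON-DEFAULT-DIR", captured

def timeline(listing, tolerance=timedelta(minutes=2)):
    """listing: (path, Created timestamp) pairs -> rows sorted by capture time.
    Row = (captured, detection, name/Created gap above tolerance?, path)."""
    rows = []
    for path, created in listing:
        hit = classify(path)
        if hit:
            rows.append((hit[1], hit[0], abs(created - hit[1]) > tolerance, path))
    return sorted(rows)

# Constructed sample listing: user "jdoe", paths and timestamps are made up.
U = r"C:\Users\jdoe"
SAMPLE = [
    (U + r"\Videos\Screen Recordings\Screen Recording 2025-06-02 091530.mp4", datetime(2025, 6, 2, 9, 15, 31)),
    (U + r"\Pictures\Screenshots\Screenshot 2025-06-01 141502.png", datetime(2025, 6, 1, 14, 15, 2)),
    (U + r"\AppData\Local\Packages\Microsoft.ScreenSketch_8wekyb3d8bbwe\TempState\Snips\Screenshot 2025-06-01 142210.png", datetime(2025, 6, 1, 14, 22, 10)),
    (r"D:\Staging\Screenshot 2025-06-01 143000.png", datetime(2025, 6, 3, 8, 0, 0)),
]
```

A row flagged for a name/Created gap, or labelled NON-DEFAULT-DIR, is a prompt for closer review of that file, not a finding in itself.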