Screenshots

This section cannot be readily mitigated at a system level with preventive controls since it is based on the abuse of fundamental features of the system.

In Windows 11 the Snipping Tool utility, with default settings, saves screen recordings to the %USER%\Videos\Screen Recordings directory. The output directory can be changed in the Snipping Tool settings. These MP4 files use the naming convention Screen Recording YYYY-MM-DD HHMMSS.mp4, helping to identify when they were captured, alongside the Created and Modified timestamps. This artifact can potentially provide an insight into activities conducted by the subject, such as data exfiltration via media capture.

In Windows 11 the Snipping Tool utility, with default settings, saves screenshots to the %USER%\Pictures\Screenshots directory. The output directory can be changed in the Snipping Tool settings. These PNG files use the naming convention Screenshot YYYY-MM-DD HHMMSS.png, helping to identify when they were captured, alongside the Created and Modified timestamps. This artifact can potentially provide an insight into activities conducted by the subject, such as data exfiltration via screenshots.

In Windows 11 the Snipping Tool utility, when the “Automatically save original screenshots” setting is manually toggled to disabled, will continue to save screenshots to the %LOCALAPPDATA%\Packages\Microsoft.ScreenSketch_8wekyb3d8bbwe\TempState\Snips directory. This is a fallback artifact from DT129 Snipping Tool Cached Screenshots. These PNG files use the naming convention Screenshot YYYY-MM-DD HHMMSS.png, helping to identify when they were captured, alongside the Created and Modified timestamps. This artifact can potentially provide an insight into activities conducted by the subject, such as data exfiltration via screenshots.