Preparation
Archive Data
Boot Order Manipulation
CCTV Enumeration
Circumventing Security Controls
Data Obfuscation
Data Staging
Device Mounting
Email Collection
External Media Formatting
File Download
File Exploration
Impersonation
Increase Privileges
IT Ticketing System Exploration
Network Scanning
On-Screen Data Collection
Physical Disk Removal
Physical Exploration
Physical Item Smuggling
Private / Incognito Browsing
Read Windows Registry
Remote Desktop (RDP)
Security Software Enumeration
Social Engineering (Outbound)
Software Installation
- Installation of Dark Web-Capable Browsers
- Installing Browser Extensions
- Installing Browsers
- Installing Cloud Storage Applications
- Installing FTP Clients
- Installing Messenger Applications
- Installing Note-Taking Applications
- Installing RDP Clients
- Installing Screen Sharing Software
- Installing SSH Clients
- Installing Virtual Machines
- Installing VPN Applications
Software or Access Request
Suspicious Web Browsing
Testing Ability to Print
- ID: PR028
- Created: 23rd June 2025
- Updated: 23rd June 2025
- Platforms: Windows, Linux, MacOS,
- Contributor: The ITM Team
On-Screen Data Collection
The subject captures or records visual data displayed on their screen, including screenshots and screen recordings to extract sensitive or proprietary information. These actions are typically performed prior to an exfiltration infringement and serve as a method of data collection.
It is often used in contexts where the subject either lacks download privileges, seeks to avoid triggering detection systems, or wishes to discreetly capture transient data (e.g., internal dashboards, chat transcripts, or system output not written to disk).
Subsections
| ID | Name | Description |
|---|---|---|
| PR028.002 | Capture via Screen Recording | The subject initiates a screen recording session to continuously capture visual activity on their workstation. Unlike isolated screenshots, screen recordings provide a persistent visual record that may include system navigation, data access patterns, command execution, or user interactions with sensitive tools and content.
Screen recordings are commonly used to circumvent restrictions on file downloads, printing, or copy-paste functionality. They allow subjects to preserve dynamic content, such as chat conversations and video meetings, that may not be available later or that are heavily monitored in other forms. The resulting files are often compressed and exported in standard formats (e.g., .mp4, .mov) and may be exfiltrated at a later time.
Subjects may use operating system–native tools (e.g., Xbox Game Bar on Windows, QuickTime on macOS) or third-party utilities (e.g., OBS Studio, Snagit, Loom) to conduct these recordings. Because many of these tools are not considered malicious, their use may not be flagged unless specifically configured for detection. |
| PR028.001 | Capture via Screenshot | The subject uses built-in or third-party tools to capture screenshots of sensitive data displayed on the screen. This may include financial records, source code, client information, internal chat transcripts, access credentials, or proprietary interfaces. Screenshot capture is often used as a low-friction means of data retention or transfer, especially in environments where traditional download or export functions are blocked, monitored, or leave visible artifacts. |
Detection
| ID | Name | Description |
|---|---|---|
| DT131 | Snipping Tool Cached Recordings | In Windows 11 the Snipping Tool utility, with default settings, saves screen recordings to the |
| DT129 | Snipping Tool Cached Screenshots | In Windows 11 the Snipping Tool utility, with default settings, saves screenshots to the |
| DT130 | Snipping Tool TempState\Snips | In Windows 11 the Snipping Tool utility, when the “Automatically save original screenshots” setting is manually toggled to disabled, will continue to save screenshots to the |