ITM is an open framework - Submit your contributions now.

Insider Threat Matrix™

  • ID: PR028.001
  • Created: 23rd June 2025
  • Updated: 23rd June 2025
  • Platforms: Windows, Linux, MacOS,
  • Contributor: The ITM Team

Capture via Screenshot

The subject uses built-in or third-party tools to capture screenshots of sensitive data displayed on the screen. This may include financial records, source code, client information, internal chat transcripts, access credentials, or proprietary interfaces. Screenshot capture is often used as a low-friction means of data retention or transfer, especially in environments where traditional download or export functions are blocked, monitored, or leave visible artifacts.

Detection

ID Name Description
DT129Snipping Tool Cached Screenshots

In Windows 11 the Snipping Tool utility, with default settings, saves screenshots to the %USER%\Pictures\Screenshots directory. The output directory can be changed in the Snipping Tool settings. These PNG files use the naming convention Screenshot YYYY-MM-DD HHMMSS.png, helping to identify when they were captured, alongside the Created and Modified timestamps. This artifact can potentially provide an insight into activities conducted by the subject, such as data exfiltration via screenshots.

DT130Snipping Tool TempState\Snips

In Windows 11 the Snipping Tool utility, when the “Automatically save original screenshots” setting is manually toggled to disabled, will continue to save screenshots to the %LOCALAPPDATA%\Packages\Microsoft.ScreenSketch_8wekyb3d8bbwe\TempState\Snips directory. This is a fallback artifact from DT129 Snipping Tool Cached Screenshots. These PNG files use the naming convention Screenshot YYYY-MM-DD HHMMSS.png, helping to identify when they were captured, alongside the Created and Modified timestamps. This artifact can potentially provide an insight into activities conducted by the subject, such as data exfiltration via screenshots.