Preparation

ID: PR028.001
Created: 23rd June 2025
Updated: 09th July 2025
Platforms: Windows, Linux, MacOS,
Contributor: The ITM Team

Capture via Screenshot

The subject uses built-in or third-party tools to capture screenshots of sensitive data displayed on the screen. This may include financial records, source code, client information, internal chat transcripts, access credentials, or proprietary interfaces. Screenshot capture is often used as a low-friction means of data retention or transfer, especially in environments where traditional download or export functions are blocked, monitored, or leave visible artifacts.

Prevention

ID	Name	Description
PV015	Application Whitelisting	By only allowing pre-approved software to be installed and run on corporate devices, the subject is unable to install software themselves.
PV061	Disable Snipping Tool, Group Policy	Group Policy can be used to prevent the Snipping Tool from running on a Windows system. `User Configuration > Administrative Templates > Windows Components > Tablet PC > Accessories` then enable “Do not allow Snipping Tool to run”.

Detection

ID	Name	Description
DT133	Snipping Tool Autosave Setting Modification	Settings data for Snipping Tool on Windows 11 is stored in a registry hive file located at `C:\Users\JBeam\AppData\Local\Packages\Microsoft.ScreenSketch_8wekyb3d8bbwe\Settings\Settings.dat`. Using a tool such as Registry Explorer, investigators can load this registry hive and review the contents. The value of two settings can help determine whether the subject has disabled automatic saving of screenshots (snips) or screen recordings: `AutoSaveCaptures` and `AutoSaveScreenRecordings`. A value beginning with `F0-FF-FF-FF-00` means this setting is disabled Automatic saving is off, use the fallback artifacts Snipping Tool TempState\Snips and Snipping Tool TempState\Recordings. A value beginning with `F0-FF-FF-FF-01` means this setting is enabled Automatic saving is on, which is the default behaviour, use the primary artifacts Snipping Tool Cached Screenshots and Snipping Tool Cached Recordings.
DT129	Snipping Tool Cached Screenshots	In Windows 11 the Snipping Tool utility, with default settings, saves screenshots to the `%USER%\Pictures\Screenshots` directory. The output directory can be changed in the Snipping Tool settings. These PNG files use the naming convention `Screenshot YYYY-MM-DD HHMMSS.png`, helping to identify when they were captured, alongside the Created and Modified timestamps. This artifact can potentially provide an insight into activities conducted by the subject, such as data exfiltration via screenshots.
DT130	Snipping Tool TempState\Snips	In Windows 11 the Snipping Tool utility, when the “Automatically save original screenshots” setting is manually toggled to disabled, will continue to save screenshots to the `%USER%\AppData\Local\Packages\Microsoft.ScreenSketch_8wekyb3d8bbwe\TempState\Snips` directory. This is a fallback artifact from DT129 Snipping Tool Cached Screenshots. These PNG files use the naming convention `Screenshot YYYY-MM-DD HHMMSS.png`, helping to identify when they were captured, alongside the Created and Modified timestamps. This artifact can potentially provide an insight into activities conducted by the subject, such as data exfiltration via screenshots.

Insider Threat Matrix™

Preparation

Archive Data

Boot Order Manipulation

CCTV Enumeration

Circumventing Security Controls

Data Obfuscation

Data Staging

Device Mounting

Email Collection

External Media Formatting

File Download

File Exploration

Impersonation

Increase Privileges

IT Ticketing System Exploration

Network Scanning

On-Screen Data Collection

Physical Disk Removal

Physical Exploration

Physical Item Smuggling

Private / Incognito Browsing

Read Windows Registry

Remote Desktop (RDP)

Security Software Enumeration

Social Engineering (Outbound)

Software Installation

Software or Access Request

Suspicious Web Browsing

Testing Ability to Print

Capture via Screenshot

Prevention

Detection