ITM is an open framework - Submit your contributions now.

Insider Threat Matrix™

  • ID: PR028.002
  • Created: 23rd June 2025
  • Updated: 09th July 2025
  • Platforms: Windows, Linux, MacOS,
  • Contributor: The ITM Team

Capture via Screen Recording

The subject initiates a screen recording session to continuously capture visual activity on their workstation. Unlike isolated screenshots, screen recordings provide a persistent visual record that may include system navigation, data access patterns, command execution, or user interactions with sensitive tools and content.

 

Screen recordings are commonly used to circumvent restrictions on file downloads, printing, or copy-paste functionality. They allow subjects to preserve dynamic content, such as chat conversations and video meetings, that may not be available later or that are heavily monitored in other forms. The resulting files are often compressed and exported in standard formats (e.g., .mp4, .mov) and may be exfiltrated at a later time.

 

Subjects may use operating system–native tools (e.g., Xbox Game Bar on Windows, QuickTime on macOS) or third-party utilities (e.g., OBS Studio, Snagit, Loom) to conduct these recordings. Because many of these tools are not considered malicious, their use may not be flagged unless specifically configured for detection.

Prevention

ID Name Description
PV015Application Whitelisting

By only allowing pre-approved software to be installed and run on corporate devices, the subject is unable to install software themselves.

PV061Disable Snipping Tool, Group Policy

Group Policy can be used to prevent the Snipping Tool from running on a Windows system.

 

User Configuration > Administrative Templates > Windows Components > Tablet PC > Accessories then enable “Do not allow Snipping Tool to run”.

Detection

ID Name Description
DT133Snipping Tool Autosave Setting Modification

Settings data for Snipping Tool on Windows 11 is stored in a registry hive file located at C:\Users\JBeam\AppData\Local\Packages\Microsoft.ScreenSketch_8wekyb3d8bbwe\Settings\Settings.dat. Using a tool such as Registry Explorer, investigators can load this registry hive and review the contents. The value of two settings can help determine whether the subject has disabled automatic saving of screenshots (snips) or screen recordings: AutoSaveCaptures and AutoSaveScreenRecordings.

 

A value beginning with F0-FF-FF-FF-00 means this setting is disabled

A value beginning with F0-FF-FF-FF-01 means this setting is enabled

DT131Snipping Tool Cached Recordings

In Windows 11 the Snipping Tool utility, with default settings, saves screen recordings to the %USER%\Videos\Screen Recordings directory. The output directory can be changed in the Snipping Tool settings. These MP4 files use the naming convention Screen Recording YYYY-MM-DD HHMMSS.mp4, helping to identify when they were captured, alongside the Created and Modified timestamps. This artifact can potentially provide an insight into activities conducted by the subject, such as data exfiltration via media capture.

DT132Snipping Tool TempState\Recordings

In Windows 11 the Snipping Tool utility, when the “Automatically save original screen recordings” setting is manually toggled to disabled, will continue to save recordings to the %USER%\AppData\Local\Packages\Microsoft.ScreenSketch_8wekyb3d8bbwe\TempState\Recordings directory. This is a fallback artifact from DT131 Snipping Tool Cached Recordings. This artifact can potentially provide an insight into activities conducted by the subject, such as data exfiltration via screen recordings.