detections
- ID: DT129
- Created: 23rd June 2025
- Updated: 28th June 2025
- Platform: Windows
- Contributor: The ITM Team
Snipping Tool Cached Screenshots
In Windows 11 the Snipping Tool utility, with default settings, saves screenshots to the %USER%\Pictures\Screenshots directory. The output directory can be changed in the Snipping Tool settings. These PNG files use the naming convention Screenshot YYYY-MM-DD HHMMSS.png, helping to identify when they were captured, alongside the Created and Modified timestamps. This artifact can potentially provide an insight into activities conducted by the subject, such as data exfiltration via screenshots.
Sections
| ID | Name | Description |
|---|---|---|
| ME011 | Screenshots and Screen Recording | A subject can take screenshots or record their screen on a device. |
| PR028 | On-Screen Data Collection | The subject captures or records visual data displayed on their screen, including screenshots and screen recordings to extract sensitive or proprietary information. These actions are typically performed prior to an exfiltration infringement and serve as a method of data collection.
It is often used in contexts where the subject either lacks download privileges, seeks to avoid triggering detection systems, or wishes to discreetly capture transient data (e.g., internal dashboards, chat transcripts, or system output not written to disk). |
| AF035 | Native Application Misuse | Native application misuse occurs when a subject uses applications, services, binaries, scripts, or administrative utilities already present on a corporate endpoint or server to support, conceal, or facilitate an infringement without introducing new software. This may include exploring built-in operating system/command line tools, approved productivity applications, scripting environments, messaging clients, compression utilities, remote access components, cloud storage integrations, or endpoint management features to identify capabilities that can be repurposed for unauthorized outcomes.
The anti-forensics significance of this behavior is that the subject’s activity may appear consistent with legitimate operational use. Unlike the installation of unauthorized tools or overt malware, native application misuse relies on capabilities that are already trusted, allowed, or commonly present in the environment. This can make it difficult for investigators to distinguish legitimate activity from illegitimate activity without strong context, baseline comparison, command-line visibility, file access history, and correlation with the subject’s role, timing, intent, and surrounding investigative indicators.
A subject may deliberately elect to use a more complicated or convoluted method to achieve an illegitimate outcome when that method relies on native applications or approved services. In these cases, the subject may avoid introducing external software even where doing so would make the task faster, simpler, or more technically effective. The investigative significance is that the inefficient method may itself be purposeful: by operating through trusted tools already present on the endpoint, the subject reduces the number of distinct control violations, avoids software-installation indicators, and makes the activity harder to separate from legitimate business use.
This behavior may contribute to or facilitate an infringement by allowing a subject to stage, compress, transfer, hide, rename, encode, delete, alter, or access data using tools that do not independently appear suspicious. It may also support behavioral drift where repeated minor misuse of approved tools becomes normalized within a team or population, reducing the organization’s ability to identify meaningful deviations from acceptable use.
Investigative RelevanceNative application misuse should be assessed in relation to the subject’s role, normal working patterns, endpoint baseline, approved business processes, and the sensitivity of the data involved. Investigators should avoid treating native tool execution as inherently suspicious. The investigative concern arises when the subject uses ordinary capabilities in unusual combinations, at unusual times, against unusual data, or in ways that produce outcomes inconsistent with their duties.
Investigators should consider whether the subject’s chosen method appears unnecessarily complex when compared with easier external tooling options. Where a subject uses native applications in a slower, more manual, or more indirect manner, that choice may indicate an intent to preserve plausible legitimacy, avoid detection associated with unauthorized software, or obscure the behavioral sequence required to prove intent.
Relevant case logic may include:
Example Behaviors
|
| PR028.001 | Capture via Screenshot | The subject uses built-in or third-party tools to capture screenshots of sensitive data displayed on the screen. This may include financial records, source code, client information, internal chat transcripts, access credentials, or proprietary interfaces. Screenshot capture is often used as a low-friction means of data retention or transfer, especially in environments where traditional download or export functions are blocked, monitored, or leave visible artifacts. |