
Insider Threat Matrix™

  • ID: DT131
  • Created: 23rd June 2025
  • Updated: 23rd June 2025
  • Platform: Windows
  • Contributor: The ITM Team

Snipping Tool Cached Recordings

In Windows 11, the Snipping Tool utility with default settings saves screen recordings to the %USER%\Videos\Screen Recordings directory. The output directory can be changed in the Snipping Tool settings. These MP4 files use the naming convention Screen Recording YYYY-MM-DD HHMMSS.mp4, which helps to identify when they were captured, alongside the Created and Modified timestamps. This artifact can provide insight into activities conducted by the subject, such as data exfiltration via media capture.
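As an added example (not part of the ITM entry), the following Python triage script applies the artifact description above: it parses the Screen Recording YYYY-MM-DD HHMMSS.mp4 naming convention, checks the encoded time against the Created and Modified timestamps, and can enumerate the default output directory on a live host. The five-minute tolerance, the treatment of the filename timestamp as local time, and the constructed sample records are assumptions made for illustration; the "Modified earlier than Created" rule relies on the NTFS behaviour that a copied file receives a fresh Created time while keeping its Modified time.

```python
"""Triage Windows 11 Snipping Tool screen recordings (added example, not ITM code)."""
import re
from datetime import datetime, timedelta
from pathlib import Path

# Naming convention stated on the page: "Screen Recording YYYY-MM-DD HHMMSS.mp4".
NAME_RE = re.compile(
    r"^Screen Recording (\d{4})-(\d{2})-(\d{2}) (\d{2})(\d{2})(\d{2})\.mp4$",
    re.IGNORECASE,
)

# Assumption: the timestamp in the name is local time and should agree with the
# Created time within this window; larger gaps warrant a closer look.
TOLERANCE = timedelta(minutes=5)


def default_dir() -> Path:
    """Default output directory from the page (%USER%\\Videos\\Screen Recordings).
    The location is configurable in Snipping Tool settings, so scan() can also be
    pointed at the whole profile with recursive=True."""
    return Path.home() / "Videos" / "Screen Recordings"


def parse_capture_time(name: str):
    """Capture time encoded in the filename (naive local time), or None."""
    m = NAME_RE.match(name)
    if not m:
        return None
    y, mo, d, hh, mm, ss = (int(g) for g in m.groups())
    try:
        return datetime(y, mo, d, hh, mm, ss)
    except ValueError:  # matches the pattern but is not a real date/time
        return None


def assess(name: str, created: datetime, modified: datetime) -> list:
    """Compare the filename timestamp with the Created/Modified timestamps.
    Returns finding codes; an empty list means the three sources agree."""
    capture = parse_capture_time(name)
    if capture is None:
        return ["NOT_SNIPPING_TOOL_NAME"]
    findings = []
    # A copied file gets a fresh Created time but keeps its Modified time, so
    # Modified earlier than Created suggests the file was copied in from
    # elsewhere (or that timestamps were altered).
    if modified < created:
        findings.append("MODIFIED_BEFORE_CREATED")
    if abs(created - capture) > TOLERANCE:
        findings.append("CREATED_DIFFERS_FROM_NAME")
    return findings


def triage(records) -> dict:
    """records: iterable of (name, created, modified). Returns {name: findings}."""
    return {name: assess(name, c, m) for name, c, m in records}


def scan(root: Path = None, recursive: bool = False) -> list:
    """Collect (name, created, modified) for recordings under root on a live host."""
    root = root or default_dir()
    if not root.is_dir():
        return []
    files = root.rglob("*.mp4") if recursive else root.glob("*.mp4")
    out = []
    for p in files:
        if not NAME_RE.match(p.name):
            continue
        st = p.stat()
        # st_birthtime is the creation time where available; on Windows
        # st_ctime is the creation time as well.
        created = datetime.fromtimestamp(getattr(st, "st_birthtime", st.st_ctime))
        modified = datetime.fromtimestamp(st.st_mtime)
        out.append((p.name, created, modified))
    return sorted(out, key=lambda r: parse_capture_time(r[0]) or datetime.min)


# Constructed sample metadata standing in for a live scan (not real evidence).
CONSTRUCTED_RECORDS = [
    # consistent: Created seconds after the name's timestamp, Modified later
    ("Screen Recording 2025-06-23 141503.mp4",
     datetime(2025, 6, 23, 14, 15, 5), datetime(2025, 6, 23, 14, 21, 40)),
    # copied in from another device: Created is newer than Modified
    ("Screen Recording 2025-06-20 091200.mp4",
     datetime(2025, 6, 23, 16, 2, 0), datetime(2025, 6, 20, 9, 18, 12)),
    # unrelated video saved in the same folder
    ("holiday.mp4",
     datetime(2025, 6, 1, 12, 0, 0), datetime(2025, 6, 1, 12, 0, 0)),
]


if __name__ == "__main__":
    for name, findings in triage(CONSTRUCTED_RECORDS).items():
        print(f"{name}: {findings or 'consistent'}")
    for name, created, modified in scan():
        print(name, created, modified, assess(name, created, modified))
```

Running the script prints the triage of the constructed records and then, on a Windows host, whatever is present in the default directory; pass `scan(Path.home(), recursive=True)` to catch recordings whose output directory was changed in the Snipping Tool settings. Timestamps read from a live file system are only a starting point: for a case that matters, confirm them against the $MFT $STANDARD_INFORMATION and $FILE_NAME attributes rather than the values returned by the operating system.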

Sections (ID, name, description)

ME011 Screenshots

A subject can take screenshots on a device.

PR028 On-Screen Data Collection

The subject captures or records visual data displayed on their screen, including screenshots and screen recordings, to extract sensitive or proprietary information. These actions are typically performed prior to an exfiltration infringement and serve as a method of data collection.

It is often used in contexts where the subject either lacks download privileges, seeks to avoid triggering detection systems, or wishes to discreetly capture transient data (e.g., internal dashboards, chat transcripts, or system output not written to disk).

IF024 Exfiltration via Screen Sharing

The subject transmits live on-screen content to an unauthorized third party using screen sharing, livestreaming, or remote presentation tools. This method of exfiltration enables real-time viewing of sensitive data, systems, or processes without leaving traditional file transfer artifacts. It is often used to bypass content filtering, download restrictions, or endpoint data loss prevention controls.


Exfiltration via screen sharing may be conducted using legitimate collaboration platforms (e.g., Zoom, Microsoft Teams, Google Meet) or dedicated remote control tools (e.g., TeamViewer, AnyDesk, Parsec), particularly when configured for unattended sessions. Some subjects use streaming platforms (e.g., YouTube Live, Twitch) in unlisted or private modes to transmit content discreetly to an external audience.


This technique allows the subject to expose proprietary information, such as internal dashboards, code repositories, chat transcripts, or system configurations, without moving files or altering access logs. It is particularly effective in highly restricted environments where data cannot be copied, downloaded, or printed.

Depending on the tool and configuration used, these sessions may be difficult to detect in real time, especially if screen sharing is permitted within the organization's broader productivity context.

PR028.002 Capture via Screen Recording

The subject initiates a screen recording session to continuously capture visual activity on their workstation. Unlike isolated screenshots, screen recordings provide a persistent visual record that may include system navigation, data access patterns, command execution, or user interactions with sensitive tools and content.


Screen recordings are commonly used to circumvent restrictions on file downloads, printing, or copy-paste functionality. They allow subjects to preserve dynamic content, such as chat conversations and video meetings, that may not be available later or that is heavily monitored in other forms. The resulting files are often compressed and exported in standard formats (e.g., .mp4, .mov) and may be exfiltrated at a later time.


Subjects may use operating system–native tools (e.g., Xbox Game Bar on Windows, QuickTime on macOS) or third-party utilities (e.g., OBS Studio, Snagit, Loom) to conduct these recordings. Because many of these tools are not considered malicious, their use may not be flagged unless specifically configured for detection.