rule:
meta:
name: capture screenshot in Go
namespace: collection/screenshot
authors:
- joakim@intezer.com
description: Detects screenshot capability via WinAPI for Go files.
scopes:
static: file
dynamic: file
att&ck:
- Collection::Screen Capture [T1113]
mbc:
- Collection::Screen Capture::WinAPI [E1113.m01]
features:
- and:
- match: compiled with Go
- and:
- string: "syscall.NewLazyDLL"
description: Dynamic loading of DLLs
- or:
- and:
- substring: "user32.dll"
- or:
- substring: "GetWindowDC"
- substring: "GetDC"
- and:
- substring: "gdi32.dll"
- or:
- substring: "BitBlt"
- substring: "GetDIBits"
- substring: "CreateCompatibleDC"
last edited: 2023-11-24 10:34:28