Synopsis
| Activation Period | 14 Days |
| Training Period | 30 Days |
| Test Period | N/A (single event) |
| Deduplication Period | 1 Day |
| Required Data | |
| Detection Modules | |
| Detector Tags | |
| ATT&CK Tactic | |
| ATT&CK Technique | |
| Severity | Medium |
Description
Windows Problem Steps Recorder (psr.exe) can record the screen and mouse clicks. Adversaries may abuse psr.exe to create screen captures and collect them afterward.
Attacker's Goals
Evading security controls and collecting screen captures of the desktop.
Investigative actions
- Check the causality of the execution and whether the TSS script (Microsoft Troubleshooting Script) was executed.
- Check whether the output parameters in the command line were executed by the user.
- Check whether the parent process is known in the organization as a support tool.
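
The three checks above can be applied to process-creation events in one pass. This is an added example, not part of the original detector: the event field names, the `helpdesk_agent.exe` allowlist entry, the `TSS.ps1` match and the verdict labels are assumptions, and the sample events are constructed.

```python
import re

# Assumption: parent images this organization treats as support tooling (hypothetical name).
KNOWN_SUPPORT_PARENTS = {"helpdesk_agent.exe"}
# psr.exe /output takes a quoted or an unquoted path.
OUTPUT_RE = re.compile(r'/output\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)
# Assumption: the TSS toolset appears in the causality chain as TSS.ps1.
TSS_RE = re.compile(r"\btss\.ps1\b", re.IGNORECASE)

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def triage(event):
    """Apply the three investigative checks to one process-creation event."""
    if basename(event["image"]) != "psr.exe":
        return None  # not a Problem Steps Recorder execution
    m = OUTPUT_RE.search(event["cmdline"])
    output = (m.group(1) or m.group(2)) if m else None
    tss = any(TSS_RE.search(c) for c in event["causality"])
    known_parent = basename(event["parent_image"]) in KNOWN_SUPPORT_PARENTS
    if tss or known_parent:
        verdict = "support_context"      # explained by TSS or a known support tool
    elif output:
        verdict = "investigate"          # capture written to disk, no support context
    else:
        verdict = "no_output_parameter"  # no /output on the command line
    return {"verdict": verdict, "output": output,
            "tss": tss, "known_parent": known_parent}

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\psr.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"psr.exe /start /output C:\Users\Public\steps.zip",
     "causality": [r"cmd.exe /c run.bat"]},
    {"image": r"C:\Windows\System32\psr.exe", "parent_image": r"C:\Windows\System32\powershell.exe",
     "cmdline": r'psr.exe /start /output "C:\MS_DATA\psr report.zip"',
     "causality": [r"powershell.exe -File C:\TSS\TSS.ps1"]},
    {"image": r"C:\Windows\System32\psr.exe", "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "psr.exe", "causality": ["explorer.exe"]},
    {"image": r"C:\Windows\System32\notepad.exe", "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "notepad.exe", "causality": ["explorer.exe"]},
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(basename(e["image"]), triage(e))
```
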