IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
PowerShell Script with Webcam Video Capture Capabilities
editPowerShell Script with Webcam Video Capture Capabilities
editDetects PowerShell scripts that can be used to record webcam video. Attackers can capture this information to extort or spy on victims.
Rule type: query
Rule indices:
- winlogbeat-*
- logs-windows.powershell*
Severity: medium
Risk score: 47
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
References:
Tags:
- Domain: Endpoint
- OS: Windows
- Use Case: Threat Detection
- Tactic: Collection
- Data Source: PowerShell Logs
Version: 4
Rule authors:
- Elastic
Rule license: Elastic License v2
Setup
editSetup
The PowerShell Script Block Logging logging policy must be enabled. Steps to implement the logging policy with Advanced Audit Configuration:
Computer Configuration > Administrative Templates > Windows PowerShell > Turn on PowerShell Script Block Logging (Enable)
Steps to implement the logging policy via registry:
reg add "hklm\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1
Rule query
editevent.category:process and host.os.type:windows and powershell.file.script_block_text : ( "NewFrameEventHandler" or "VideoCaptureDevice" or "DirectX.Capture.Filters" or "VideoCompressors" or "Start-WebcamRecorder" or ( ("capCreateCaptureWindowA" or "capCreateCaptureWindow" or "capGetDriverDescription") and ("avicap32.dll" or "avicap32") ) )
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Collection
- ID: TA0009
- Reference URL: https://attack.mitre.org/tactics/TA0009/
-
Technique:
- Name: Video Capture
- ID: T1125
- Reference URL: https://attack.mitre.org/techniques/T1125/
-
Tactic:
- Name: Execution
- ID: TA0002
- Reference URL: https://attack.mitre.org/tactics/TA0002/
-
Technique:
- Name: Command and Scripting Interpreter
- ID: T1059
- Reference URL: https://attack.mitre.org/techniques/T1059/
-
Sub-technique:
- Name: PowerShell
- ID: T1059.001
- Reference URL: https://attack.mitre.org/techniques/T1059/001/