IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

« PowerShell Suspicious Script with Screenshot Capabilities Encrypting Files with WinRar or 7z »

› ›

PowerShell Script with Webcam Video Capture Capabilities

edit

PowerShell Script with Webcam Video Capture Capabilities

edit

Detects PowerShell scripts that can be used to record webcam video. Attackers can capture this information to extort or spy on victims.

Rule type: query

Rule indices:

winlogbeat-*
logs-windows.powershell*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

https://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/collection/WebcamRecorder.py

Tags:

Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Collection
Data Source: PowerShell Logs

Version: 4

Rule authors:

Elastic

Rule license: Elastic License v2

Setup

edit

Setup

The PowerShell Script Block Logging logging policy must be enabled. Steps to implement the logging policy with Advanced Audit Configuration:

Computer Configuration >
Administrative Templates >
Windows PowerShell >
Turn on PowerShell Script Block Logging (Enable)

Steps to implement the logging policy via registry:

reg add "hklm\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1

Rule query

edit

event.category:process and host.os.type:windows and
  powershell.file.script_block_text : (
    "NewFrameEventHandler" or
    "VideoCaptureDevice" or
    "DirectX.Capture.Filters" or
    "VideoCompressors" or
    "Start-WebcamRecorder" or
    (
      ("capCreateCaptureWindowA" or
       "capCreateCaptureWindow" or
       "capGetDriverDescription") and
      ("avicap32.dll" or "avicap32")
    )
  )

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Collection
- ID: TA0009
- Reference URL: https://attack.mitre.org/tactics/TA0009/
Technique:
- Name: Video Capture
- ID: T1125
- Reference URL: https://attack.mitre.org/techniques/T1125/
Tactic:
- Name: Execution
- ID: TA0002
- Reference URL: https://attack.mitre.org/tactics/TA0002/
Technique:
- Name: Command and Scripting Interpreter
- ID: T1059
- Reference URL: https://attack.mitre.org/techniques/T1059/
Sub-technique:
- Name: PowerShell
- ID: T1059.001
- Reference URL: https://attack.mitre.org/techniques/T1059/001/

« PowerShell Suspicious Script with Screenshot Capabilities Encrypting Files with WinRar or 7z »