IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
PowerShell Script with Webcam Video Capture Capabilities
editPowerShell Script with Webcam Video Capture Capabilities
editDetects PowerShell scripts that can be used to record webcam video. Attackers can capture this information to extort or spy on victims.
Rule type: query
Rule indices:
- winlogbeat-*
- logs-windows.*
Severity: low
Risk score: 21
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
References:
Tags:
- Domain: Endpoint
- OS: Windows
- Use Case: Threat Detection
- Tactic: Collection
- Data Source: PowerShell Logs
- Rule Type: BBR
Version: 2
Rule authors:
- Elastic
Rule license: Elastic License v2
Rule query
editevent.category:process and host.os.type:windows and powershell.file.script_block_text : ( "NewFrameEventHandler" or "VideoCaptureDevice" or "DirectX.Capture.Filters" or "VideoCompressors" or "Start-WebcamRecorder" or ( ("capCreateCaptureWindowA" or "capCreateCaptureWindow" or "capGetDriverDescription") and ("avicap32.dll" or "avicap32") ) )
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Collection
- ID: TA0009
- Reference URL: https://attack.mitre.org/tactics/TA0009/
-
Technique:
- Name: Video Capture
- ID: T1125
- Reference URL: https://attack.mitre.org/techniques/T1125/
-
Tactic:
- Name: Execution
- ID: TA0002
- Reference URL: https://attack.mitre.org/tactics/TA0002/
-
Technique:
- Name: Command and Scripting Interpreter
- ID: T1059
- Reference URL: https://attack.mitre.org/techniques/T1059/
-
Sub-technique:
- Name: PowerShell
- ID: T1059.001
- Reference URL: https://attack.mitre.org/techniques/T1059/001/