PowerShell Script with Webcam Video Capture Capabilities
Detects PowerShell scripts that can be used to record webcam video. Attackers can capture this information to extort or spy on victims.
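# Elastic prebuilt detection rule. It flags PowerShell script blocks whose
# logged text names webcam / video-capture APIs or the helper routines used
# to drive them. The field it reads only exists when PowerShell Script Block
# Logging is enabled on the host (see `setup` under [rule]); without that
# policy the rule is silently inert rather than failing.
[metadata]
creation_date = "2023/07/18"
integration = ["windows"]
maturity = "production"
updated_date = "2024/10/28"
# Gated to 8.14.0+ because the Windows integration has a breaking change at
# that version (per min_stack_comments).
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

[rule]
author = ["Elastic"]
description = """
Detects PowerShell scripts that can be used to record webcam video. Attackers can capture this information to extort or
spy on victims.
"""
# Look-back window for each scheduled run. With timestamp_override set to
# event.ingested below, the window is measured against ingest time so events
# that arrive late in the pipeline are still evaluated.
from = "now-9m"
index = ["winlogbeat-*", "logs-windows.powershell*"]
language = "kuery"
license = "Elastic License v2"
name = "PowerShell Script with Webcam Video Capture Capabilities"
# Public webcam-recording module; the indicators in `query` are the API and
# helper names a script of this kind has to carry to function.
references = [
  "https://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/collection/WebcamRecorder.py",
]
# risk_score and severity are a pair (47 is the "medium" band in Elastic's
# rule conventions); change both together when tuning.
risk_score = 47
rule_id = "eb44611f-62a8-4036-a5ef-587098be6c43"
# Prerequisite shown to operators. The registry path uses doubled backslashes
# because this is a basic (""") string, where `\S`, `\P`, `\M` and `\W` are
# not valid escapes; the rendered value is the single-backslash path.
setup = """## Setup

The 'PowerShell Script Block Logging' logging policy must be enabled.
Steps to implement the logging policy with Advanced Audit Configuration:
```
Computer Configuration > Administrative Templates > Windows PowerShell > Turn on PowerShell Script Block Logging (Enable)
```

Steps to implement the logging policy via registry:
```
reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1
```
"""
severity = "medium"
tags = [
  "Domain: Endpoint",
  "OS: Windows",
  "Use Case: Threat Detection",
  "Tactic: Collection",
  "Data Source: PowerShell Logs",
]
timestamp_override = "event.ingested"
type = "query"

# Indicators are matched against the logged script block text. The bare and
# ANSI-suffixed capCreateCaptureWindow names are listed separately so neither
# is assumed to cover the other (the match appears to be on analysed terms,
# not substrings). The avicap32 branch requires an API name AND the DLL name
# together, so a lone mention of either does not fire. Legitimate scripts that
# drive capture devices (e.g. conferencing or kiosk tooling) will match the
# same strings and need per-environment exceptions rather than rule changes.
query = '''
event.category:process and host.os.type:windows and
  powershell.file.script_block_text : (
    "NewFrameEventHandler" or
    "VideoCaptureDevice" or
    "DirectX.Capture.Filters" or
    "VideoCompressors" or
    "Start-WebcamRecorder" or
    (
      ("capCreateCaptureWindowA" or
       "capCreateCaptureWindow" or
       "capGetDriverDescription") and
      ("avicap32.dll" or "avicap32")
    )
  )
'''

# ATT&CK mapping. Primary: Collection / Video Capture.
[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1125"
name = "Video Capture"
reference = "https://attack.mitre.org/techniques/T1125/"

[rule.threat.tactic]
id = "TA0009"
name = "Collection"
reference = "https://attack.mitre.org/tactics/TA0009/"

# Secondary: Execution via the PowerShell interpreter.
[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"

[[rule.threat.technique.subtechnique]]
id = "T1059.001"
name = "PowerShell"
reference = "https://attack.mitre.org/techniques/T1059/001/"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"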