PowerShell Script with Webcam Video Capture Capabilities
Detects PowerShell scripts that can be used to record webcam video. Attackers can capture this information to extort or spy on victims.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2023/07/18"
3integration = ["windows"]
4maturity = "production"
5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
6min_stack_version = "8.3.0"
7updated_date = "2024/03/08"
8
9[rule]
10author = ["Elastic"]
11description = """
12Detects PowerShell scripts that can be used to record webcam video. Attackers can capture this information to extort or
13spy on victims.
14"""
15from = "now-9m"
16index = ["winlogbeat-*", "logs-windows.powershell*"]
17language = "kuery"
18license = "Elastic License v2"
19name = "PowerShell Script with Webcam Video Capture Capabilities"
20references = ["https://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/collection/WebcamRecorder.py"]
21risk_score = 47
22rule_id = "eb44611f-62a8-4036-a5ef-587098be6c43"
23setup = """## Setup
24
25The 'PowerShell Script Block Logging' logging policy must be enabled.
26Steps to implement the logging policy with Advanced Audit Configuration:
Computer Configuration > Administrative Templates > Windows PowerShell > Turn on PowerShell Script Block Logging (Enable)
1
2Steps to implement the logging policy via registry:
reg add "hklm\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1
1"""
2severity = "medium"
3tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: PowerShell Logs"]
4timestamp_override = "event.ingested"
5type = "query"
6
7query = '''
8event.category:process and host.os.type:windows and
9 powershell.file.script_block_text : (
10 "NewFrameEventHandler" or
11 "VideoCaptureDevice" or
12 "DirectX.Capture.Filters" or
13 "VideoCompressors" or
14 "Start-WebcamRecorder" or
15 (
16 ("capCreateCaptureWindowA" or
17 "capCreateCaptureWindow" or
18 "capGetDriverDescription") and
19 ("avicap32.dll" or "avicap32")
20 )
21 )
22'''
23
24
25[[rule.threat]]
26framework = "MITRE ATT&CK"
27[[rule.threat.technique]]
28id = "T1125"
29name = "Video Capture"
30reference = "https://attack.mitre.org/techniques/T1125/"
31
32
33[rule.threat.tactic]
34id = "TA0009"
35name = "Collection"
36reference = "https://attack.mitre.org/tactics/TA0009/"
37[[rule.threat]]
38framework = "MITRE ATT&CK"
39[[rule.threat.technique]]
40id = "T1059"
41name = "Command and Scripting Interpreter"
42reference = "https://attack.mitre.org/techniques/T1059/"
43[[rule.threat.technique.subtechnique]]
44id = "T1059.001"
45name = "PowerShell"
46reference = "https://attack.mitre.org/techniques/T1059/001/"
47
48
49
50[rule.threat.tactic]
51id = "TA0002"
52name = "Execution"
53reference = "https://attack.mitre.org/tactics/TA0002/"
References
Related rules
- PowerShell Keylogging Script
- PowerShell Mailbox Collection Script
- PowerShell Share Enumeration Script
- PowerShell Suspicious Script with Audio Capture Capabilities
- PowerShell Suspicious Script with Screenshot Capabilities