PowerShell Script with Webcam Video Capture Capabilities
Detects PowerShell scripts that can be used to record webcam video. Attackers can capture this information to extort or spy on victims.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2023/07/18"
3integration = ["windows"]
4maturity = "production"
5updated_date = "2024/05/21"
6
7[rule]
8author = ["Elastic"]
9description = """
10Detects PowerShell scripts that can be used to record webcam video. Attackers can capture this information to extort or
11spy on victims.
12"""
13from = "now-9m"
14index = ["winlogbeat-*", "logs-windows.powershell*"]
15language = "kuery"
16license = "Elastic License v2"
17name = "PowerShell Script with Webcam Video Capture Capabilities"
18references = [
19 "https://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/collection/WebcamRecorder.py",
20]
21risk_score = 47
22rule_id = "eb44611f-62a8-4036-a5ef-587098be6c43"
23setup = """## Setup
24
25The 'PowerShell Script Block Logging' logging policy must be enabled.
26Steps to implement the logging policy with Advanced Audit Configuration:
Computer Configuration > Administrative Templates > Windows PowerShell > Turn on PowerShell Script Block Logging (Enable)
1
2Steps to implement the logging policy via registry:
reg add "hklm\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1
1"""
2severity = "medium"
3tags = [
4 "Domain: Endpoint",
5 "OS: Windows",
6 "Use Case: Threat Detection",
7 "Tactic: Collection",
8 "Data Source: PowerShell Logs",
9]
10timestamp_override = "event.ingested"
11type = "query"
12
13query = '''
14event.category:process and host.os.type:windows and
15 powershell.file.script_block_text : (
16 "NewFrameEventHandler" or
17 "VideoCaptureDevice" or
18 "DirectX.Capture.Filters" or
19 "VideoCompressors" or
20 "Start-WebcamRecorder" or
21 (
22 ("capCreateCaptureWindowA" or
23 "capCreateCaptureWindow" or
24 "capGetDriverDescription") and
25 ("avicap32.dll" or "avicap32")
26 )
27 )
28'''
29
30
31[[rule.threat]]
32framework = "MITRE ATT&CK"
33[[rule.threat.technique]]
34id = "T1125"
35name = "Video Capture"
36reference = "https://attack.mitre.org/techniques/T1125/"
37
38
39[rule.threat.tactic]
40id = "TA0009"
41name = "Collection"
42reference = "https://attack.mitre.org/tactics/TA0009/"
43[[rule.threat]]
44framework = "MITRE ATT&CK"
45[[rule.threat.technique]]
46id = "T1059"
47name = "Command and Scripting Interpreter"
48reference = "https://attack.mitre.org/techniques/T1059/"
49[[rule.threat.technique.subtechnique]]
50id = "T1059.001"
51name = "PowerShell"
52reference = "https://attack.mitre.org/techniques/T1059/001/"
53
54
55
56[rule.threat.tactic]
57id = "TA0002"
58name = "Execution"
59reference = "https://attack.mitre.org/tactics/TA0002/"
References
Related rules
- PowerShell Mailbox Collection Script
- PowerShell Share Enumeration Script
- PowerShell Suspicious Script with Audio Capture Capabilities
- PowerShell Suspicious Script with Screenshot Capabilities
- Exchange Mailbox Export via PowerShell