PowerShell Script with Webcam Video Capture Capabilities

Detects PowerShell scripts that can be used to record webcam video. Attackers can capture this information to extort or spy on victims.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2023/07/18"
 3integration = ["windows"]
 4maturity = "production"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7updated_date = "2024/01/11"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Detects PowerShell scripts that can be used to record webcam video. Attackers can capture this information to extort or
13spy on victims.
14"""
15from = "now-9m"
16index = ["winlogbeat-*", "logs-windows.*"]
17language = "kuery"
18license = "Elastic License v2"
19name = "PowerShell Script with Webcam Video Capture Capabilities"
20references = ["https://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/collection/WebcamRecorder.py"]
21risk_score = 47
22rule_id = "eb44611f-62a8-4036-a5ef-587098be6c43"
23setup = """
24The 'PowerShell Script Block Logging' logging policy must be enabled.
25Steps to implement the logging policy with Advanced Audit Configuration:

Computer Configuration > Administrative Templates > Windows PowerShell > Turn on PowerShell Script Block Logging (Enable)

1
2Steps to implement the logging policy via registry:

reg add "hklm\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1

 1"""
 2severity = "medium"
 3tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: PowerShell Logs"]
 4timestamp_override = "event.ingested"
 5type = "query"
 6
 7query = '''
 8event.category:process and host.os.type:windows and
 9  powershell.file.script_block_text : (
10    "NewFrameEventHandler" or
11    "VideoCaptureDevice" or
12    "DirectX.Capture.Filters" or
13    "VideoCompressors" or
14    "Start-WebcamRecorder" or
15    (
16      ("capCreateCaptureWindowA" or
17       "capCreateCaptureWindow" or
18       "capGetDriverDescription") and
19      ("avicap32.dll" or "avicap32")
20    )
21  )
22'''
23
24
25[[rule.threat]]
26framework = "MITRE ATT&CK"
27[[rule.threat.technique]]
28id = "T1125"
29name = "Video Capture"
30reference = "https://attack.mitre.org/techniques/T1125/"
31
32
33[rule.threat.tactic]
34id = "TA0009"
35name = "Collection"
36reference = "https://attack.mitre.org/tactics/TA0009/"
37[[rule.threat]]
38framework = "MITRE ATT&CK"
39[[rule.threat.technique]]
40id = "T1059"
41name = "Command and Scripting Interpreter"
42reference = "https://attack.mitre.org/techniques/T1059/"
43[[rule.threat.technique.subtechnique]]
44id = "T1059.001"
45name = "PowerShell"
46reference = "https://attack.mitre.org/techniques/T1059/001/"
47
48
49
50[rule.threat.tactic]
51id = "TA0002"
52name = "Execution"
53reference = "https://attack.mitre.org/tactics/TA0002/"

References

Related rules

to-top