T1125

Video Capture

Adversaries may leverage a computer's peripheral devices (e.g., integrated cameras or webcams) or applications (e.g., video call services) to capture video recordings for the purpose of gathering information. Images may also be captured from devices or applications, potentially in specified intervals, in lieu of video files. Malware or scripts may interact with webcam devices through OS or application APIs such as the Windows Video Capture API (avicap32.dll), DirectShow, Windows Media Foundation, or platform-specific libraries on macOS and Linux. Captured video or image files may be written to disk and exfiltrated later. Threat actors including Transparent Tribe (Crimson RAT), Silence Group, and tools such as Empire, NanoCore, Agent Tesla, and PoetRAT have demonstrated active use of this technique.

Microsoft Sentinel / Defender

kusto

let KnownMediaApps = dynamic([
  "Teams.exe", "zoom.exe", "Skype.exe", "slack.exe", "webex.exe",
  "chrome.exe", "msedge.exe", "firefox.exe", "obs64.exe", "obs32.exe",
  "CameraApp.exe", "VideoCapture.exe", "vlc.exe", "ffmpeg.exe",
  "WindowsCamera.exe", "SnippingTool.exe", "mspaint.exe"
]);
let SuspiciousVideoPaths = dynamic([
  "\\AppData\\Local\\Temp\\", "\\AppData\\Roaming\\",
  "\\ProgramData\\", "\\Users\\Public\\",
  "\\Windows\\Temp\\", "\\Temp\\"
]);
let VideoExtensions = dynamic([".avi", ".mp4", ".wmv", ".mkv", ".mov", ".flv", ".m4v"]);
// Branch 1: Suspicious DLL image load of avicap32.dll by non-media processes
let AvicapLoads = DeviceImageLoadEvents
| where Timestamp > ago(24h)
| where FileName =~ "avicap32.dll" or FileName =~ "vfw32.dll"
| where not(InitiatingProcessFileName has_any (KnownMediaApps))
| project Timestamp, DeviceName, AccountName,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         InitiatingProcessParentFileName, FileName,
         DetectionSource = "AvicapDLLLoad";
// Branch 2: Video file creation in suspicious paths by non-media processes
let VideoFileCreation = DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType == "FileCreated"
| where FileName has_any (VideoExtensions)
| where FolderPath has_any (SuspiciousVideoPaths)
| where not(InitiatingProcessFileName has_any (KnownMediaApps))
| project Timestamp, DeviceName, AccountName,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         InitiatingProcessParentFileName,
         FileName = strcat(FolderPath, "\\", FileName),
         DetectionSource = "SuspiciousVideoFileCreation";
// Branch 3: Process accessing camera device objects (via registry device enumeration)
let CameraRegistryAccess = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where RegistryKey has_any ("KSCATEGORY_VIDEO_CAMERA", "KSCATEGORY_CAPTURE",
                               "USB\\VID_", "Image\\Windows\\CurrentVersion\\Uninstall")
| where RegistryKey has "Camera" or RegistryKey has "Webcam" or RegistryKey has "VideoCapture"
| where not(InitiatingProcessFileName has_any (KnownMediaApps))
| where not(InitiatingProcessFileName has_any ("svchost.exe", "System", "WmiPrvSE.exe", "DeviceEnumerator.exe"))
| project Timestamp, DeviceName, AccountName,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         InitiatingProcessParentFileName,
         FileName = RegistryKey,
         DetectionSource = "CameraRegistryAccess";
union AvicapLoads, VideoFileCreation, CameraRegistryAccess
| sort by Timestamp desc

high severity medium confidence

Data Sources

Driver: Driver Load Process: Process Creation File: File Creation Windows Registry: Windows Registry Key Access Microsoft Defender for Endpoint

Required Tables

DeviceImageLoadEvents DeviceFileEvents DeviceRegistryEvents

False Positives

Legitimate video conferencing applications (Zoom, Teams, Webex, Skype) that may not be in the exclusion list if installed to non-default paths
Screen recording and productivity tools (OBS Studio, Camtasia, Loom, ShareX) used by developers or content creators
IT asset management or device inventory tools that enumerate camera hardware through registry keys
Security camera management software or driver update utilities that interact with webcam device APIs
Development/testing environments where developers are building applications that interact with webcam APIs

Splunk

spl

index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational")
(
  (EventCode=7 ImageLoaded IN ("*\\avicap32.dll", "*\\vfw32.dll", "*\\mfreadwrite.dll")
   NOT (Image IN ("*\\Teams.exe", "*\\zoom.exe", "*\\Skype.exe", "*\\slack.exe",
                   "*\\chrome.exe", "*\\msedge.exe", "*\\firefox.exe",
                   "*\\obs64.exe", "*\\obs32.exe", "*\\vlc.exe", "*\\ffmpeg.exe",
                   "*\\WindowsCamera.exe", "*\\webex.exe")))
  OR
  (EventCode=11 TargetFilename IN ("*.avi", "*.mp4", "*.wmv", "*.mkv", "*.mov", "*.m4v")
   (TargetFilename="*\\AppData\\Local\\Temp\\*" OR TargetFilename="*\\AppData\\Roaming\\*"
    OR TargetFilename="*\\ProgramData\\*" OR TargetFilename="*\\Users\\Public\\*"
    OR TargetFilename="*\\Windows\\Temp\\*")
   NOT (Image IN ("*\\Teams.exe", "*\\zoom.exe", "*\\Skype.exe", "*\\slack.exe",
                   "*\\chrome.exe", "*\\msedge.exe", "*\\firefox.exe",
                   "*\\obs64.exe", "*\\obs32.exe", "*\\vlc.exe", "*\\ffmpeg.exe",
                   "*\\WindowsCamera.exe", "*\\webex.exe")))
)
| eval DetectionType=case(
    EventCode=7, "CameraAPILoad",
    EventCode=11, "VideoFileCreation",
    true(), "Unknown"
  )
| eval SuspiciousIndicator=case(
    EventCode=7 AND match(ImageLoaded, "avicap32"), "LegacyCaptureAPI",
    EventCode=7 AND match(ImageLoaded, "vfw32"), "VideoForWindowsAPI",
    EventCode=7 AND match(ImageLoaded, "mfreadwrite"), "MediaFoundationWrite",
    EventCode=11, "VideoFileInSuspiciousPath",
    true(), "Unknown"
  )
| eval FilePath=coalesce(TargetFilename, ImageLoaded)
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine,
        FilePath, DetectionType, SuspiciousIndicator
| sort - _time

high severity medium confidence

Data Sources

Driver: Driver Load File: File Creation Sysmon Event ID 7 Sysmon Event ID 11

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legitimate video conferencing applications installed to non-default paths that are not covered by the exclusion list
Screen recording tools (Camtasia, Loom, ShareX, Bandicam) writing video output to AppData directories
Media SDK testing or development tools that exercise webcam APIs
Virtualization software (VMware, VirtualBox) that maps host webcam devices through media APIs
Driver installation utilities that load camera-related DLLs during device setup

Elastic Security (EQL)

eql

sequence by host.name with maxspan=5m
  [library where host.os.type == "windows" and
   dll.name in~ ("avicap32.dll", "vfw32.dll", "mfreadwrite.dll") and
   not process.name in~ ("Teams.exe", "zoom.exe", "Skype.exe", "slack.exe", "webex.exe",
                          "chrome.exe", "msedge.exe", "firefox.exe", "obs64.exe", "obs32.exe",
                          "vlc.exe", "ffmpeg.exe", "WindowsCamera.exe", "CameraApp.exe")]

any where host.os.type == "windows" and
  (
    /* Branch 1: Camera DLL load by suspicious process */
    (event.category == "library" and
     dll.name in~ ("avicap32.dll", "vfw32.dll", "mfreadwrite.dll") and
     not process.name in~ ("Teams.exe", "zoom.exe", "Skype.exe", "slack.exe", "webex.exe",
                            "chrome.exe", "msedge.exe", "firefox.exe", "obs64.exe", "obs32.exe",
                            "vlc.exe", "ffmpeg.exe", "WindowsCamera.exe", "CameraApp.exe",
                            "VideoCapture.exe", "SnippingTool.exe"))
    OR
    /* Branch 2: Video file creation in suspicious paths */
    (event.category == "file" and event.type == "creation" and
     file.extension in~ ("avi", "mp4", "wmv", "mkv", "mov", "flv", "m4v") and
     (
       file.path like~ "*\\AppData\\Local\\Temp\\*" or
       file.path like~ "*\\AppData\\Roaming\\*" or
       file.path like~ "*\\ProgramData\\*" or
       file.path like~ "*\\Users\\Public\\*" or
       file.path like~ "*\\Windows\\Temp\\*"
     ) and
     not process.name in~ ("Teams.exe", "zoom.exe", "Skype.exe", "slack.exe", "webex.exe",
                            "chrome.exe", "msedge.exe", "firefox.exe", "obs64.exe", "obs32.exe",
                            "vlc.exe", "ffmpeg.exe", "WindowsCamera.exe"))
    OR
    /* Branch 3: Camera registry enumeration by suspicious process */
    (event.category == "registry" and
     (
       registry.path like~ "*KSCATEGORY_VIDEO_CAMERA*" or
       registry.path like~ "*KSCATEGORY_CAPTURE*" or
       registry.path like~ "*Camera*" or
       registry.path like~ "*Webcam*" or
       registry.path like~ "*VideoCapture*"
     ) and
     not process.name in~ ("Teams.exe", "zoom.exe", "Skype.exe", "svchost.exe",
                            "WmiPrvSE.exe", "DeviceEnumerator.exe", "System"))
  )

high severity medium confidence

Data Sources

Elastic Endpoint Security Elastic Agent with Windows integration Winlogbeat with Sysmon

Required Tables

logs-endpoint.events.library-* logs-endpoint.events.file-* logs-endpoint.events.registry-* winlogbeat-*

False Positives

Legitimate screen recording or video editing software such as Camtasia, Bandicam, or OBS loading avicap32.dll during normal operation — tune by adding known applications to the exclusion list
Enterprise video conferencing tools installed in non-standard paths or with unusual parent processes (e.g., auto-updaters) may trigger the DLL load branch
Security software or endpoint agents performing device inventory scans may enumerate camera registry keys, particularly during initial deployment or policy refresh

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  "sourceip",
  "username",
  "Process Name" AS process_name,
  "Process CommandLine" AS command_line,
  "Parent Process Name" AS parent_process,
  CASE
    WHEN "filename" ILIKE '%avicap32.dll%' OR "filename" ILIKE '%vfw32.dll%' OR "filename" ILIKE '%mfreadwrite.dll%'
      THEN 'CameraAPILoad'
    WHEN "filename" ILIKE '%.avi' OR "filename" ILIKE '%.mp4' OR "filename" ILIKE '%.wmv'
      OR "filename" ILIKE '%.mkv' OR "filename" ILIKE '%.mov' OR "filename" ILIKE '%.m4v'
      THEN 'VideoFileCreation'
    WHEN "filename" ILIKE '%KSCATEGORY_VIDEO_CAMERA%' OR "filename" ILIKE '%Camera%'
      OR "filename" ILIKE '%Webcam%'
      THEN 'CameraRegistryAccess'
    ELSE 'Unknown'
  END AS detection_type,
  "filename" AS suspicious_file_or_key
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon')
  AND (
    /* Branch 1: Sysmon Event ID 7 - Image Load of camera DLLs by suspicious processes */
    (
      QIDNAME(qid) ILIKE '%image load%'
      AND (
        "filename" ILIKE '%avicap32.dll%'
        OR "filename" ILIKE '%vfw32.dll%'
        OR "filename" ILIKE '%mfreadwrite.dll%'
      )
      AND "Process Name" NOT ILIKE '%Teams.exe%'
      AND "Process Name" NOT ILIKE '%zoom.exe%'
      AND "Process Name" NOT ILIKE '%Skype.exe%'
      AND "Process Name" NOT ILIKE '%slack.exe%'
      AND "Process Name" NOT ILIKE '%webex.exe%'
      AND "Process Name" NOT ILIKE '%chrome.exe%'
      AND "Process Name" NOT ILIKE '%msedge.exe%'
      AND "Process Name" NOT ILIKE '%firefox.exe%'
      AND "Process Name" NOT ILIKE '%obs64.exe%'
      AND "Process Name" NOT ILIKE '%obs32.exe%'
      AND "Process Name" NOT ILIKE '%vlc.exe%'
      AND "Process Name" NOT ILIKE '%ffmpeg.exe%'
      AND "Process Name" NOT ILIKE '%WindowsCamera.exe%'
    )
    OR
    /* Branch 2: Sysmon Event ID 11 - Video file creation in suspicious paths */
    (
      QIDNAME(qid) ILIKE '%file create%'
      AND (
        "filename" ILIKE '%.avi'
        OR "filename" ILIKE '%.mp4'
        OR "filename" ILIKE '%.wmv'
        OR "filename" ILIKE '%.mkv'
        OR "filename" ILIKE '%.mov'
        OR "filename" ILIKE '%.m4v'
        OR "filename" ILIKE '%.flv'
      )
      AND (
        "filename" ILIKE '%\AppData\Local\Temp\%'
        OR "filename" ILIKE '%\AppData\Roaming\%'
        OR "filename" ILIKE '%\ProgramData\%'
        OR "filename" ILIKE '%\Users\Public\%'
        OR "filename" ILIKE '%\Windows\Temp\%'
      )
      AND "Process Name" NOT ILIKE '%Teams.exe%'
      AND "Process Name" NOT ILIKE '%zoom.exe%'
      AND "Process Name" NOT ILIKE '%Skype.exe%'
      AND "Process Name" NOT ILIKE '%vlc.exe%'
      AND "Process Name" NOT ILIKE '%ffmpeg.exe%'
      AND "Process Name" NOT ILIKE '%obs64.exe%'
      AND "Process Name" NOT ILIKE '%WindowsCamera.exe%'
    )
    OR
    /* Branch 3: Registry access to camera device keys */
    (
      QIDNAME(qid) ILIKE '%registry%'
      AND (
        "filename" ILIKE '%KSCATEGORY_VIDEO_CAMERA%'
        OR "filename" ILIKE '%KSCATEGORY_CAPTURE%'
        OR "filename" ILIKE '%Camera%'
        OR "filename" ILIKE '%Webcam%'
        OR "filename" ILIKE '%VideoCapture%'
      )
      AND "Process Name" NOT ILIKE '%svchost.exe%'
      AND "Process Name" NOT ILIKE '%WmiPrvSE.exe%'
      AND "Process Name" NOT ILIKE '%Teams.exe%'
      AND "Process Name" NOT ILIKE '%zoom.exe%'
    )
  )
  AND devicetime > NOW() - 86400000
ORDER BY devicetime DESC
LIMIT 500

high severity medium confidence

Data Sources

IBM QRadar SIEM Windows Sysmon (via QRadar DSM) Microsoft Windows Security Event Log (via QRadar DSM)

Required Tables

events

False Positives

Legitimate enterprise video conferencing tools installed outside their standard program paths may not match the exclusion list patterns and generate false positives on DLL load events
Automated backup or file-sync software that copies video files from user directories to staging paths (e.g., OneDrive local sync cache in Temp) will match the file creation branch
IT asset management tools such as SCCM or Tanium performing device hardware enumeration will trigger the registry camera access branch during scheduled inventory cycles

Sumo Logic CSE

sql

// T1125 - Video Capture Detection
// Branch 1: Camera capture DLL loaded by suspicious process (Sysmon EID 7)
(_sourceCategory="windows/sysmon" OR _sourceCategory="WinEventLog/Sysmon")
| parse xml auto
| where EventID = "7"
| where (
    ImageLoaded matches "*avicap32.dll" OR
    ImageLoaded matches "*vfw32.dll" OR
    ImageLoaded matches "*mfreadwrite.dll"
  )
| where !(Image matches "*Teams.exe" OR
          Image matches "*zoom.exe" OR
          Image matches "*Skype.exe" OR
          Image matches "*slack.exe" OR
          Image matches "*webex.exe" OR
          Image matches "*chrome.exe" OR
          Image matches "*msedge.exe" OR
          Image matches "*firefox.exe" OR
          Image matches "*obs64.exe" OR
          Image matches "*obs32.exe" OR
          Image matches "*vlc.exe" OR
          Image matches "*ffmpeg.exe" OR
          Image matches "*WindowsCamera.exe")
| eval DetectionType = "CameraAPILoad"
| eval SuspiciousIndicator = if(ImageLoaded matches "*avicap32*", "LegacyCaptureAPI",
    if(ImageLoaded matches "*vfw32*", "VideoForWindowsAPI",
    if(ImageLoaded matches "*mfreadwrite*", "MediaFoundationWrite", "UnknownDLL")))
| fields _messageTime, Computer, User, Image, CommandLine, ParentImage, ImageLoaded, DetectionType, SuspiciousIndicator

// ---- UNION Branch 2 ----
// Run separately or use subquery union:
// (_sourceCategory="windows/sysmon")
// | parse xml auto
// | where EventID = "11"
// | where (
//     TargetFilename matches "*.avi" OR TargetFilename matches "*.mp4" OR
//     TargetFilename matches "*.wmv" OR TargetFilename matches "*.mkv" OR
//     TargetFilename matches "*.mov" OR TargetFilename matches "*.m4v" OR
//     TargetFilename matches "*.flv"
//   )
// | where (
//     TargetFilename matches "*\AppData\Local\Temp\*" OR
//     TargetFilename matches "*\AppData\Roaming\*" OR
//     TargetFilename matches "*\ProgramData\*" OR
//     TargetFilename matches "*\Users\Public\*" OR
//     TargetFilename matches "*\Windows\Temp\*"
//   )
// | where !(Image matches "*Teams.exe" OR Image matches "*zoom.exe" OR
//           Image matches "*Skype.exe" OR Image matches "*vlc.exe" OR
//           Image matches "*ffmpeg.exe" OR Image matches "*WindowsCamera.exe")
// | eval DetectionType = "VideoFileCreation"
// | eval SuspiciousIndicator = "VideoFileInSuspiciousPath"
// | fields _messageTime, Computer, User, Image, CommandLine, ParentImage, TargetFilename as SuspiciousFile, DetectionType, SuspiciousIndicator

| sort by _messageTime desc
| count by Computer, User, Image, CommandLine, DetectionType, SuspiciousIndicator

high severity medium confidence

Data Sources

Sumo Logic Cloud SIEM Windows Sysmon (via Sumo Logic Installed Collector) Windows Event Log collection

Required Tables

windows/sysmon WinEventLog/Sysmon

False Positives

Legitimate screen capture or remote desktop software (e.g., AnyDesk, TeamViewer) that loads avicap32.dll for desktop sharing functionality when not in the exclusion list will generate alerts
Video conversion or transcoding utilities (e.g., HandBrake, ffprobe) writing output to temporary directories during automated media processing pipelines
Browser plugins or Electron-based applications (Slack, Discord) loading media DLLs from non-standard installation directories not matching the exclusion path patterns

Google Chronicle / SecOps

yaral

rule t1125_video_capture_detection {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects MITRE ATT&CK T1125 - Video Capture via camera DLL loads, video file creation in suspicious paths, and camera registry enumeration by non-media processes"
    mitre_attack_tactic = "Collection"
    mitre_attack_technique = "T1125"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1125/"
    severity = "HIGH"
    priority = "HIGH"
    version = "1.0"
    created = "2026-04-18"

  events:
    (
      /* Branch 1: Camera API DLL load by suspicious process */
      (
        $e.metadata.event_type = "PROCESS_MODULE_LOAD"
        and (
          $e.target.file.full_path = /(?i)avicap32\.dll$/ or
          $e.target.file.full_path = /(?i)vfw32\.dll$/ or
          $e.target.file.full_path = /(?i)mfreadwrite\.dll$/
        )
        and not (
          $e.principal.process.file.full_path = /(?i)(Teams|zoom|Skype|slack|webex|chrome|msedge|firefox|obs64|obs32|vlc|ffmpeg|WindowsCamera|CameraApp|VideoCapture|SnippingTool)\.exe$/
        )
      )
      or
      /* Branch 2: Video file creation in suspicious staging directories */
      (
        $e.metadata.event_type = "FILE_CREATION"
        and (
          $e.target.file.full_path = /(?i)\.(avi|mp4|wmv|mkv|mov|flv|m4v)$/
        )
        and (
          $e.target.file.full_path = /(?i)\\AppData\\Local\\Temp\\/ or
          $e.target.file.full_path = /(?i)\\AppData\\Roaming\\/ or
          $e.target.file.full_path = /(?i)\\ProgramData\\/ or
          $e.target.file.full_path = /(?i)\\Users\\Public\\/ or
          $e.target.file.full_path = /(?i)\\Windows\\Temp\\/
        )
        and not (
          $e.principal.process.file.full_path = /(?i)(Teams|zoom|Skype|slack|webex|chrome|msedge|firefox|obs64|obs32|vlc|ffmpeg|WindowsCamera)\.exe$/
        )
      )
      or
      /* Branch 3: Camera/webcam registry key access by non-system processes */
      (
        $e.metadata.event_type = "REGISTRY_OPEN_KEY"
        and (
          $e.target.registry.registry_key = /(?i)(KSCATEGORY_VIDEO_CAMERA|KSCATEGORY_CAPTURE|Camera|Webcam|VideoCapture)/
        )
        and not (
          $e.principal.process.file.full_path = /(?i)(svchost|WmiPrvSE|DeviceEnumerator|System|Teams|zoom|Skype)\.exe$/
        )
      )
    )

  condition:
    $e
}

high severity medium confidence

Data Sources

Google Chronicle SIEM Chronicle UDM Events Windows endpoint telemetry forwarded to Chronicle Sysmon via Chronicle forwarder

Required Tables

UDM Events (PROCESS_MODULE_LOAD, FILE_CREATION, REGISTRY_OPEN_KEY)

False Positives

Security awareness training software or endpoint DLP agents that periodically scan attached camera devices may generate REGISTRY_OPEN_KEY hits on camera category keys
Custom enterprise automation scripts or PowerShell-based IT tooling that converts desktop recordings to MP4 in the user's Temp directory as part of IT helpdesk remote session recording
Legitimate game capture or streaming software installed to non-standard paths (e.g., portable versions of OBS or Bandicam) not matching the exclusion regex patterns will trigger DLL load alerts

CrowdStrike LogScale (CQL)

cql

// T1125 - Video Capture: CrowdStrike Falcon LogScale (CQL)
// Branch 1: Camera capture DLL image load by suspicious process
#event_simpleName = ImageLoad
| ImageFileName = /(?i)(avicap32\.dll|vfw32\.dll|mfreadwrite\.dll)$/
| ImageFileName != /(?i)(Teams|zoom|Skype|slack|webex|chrome|msedge|firefox|obs64|obs32|vlc|ffmpeg|WindowsCamera|CameraApp|VideoCapture|SnippingTool)\.exe$/
| eval DetectionType = "CameraAPILoad"
| eval SuspiciousIndicator = case(
    ImageFileName = /(?i)avicap32/, "LegacyCaptureAPI",
    ImageFileName = /(?i)vfw32/, "VideoForWindowsAPI",
    ImageFileName = /(?i)mfreadwrite/, "MediaFoundationWrite",
    true(), "UnknownCameraDLL"
  )
| table([_timstamp, ComputerName, UserName, ImageFileName, ProcessImageFileName, CommandLine, ParentBaseFileName, DetectionType, SuspiciousIndicator])

// ---- Branch 2: Video file write to suspicious path (FileCreate events) ----
// #event_simpleName = /^(PeFileWrite|SuspiciousFileWrite|GeneralFileWrite)$/
// | TargetFileName = /(?i)\.(avi|mp4|wmv|mkv|mov|flv|m4v)$/
// | TargetFileName = /(?i)(\\AppData\\Local\\Temp\\|\\AppData\\Roaming\\|\\ProgramData\\|\\Users\\Public\\|\\Windows\\Temp\\)/
// | TargetFileName != /(?i)(Teams|zoom|Skype|slack|webex|chrome|msedge|firefox|obs64|obs32|vlc|ffmpeg|WindowsCamera)\.exe$/
// | eval DetectionType = "VideoFileCreation"
// | eval SuspiciousIndicator = "VideoFileInSuspiciousPath"
// | table([_timstamp, ComputerName, UserName, TargetFileName, ProcessImageFileName, CommandLine, ParentBaseFileName, DetectionType, SuspiciousIndicator])

// ---- Branch 3: Camera registry key enumeration ----
// #event_simpleName = /^(RegKeyCreate|RegKeyOpen|RegValueCreate)$/
// | RegObjectName = /(?i)(KSCATEGORY_VIDEO_CAMERA|KSCATEGORY_CAPTURE|Camera|Webcam|VideoCapture)/
// | ProcessImageFileName != /(?i)(svchost|WmiPrvSE|DeviceEnumerator|Teams|zoom|Skype)\.exe$/
// | eval DetectionType = "CameraRegistryAccess"
// | table([_timstamp, ComputerName, UserName, RegObjectName, ProcessImageFileName, CommandLine, ParentBaseFileName, DetectionType])

| groupBy([ComputerName, UserName, ProcessImageFileName, DetectionType, SuspiciousIndicator], function=count(as=EventCount))
| sort(EventCount, order=desc)

high severity medium confidence

Data Sources

CrowdStrike Falcon EDR Falcon LogScale (Humio) Falcon sensor telemetry (ImageLoad, FileCreate, RegKeyOpen)

Required Tables

ImageLoad events PeFileWrite / GeneralFileWrite events RegKeyCreate / RegKeyOpen events

False Positives

Security testing tools or red team implants used during authorized penetration tests that load avicap32.dll as part of capability testing will generate true-positive-appearing alerts that require context from change management records to triage
Enterprise endpoint management agents (e.g., Tanium, BigFix) performing hardware capability inventory may load camera-related DLLs or access camera registry keys during scheduled compliance scans
Virtualization guest tools (e.g., VMware Tools, VirtualBox Guest Additions) that redirect physical camera devices to VMs may load video capture DLLs from unexpected process contexts during device redirection initialization

Last updated: 2026-04-18 Research depth: deep

References (11)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1125 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Video Capture

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Collection

Popular Detections