T1125 Google Chronicle · YARA-L

Detect Video Capture in Google Chronicle

Adversaries may leverage a computer's peripheral devices (e.g., integrated cameras or webcams) or applications (e.g., video call services) to capture video recordings for the purpose of gathering information. Images may also be captured from devices or applications, potentially in specified intervals, in lieu of video files. Malware or scripts may interact with webcam devices through OS or application APIs such as the Windows Video Capture API (avicap32.dll), DirectShow, Windows Media Foundation, or platform-specific libraries on macOS and Linux. Captured video or image files may be written to disk and exfiltrated later. Threat actors including Transparent Tribe (Crimson RAT), Silence Group, and tools such as Empire, NanoCore, Agent Tesla, and PoetRAT have demonstrated active use of this technique.

MITRE ATT&CK

  • Tactic: Collection
  • Technique: T1125 Video Capture
  • Canonical reference: https://attack.mitre.org/techniques/T1125/

YARA-L Detection Query

Google Chronicle (YARA-L)
```yaral
rule t1125_video_capture_detection {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects MITRE ATT&CK T1125 - Video Capture via camera DLL loads, video file creation in suspicious paths, and camera registry enumeration by non-media processes"
    mitre_attack_tactic = "Collection"
    mitre_attack_technique = "T1125"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1125/"
    severity = "HIGH"
    priority = "HIGH"
    version = "1.0"
    created = "2026-04-18"

  events:
    (
      /* Branch 1: Camera API DLL load by suspicious process */
      (
        $e.metadata.event_type = "PROCESS_MODULE_LOAD"
        and (
          $e.target.file.full_path = /(?i)avicap32\.dll$/ or
          $e.target.file.full_path = /(?i)vfw32\.dll$/ or
          $e.target.file.full_path = /(?i)mfreadwrite\.dll$/
        )
        and not (
          $e.principal.process.file.full_path = /(?i)(Teams|zoom|Skype|slack|webex|chrome|msedge|firefox|obs64|obs32|vlc|ffmpeg|WindowsCamera|CameraApp|VideoCapture|SnippingTool)\.exe$/
        )
      )
      or
      /* Branch 2: Video file creation in suspicious staging directories */
      (
        $e.metadata.event_type = "FILE_CREATION"
        and (
          $e.target.file.full_path = /(?i)\.(avi|mp4|wmv|mkv|mov|flv|m4v)$/
        )
        and (
          $e.target.file.full_path = /(?i)\\AppData\\Local\\Temp\\/ or
          $e.target.file.full_path = /(?i)\\AppData\\Roaming\\/ or
          $e.target.file.full_path = /(?i)\\ProgramData\\/ or
          $e.target.file.full_path = /(?i)\\Users\\Public\\/ or
          $e.target.file.full_path = /(?i)\\Windows\\Temp\\/
        )
        and not (
          $e.principal.process.file.full_path = /(?i)(Teams|zoom|Skype|slack|webex|chrome|msedge|firefox|obs64|obs32|vlc|ffmpeg|WindowsCamera)\.exe$/
        )
      )
      or
      /* Branch 3: Camera/webcam registry key access by non-system processes */
      (
        $e.metadata.event_type = "REGISTRY_OPEN_KEY"
        and (
          $e.target.registry.registry_key = /(?i)(KSCATEGORY_VIDEO_CAMERA|KSCATEGORY_CAPTURE|Camera|Webcam|VideoCapture)/
        )
        and not (
          $e.principal.process.file.full_path = /(?i)(svchost|WmiPrvSE|DeviceEnumerator|System|Teams|zoom|Skype)\.exe$/
        )
      )
    )

  condition:
    $e
}
```

Severity: high · Confidence: medium

Chronicle YARA-L 2.0 rule detecting MITRE ATT&CK T1125 (Video Capture) through three behavioral signals in the UDM event stream; the branches are OR-ed, so any one of them fires the rule on a single event: (1) PROCESS_MODULE_LOAD events for Windows camera capture DLLs (avicap32.dll, vfw32.dll, mfreadwrite.dll) loaded by processes outside the known legitimate media application set, (2) FILE_CREATION events for video file types written to temp/staging paths by non-media processes, and (3) REGISTRY_OPEN_KEY events targeting camera device category keys by unexpected processes. Covers RAT tooling including Crimson RAT, NanoCore, Agent Tesla, PoetRAT, and post-exploitation frameworks.
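To see which events the three branches accept and which the per-branch allowlists drop, here is an added Python model of the rule's logic run over constructed UDM-style events (example code, not the rule page's own; the events use flattened UDM field names and constructed paths, and bdcam.exe and update.exe are illustrative process names, not indicators).

```python
import re

# Regexes copied from the three branches of the YARA-L rule; each branch keeps its own allowlist.
CAMERA_DLLS = r"(?i)(avicap32|vfw32|mfreadwrite)\.dll$"
VIDEO_EXT = r"(?i)\.(avi|mp4|wmv|mkv|mov|flv|m4v)$"
STAGING_DIRS = r"(?i)\\(AppData\\Local\\Temp|AppData\\Roaming|ProgramData|Users\\Public|Windows\\Temp)\\"
CAMERA_KEYS = r"(?i)(KSCATEGORY_VIDEO_CAMERA|KSCATEGORY_CAPTURE|Camera|Webcam|VideoCapture)"
ALLOW_DLL = r"(?i)(Teams|zoom|Skype|slack|webex|chrome|msedge|firefox|obs64|obs32|vlc|ffmpeg|WindowsCamera|CameraApp|VideoCapture|SnippingTool)\.exe$"
ALLOW_FILE = r"(?i)(Teams|zoom|Skype|slack|webex|chrome|msedge|firefox|obs64|obs32|vlc|ffmpeg|WindowsCamera)\.exe$"
ALLOW_REG = r"(?i)(svchost|WmiPrvSE|DeviceEnumerator|System|Teams|zoom|Skype)\.exe$"


def matching_branch(ev):
    """Return 1, 2 or 3 for the rule branch a flattened UDM event fires on, else None."""
    etype = ev["metadata.event_type"]
    proc = ev["principal.process.file.full_path"]
    target = ev["target.file.full_path"]
    if etype == "PROCESS_MODULE_LOAD":
        if re.search(CAMERA_DLLS, target) and not re.search(ALLOW_DLL, proc):
            return 1
    elif etype == "FILE_CREATION":
        if (re.search(VIDEO_EXT, target) and re.search(STAGING_DIRS, target)
                and not re.search(ALLOW_FILE, proc)):
            return 2
    elif etype == "REGISTRY_OPEN_KEY":
        key = ev["target.registry.registry_key"]
        if re.search(CAMERA_KEYS, key) and not re.search(ALLOW_REG, proc):
            return 3
    return None


def run_rule(events):
    """Map each event id to the branch it triggers (None means no alert)."""
    return {e["id"]: matching_branch(e) for e in events}


def ev(eid, etype, proc, target="", key=""):
    # Build a constructed, flattened UDM event (sample data, not real telemetry).
    return {"id": eid, "metadata.event_type": etype, "principal.process.file.full_path": proc,
            "target.file.full_path": target, "target.registry.registry_key": key}


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CAM_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\DeviceClasses\KSCATEGORY_VIDEO_CAMERA"  # constructed
SAMPLE_EVENTS = [  # ids refer to the Testing Methodology tests and the tuning notes on this page
    ev("test1", "PROCESS_MODULE_LOAD", PS, r"C:\Windows\System32\avicap32.dll"),
    ev("teams", "PROCESS_MODULE_LOAD", r"C:\Program Files\Teams\Teams.exe", r"C:\Windows\System32\avicap32.dll"),
    ev("test2", "FILE_CREATION", PS, r"C:\Users\alice\AppData\Local\Temp\capture_1713456000.avi"),
    ev("test3_jpg", "FILE_CREATION", r"C:\Python312\python.exe", r"C:\Users\alice\AppData\Local\Temp\frame_1713456000.jpg"),
    ev("test4", "FILE_CREATION", r"C:\Tools\ffmpeg\bin\ffmpeg.exe", r"C:\Users\alice\AppData\Local\Temp\capture.mp4"),
    ev("portable", "PROCESS_MODULE_LOAD", r"D:\PortableApps\Capture\bdcam.exe", r"C:\Windows\System32\vfw32.dll"),
    ev("reg_unknown", "REGISTRY_OPEN_KEY", r"C:\Users\Public\update.exe", key=CAM_KEY),
    ev("reg_svchost", "REGISTRY_OPEN_KEY", r"C:\Windows\System32\svchost.exe", key=CAM_KEY),
]
```

Running run_rule(SAMPLE_EVENTS) shows that Test 4's ffmpeg.exe writes and Test 3's .jpg frames produce no alert from Branches 1 or 2 as written, because ffmpeg is allowlisted and neither .jpg nor OpenCV modules are in the rule's lists, so those two tests can only exercise Branch 3. The portable capture tool loading vfw32.dll fires Branch 1, which is the tuning case described under False Positives & Tuning.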

Data Sources

  • Google Chronicle SIEM
  • Chronicle UDM Events
  • Windows endpoint telemetry forwarded to Chronicle
  • Sysmon via Chronicle forwarder

Required Tables

UDM Events (PROCESS_MODULE_LOAD, FILE_CREATION, REGISTRY_OPEN_KEY)

False Positives & Tuning

  • Security awareness training software or endpoint DLP agents that periodically scan attached camera devices may generate REGISTRY_OPEN_KEY hits on camera category keys
  • Custom enterprise automation scripts or PowerShell-based IT tooling that converts desktop recordings to MP4 in the user's Temp directory as part of IT helpdesk remote session recording
  • Legitimate game capture or streaming software installed to non-standard paths (e.g., portable versions of OBS or Bandicam) not matching the exclusion regex patterns will trigger DLL load alerts

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Webcam Access via avicap32.dll (Windows Legacy API)

    Expected signal: Sysmon Event ID 7 (Image Load): Image=powershell.exe, ImageLoaded=C:\Windows\System32\avicap32.dll. Sysmon Event ID 1 (Process Create): CommandLine will contain 'avicap32.dll' and 'capCreateCaptureWindowA'. PowerShell Script Block Log Event ID 4104 with the full P/Invoke code.

  2. Test 2: Video File Creation in Temp Directory Simulation

    Expected signal: Sysmon Event ID 11 (File Create): Image=powershell.exe, TargetFilename=C:\Users\<user>\AppData\Local\Temp\capture_<timestamp>.avi. File will contain RIFF header bytes matching AVI format. Sysmon Event ID 1 (Process Create) for the PowerShell process.

  3. Test 3: Webcam Capture via Python OpenCV (Cross-Platform)

    Expected signal: Sysmon Event ID 1 (Process Create): Image=python3.exe (or python.exe), CommandLine contains 'cv2.VideoCapture' and 'imwrite'. Sysmon Event ID 7 (Image Load): opencv_videoio*.dll or _cv2.pyd loaded by python3.exe. Sysmon Event ID 11 (File Create): TargetFilename matching frame_<timestamp>.jpg in %TEMP%.

  4. Test 4: Webcam Capture Using ffmpeg (Common RAT Dependency)

    Expected signal: Sysmon Event ID 1 (Process Create): Image=ffmpeg.exe, CommandLine contains '-f dshow' and '-i video=' and the output .mp4 path in %TEMP%. Sysmon Event ID 11 (File Create): TargetFilename matching *.mp4 in %TEMP% with Image=ffmpeg.exe. DeviceNetworkEvents (KQL) should be clean for this test, since ffmpeg does not make network connections in offline capture mode.
