Detect Video Capture in IBM QRadar
Adversaries may leverage a computer's peripheral devices (e.g., integrated cameras or webcams) or applications (e.g., video call services) to capture video recordings for the purpose of gathering information. Images may also be captured from devices or applications, potentially in specified intervals, in lieu of video files. Malware or scripts may interact with webcam devices through OS or application APIs such as the Windows Video Capture API (avicap32.dll), DirectShow, Windows Media Foundation, or platform-specific libraries on macOS and Linux. Captured video or image files may be written to disk and exfiltrated later. Threat actors including Transparent Tribe (Crimson RAT), Silence Group, and tools such as Empire, NanoCore, Agent Tesla, and PoetRAT have demonstrated active use of this technique.
MITRE ATT&CK
- Tactic
- Collection
- Technique
- T1125 Video Capture
- Canonical reference
- https://attack.mitre.org/techniques/T1125/
QRadar Detection Query
SELECT
DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
logsourcename(logsourceid) AS log_source,
"sourceip",
"username",
"Process Name" AS process_name,
"Process CommandLine" AS command_line,
"Parent Process Name" AS parent_process,
CASE
/* Label every match from the WHERE branches below; the lists here mirror those branches so no hit falls through to 'Unknown' */
WHEN "filename" ILIKE '%avicap32.dll%' OR "filename" ILIKE '%vfw32.dll%' OR "filename" ILIKE '%mfreadwrite.dll%'
THEN 'CameraAPILoad'
WHEN "filename" ILIKE '%.avi' OR "filename" ILIKE '%.mp4' OR "filename" ILIKE '%.wmv'
OR "filename" ILIKE '%.mkv' OR "filename" ILIKE '%.mov' OR "filename" ILIKE '%.m4v'
OR "filename" ILIKE '%.flv'
THEN 'VideoFileCreation'
WHEN "filename" ILIKE '%KSCATEGORY_VIDEO_CAMERA%' OR "filename" ILIKE '%KSCATEGORY_CAPTURE%'
OR "filename" ILIKE '%Camera%' OR "filename" ILIKE '%Webcam%' OR "filename" ILIKE '%VideoCapture%'
THEN 'CameraRegistryAccess'
ELSE 'Unknown'
END AS detection_type,
"filename" AS suspicious_file_or_key
FROM events
WHERE
LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon')
AND (
/* Branch 1: Sysmon Event ID 7 - Image Load of camera DLLs by suspicious processes */
(
QIDNAME(qid) ILIKE '%image load%'
AND (
"filename" ILIKE '%avicap32.dll%'
OR "filename" ILIKE '%vfw32.dll%'
OR "filename" ILIKE '%mfreadwrite.dll%'
)
AND "Process Name" NOT ILIKE '%Teams.exe%'
AND "Process Name" NOT ILIKE '%zoom.exe%'
AND "Process Name" NOT ILIKE '%Skype.exe%'
AND "Process Name" NOT ILIKE '%slack.exe%'
AND "Process Name" NOT ILIKE '%webex.exe%'
AND "Process Name" NOT ILIKE '%chrome.exe%'
AND "Process Name" NOT ILIKE '%msedge.exe%'
AND "Process Name" NOT ILIKE '%firefox.exe%'
AND "Process Name" NOT ILIKE '%obs64.exe%'
AND "Process Name" NOT ILIKE '%obs32.exe%'
AND "Process Name" NOT ILIKE '%vlc.exe%'
AND "Process Name" NOT ILIKE '%ffmpeg.exe%'
AND "Process Name" NOT ILIKE '%WindowsCamera.exe%'
)
OR
/* Branch 2: Sysmon Event ID 11 - Video file creation in suspicious paths */
(
QIDNAME(qid) ILIKE '%file create%'
AND (
"filename" ILIKE '%.avi'
OR "filename" ILIKE '%.mp4'
OR "filename" ILIKE '%.wmv'
OR "filename" ILIKE '%.mkv'
OR "filename" ILIKE '%.mov'
OR "filename" ILIKE '%.m4v'
OR "filename" ILIKE '%.flv'
)
AND (
"filename" ILIKE '%\AppData\Local\Temp\%'
OR "filename" ILIKE '%\AppData\Roaming\%'
OR "filename" ILIKE '%\ProgramData\%'
OR "filename" ILIKE '%\Users\Public\%'
OR "filename" ILIKE '%\Windows\Temp\%'
)
AND "Process Name" NOT ILIKE '%Teams.exe%'
AND "Process Name" NOT ILIKE '%zoom.exe%'
AND "Process Name" NOT ILIKE '%Skype.exe%'
AND "Process Name" NOT ILIKE '%vlc.exe%'
AND "Process Name" NOT ILIKE '%ffmpeg.exe%'
AND "Process Name" NOT ILIKE '%obs64.exe%'
AND "Process Name" NOT ILIKE '%WindowsCamera.exe%'
)
OR
/* Branch 3: Registry access to camera device keys */
(
QIDNAME(qid) ILIKE '%registry%'
AND (
"filename" ILIKE '%KSCATEGORY_VIDEO_CAMERA%'
OR "filename" ILIKE '%KSCATEGORY_CAPTURE%'
OR "filename" ILIKE '%Camera%'
OR "filename" ILIKE '%Webcam%'
OR "filename" ILIKE '%VideoCapture%'
)
AND "Process Name" NOT ILIKE '%svchost.exe%'
AND "Process Name" NOT ILIKE '%WmiPrvSE.exe%'
AND "Process Name" NOT ILIKE '%Teams.exe%'
AND "Process Name" NOT ILIKE '%zoom.exe%'
)
)
AND devicetime > NOW() - 86400000
ORDER BY devicetime DESC
LIMIT 500

Detects MITRE ATT&CK T1125 (Video Capture) in IBM QRadar by querying Sysmon and Windows Security log sources for three malicious behaviors: loading of the Windows video capture DLLs (avicap32.dll, vfw32.dll, mfreadwrite.dll) by non-media processes, creation of video files in temporary or staging paths, and access to camera-related registry keys. Process context is correlated against a list of known-legitimate media applications to reduce noise from Teams, Zoom, browser-based conferencing, and OBS.
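To make the behaviour of the three WHERE branches and their exclusion lists concrete, the following is an added Python re-implementation of the query's matching logic run over constructed Sysmon-style events. It is example code written for this page, not QRadar's or the rule author's; the Event fields, the process names, the file paths and the registry path in the sample are constructed assumptions, and string handling follows AQL ILIKE semantics (case-insensitive, `%x%` = contains, `%x` = ends with).

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Lists copied from the three WHERE branches of the AQL query above.
CAMERA_DLLS = ("avicap32.dll", "vfw32.dll", "mfreadwrite.dll")
VIDEO_EXTS = (".avi", ".mp4", ".wmv", ".mkv", ".mov", ".m4v", ".flv")
STAGING_PATHS = ("\\AppData\\Local\\Temp\\", "\\AppData\\Roaming\\", "\\ProgramData\\",
                 "\\Users\\Public\\", "\\Windows\\Temp\\")
CAMERA_KEY_TOKENS = ("KSCATEGORY_VIDEO_CAMERA", "KSCATEGORY_CAPTURE", "Camera", "Webcam", "VideoCapture")

# Exclusion (allow) lists, one per branch, exactly as the query applies them.
MEDIA_APPS_IMAGE_LOAD = ("Teams.exe", "zoom.exe", "Skype.exe", "slack.exe", "webex.exe", "chrome.exe",
                         "msedge.exe", "firefox.exe", "obs64.exe", "obs32.exe", "vlc.exe", "ffmpeg.exe",
                         "WindowsCamera.exe")
MEDIA_APPS_FILE_CREATE = ("Teams.exe", "zoom.exe", "Skype.exe", "vlc.exe", "ffmpeg.exe", "obs64.exe",
                          "WindowsCamera.exe")
REGISTRY_EXCLUDED = ("svchost.exe", "WmiPrvSE.exe", "Teams.exe", "zoom.exe")


@dataclass
class Event:
    """Minimal stand-in for a normalised QRadar event (assumed field mapping)."""
    qid_name: str       # QIDNAME(qid), e.g. "Image Load", "File Create", "Registry Value Set"
    process_name: str   # the "Process Name" property
    filename: str       # the "filename" property: loaded image, created file, or registry target


def _contains_any(value: str, needles) -> bool:
    """ILIKE '%needle%' over a list: case-insensitive substring match."""
    v = value.lower()
    return any(n.lower() in v for n in needles)


def _ends_with_any(value: str, suffixes) -> bool:
    """ILIKE '%suffix' over a list: case-insensitive suffix match."""
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def classify(evt: Event) -> Optional[str]:
    """Return the detection_type the query would assign, or None if no WHERE branch matches."""
    q = evt.qid_name.lower()
    # Branch 1: camera DLL loaded by a process that is not a known media application.
    if ("image load" in q and _contains_any(evt.filename, CAMERA_DLLS)
            and not _contains_any(evt.process_name, MEDIA_APPS_IMAGE_LOAD)):
        return "CameraAPILoad"
    # Branch 2: video file created in a staging path by a non-media process.
    if ("file create" in q and _ends_with_any(evt.filename, VIDEO_EXTS)
            and _contains_any(evt.filename, STAGING_PATHS)
            and not _contains_any(evt.process_name, MEDIA_APPS_FILE_CREATE)):
        return "VideoFileCreation"
    # Branch 3: camera-related registry key touched by a process outside the small exclusion list.
    if ("registry" in q and _contains_any(evt.filename, CAMERA_KEY_TOKENS)
            and not _contains_any(evt.process_name, REGISTRY_EXCLUDED)):
        return "CameraRegistryAccess"
    return None


def run_detection(events: List[Event]) -> List[Tuple[str, str]]:
    """Apply the rule to a batch and return (process_name, detection_type) for each hit."""
    hits = []
    for evt in events:
        label = classify(evt)
        if label is not None:
            hits.append((evt.process_name, label))
    return hits


# Constructed sample telemetry modelled on the expected signals in the Testing Methodology section.
SAMPLE_EVENTS = [
    Event("Image Load", "powershell.exe", "C:\\Windows\\System32\\avicap32.dll"),                    # Test 1
    Event("Image Load", "Teams.exe", "C:\\Windows\\System32\\mfreadwrite.dll"),                      # allow-listed
    Event("File Create", "powershell.exe",
          "C:\\Users\\alice\\AppData\\Local\\Temp\\capture_1700000000.avi"),                         # Test 2
    Event("File Create", "powershell.exe", "C:\\Users\\alice\\Videos\\holiday.mp4"),                  # not a staging path
    Event("File Create", "ffmpeg.exe", "C:\\Users\\alice\\AppData\\Local\\Temp\\out.mp4"),           # Test 4, allow-listed
    Event("Registry Value Set", "svchost.exe",
          "HKLM\\SYSTEM\\CurrentControlSet\\Control\\DeviceClasses\\KSCATEGORY_VIDEO_CAMERA\\Device0"),  # excluded
    Event("Registry Value Set", "updater.exe",
          "HKLM\\SYSTEM\\CurrentControlSet\\Control\\DeviceClasses\\KSCATEGORY_VIDEO_CAMERA\\Device0"),  # hit
]

if __name__ == "__main__":
    for proc, label in run_detection(SAMPLE_EVENTS):
        print(f"{label:22s} {proc}")
```

Two things the sample makes visible that the query text alone does not. First, the fifth event reproduces the expected signal of Test 4 (ffmpeg.exe writing an .mp4 into %TEMP%), and it produces no hit, because ffmpeg.exe is on the Branch 2 allow list; if that test is part of your validation, either drop ffmpeg.exe from the exclusion or accept that Branch 2 will not fire on it. Second, Branch 3 matches the symbolic KSCATEGORY_* names, whereas registry telemetry for DeviceClasses keys normally carries the interface-class GUID rather than that name, so confirm what your log source actually renders before relying on that pattern; the broad `%Camera%` and `%Webcam%` tokens are what will carry most of the real matches.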
False Positives & Tuning
- Legitimate enterprise video conferencing tools installed outside their standard program paths may not match the exclusion list patterns and generate false positives on DLL load events
- Automated backup or file-sync software that copies video files from user directories to staging paths (e.g., OneDrive local sync cache in Temp) will match the file creation branch
- IT asset management tools such as SCCM or Tanium performing device hardware enumeration will trigger the registry camera access branch during scheduled inventory cycles
Testing Methodology
Validate this detection against the four adversary techniques below, which follow the Atomic Red Team tests for T1125. Each test lists the behaviour to exercise and the telemetry you should expect to see.
- Test 1: Webcam Access via avicap32.dll (Windows Legacy API)
Expected signal: Sysmon Event ID 7 (Image Load): Image=powershell.exe, ImageLoaded=C:\Windows\System32\avicap32.dll. Sysmon Event ID 1 (Process Create): CommandLine will contain 'avicap32.dll' and 'capCreateCaptureWindowA'. PowerShell Script Block Log Event ID 4104 with the full P/Invoke code.
- Test 2: Video File Creation in Temp Directory Simulation
Expected signal: Sysmon Event ID 11 (File Create): Image=powershell.exe, TargetFilename=C:\Users\<user>\AppData\Local\Temp\capture_<timestamp>.avi. File will contain RIFF header bytes matching AVI format. Sysmon Event ID 1 (Process Create) for the PowerShell process.
- Test 3: Webcam Capture via Python OpenCV (Cross-Platform)
Expected signal: Sysmon Event ID 1 (Process Create): Image=python3.exe (or python.exe), CommandLine contains 'cv2.VideoCapture' and 'imwrite'. Sysmon Event ID 7 (Image Load): opencv_videoio*.dll or _cv2.pyd loaded by python3.exe. Sysmon Event ID 11 (File Create): TargetFilename matching frame_<timestamp>.jpg in %TEMP%.
- Test 4: Webcam Capture Using ffmpeg (Common RAT Dependency)
Expected signal: Sysmon Event ID 1 (Process Create): Image=ffmpeg.exe, CommandLine contains '-f dshow' and '-i video=' and the output .mp4 path in %TEMP%. Sysmon Event ID 11 (File Create): TargetFilename matching *.mp4 in %TEMP% with Image=ffmpeg.exe. DeviceNetworkEvents (KQL) should be clean for this test — ffmpeg does not make network connections in offline capture mode.
References (11)
- https://attack.mitre.org/techniques/T1125/
- https://objective-see.com/blog/blog_0x25.html
- https://learn.microsoft.com/en-us/windows/win32/multimedia/video-capture
- https://learn.microsoft.com/en-us/windows/win32/medfound/microsoft-media-foundation-sdk
- https://www.proofpoint.com/us/threat-insight/post/new-poison-ivy-rat-variant-targets-us-government-employees
- https://securelist.com/the-machete-apt/98121/
- https://blog.talosintelligence.com/2020/04/poetrat-targets-azerbaijan.html
- https://www.group-ib.com/resources/threat-research/silence_moving_into_the_darkside.pdf
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1125/T1125.md
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceimageloadevents-table
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicefileevents-table