Which SIEM platforms have a T1125 detection rule?

df00tech provides T1125 (Video Capture) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect Video Capture (T1125)?

Detecting Video Capture requires the following data sources: Driver: Driver Load, Process: Process Creation, File: File Creation, Windows Registry: Windows Registry Key Access, Microsoft Defender for Endpoint.

What severity and confidence is the T1125 detection?

The T1125 detection is rated high severity with medium confidence.

What are common false positives for T1125?

Common false positives for T1125 include: Legitimate video conferencing applications (Zoom, Teams, Webex, Skype) that may not be in the exclusion list if installed to non-default paths; Screen recording and productivity tools (OBS Studio, Camtasia, Loom, ShareX) used by developers or content creators; IT asset management or device inventory tools that enumerate camera hardware through registry keys.

T1125 Sumo Logic CSE · Sumo

Detect Video Capture in Sumo Logic CSE

Adversaries may leverage a computer's peripheral devices (e.g., integrated cameras or webcams) or applications (e.g., video call services) to capture video recordings for the purpose of gathering information. Images may also be captured from devices or applications, potentially in specified intervals, in lieu of video files. Malware or scripts may interact with webcam devices through OS or application APIs such as the Windows Video Capture API (avicap32.dll), DirectShow, Windows Media Foundation, or platform-specific libraries on macOS and Linux. Captured video or image files may be written to disk and exfiltrated later. Threat actors including Transparent Tribe (Crimson RAT), Silence Group, and tools such as Empire, NanoCore, Agent Tesla, and PoetRAT have demonstrated active use of this technique.

MITRE ATT&CK

Tactic: Collection
Technique: T1125 Video Capture
Canonical reference: https://attack.mitre.org/techniques/T1125/

Sumo Detection Query

Sumo Logic CSE (Sumo)

sql

// T1125 - Video Capture Detection
// Branch 1: Camera capture DLL loaded by suspicious process (Sysmon EID 7)
(_sourceCategory="windows/sysmon" OR _sourceCategory="WinEventLog/Sysmon")
| parse xml auto
| where EventID = "7"
| where (
    ImageLoaded matches "*avicap32.dll" OR
    ImageLoaded matches "*vfw32.dll" OR
    ImageLoaded matches "*mfreadwrite.dll"
  )
| where !(Image matches "*Teams.exe" OR
          Image matches "*zoom.exe" OR
          Image matches "*Skype.exe" OR
          Image matches "*slack.exe" OR
          Image matches "*webex.exe" OR
          Image matches "*chrome.exe" OR
          Image matches "*msedge.exe" OR
          Image matches "*firefox.exe" OR
          Image matches "*obs64.exe" OR
          Image matches "*obs32.exe" OR
          Image matches "*vlc.exe" OR
          Image matches "*ffmpeg.exe" OR
          Image matches "*WindowsCamera.exe")
| eval DetectionType = "CameraAPILoad"
| eval SuspiciousIndicator = if(ImageLoaded matches "*avicap32*", "LegacyCaptureAPI",
    if(ImageLoaded matches "*vfw32*", "VideoForWindowsAPI",
    if(ImageLoaded matches "*mfreadwrite*", "MediaFoundationWrite", "UnknownDLL")))
| fields _messageTime, Computer, User, Image, CommandLine, ParentImage, ImageLoaded, DetectionType, SuspiciousIndicator

// ---- UNION Branch 2 ----
// Run separately or use subquery union:
// (_sourceCategory="windows/sysmon")
// | parse xml auto
// | where EventID = "11"
// | where (
//     TargetFilename matches "*.avi" OR TargetFilename matches "*.mp4" OR
//     TargetFilename matches "*.wmv" OR TargetFilename matches "*.mkv" OR
//     TargetFilename matches "*.mov" OR TargetFilename matches "*.m4v" OR
//     TargetFilename matches "*.flv"
//   )
// | where (
//     TargetFilename matches "*\AppData\Local\Temp\*" OR
//     TargetFilename matches "*\AppData\Roaming\*" OR
//     TargetFilename matches "*\ProgramData\*" OR
//     TargetFilename matches "*\Users\Public\*" OR
//     TargetFilename matches "*\Windows\Temp\*"
//   )
// | where !(Image matches "*Teams.exe" OR Image matches "*zoom.exe" OR
//           Image matches "*Skype.exe" OR Image matches "*vlc.exe" OR
//           Image matches "*ffmpeg.exe" OR Image matches "*WindowsCamera.exe")
// | eval DetectionType = "VideoFileCreation"
// | eval SuspiciousIndicator = "VideoFileInSuspiciousPath"
// | fields _messageTime, Computer, User, Image, CommandLine, ParentImage, TargetFilename as SuspiciousFile, DetectionType, SuspiciousIndicator

| sort by _messageTime desc
| count by Computer, User, Image, CommandLine, DetectionType, SuspiciousIndicator

high severity medium confidence

Detects MITRE ATT&CK T1125 (Video Capture) in Sumo Logic using Sysmon XML event logs. Primary query targets Sysmon Event ID 7 (Image Load) for camera capture DLL loads (avicap32.dll, vfw32.dll, mfreadwrite.dll) by processes not in the known-legitimate media application list. A commented secondary query block covers Sysmon EID 11 (File Create) for video file creation in suspicious temp/staging directories. Combine via subquery union for unified alerting. Detects tools like Crimson RAT, NanoCore, Agent Tesla, and Empire's video capture modules.

Data Sources

Sumo Logic Cloud SIEMWindows Sysmon (via Sumo Logic Installed Collector)Windows Event Log collection

Required Tables

windows/sysmonWinEventLog/Sysmon

False Positives & Tuning

Legitimate screen capture or remote desktop software (e.g., AnyDesk, TeamViewer) that loads avicap32.dll for desktop sharing functionality when not in the exclusion list will generate alerts
Video conversion or transcoding utilities (e.g., HandBrake, ffprobe) writing output to temporary directories during automated media processing pipelines
Browser plugins or Electron-based applications (Slack, Discord) loading media DLLs from non-standard installation directories not matching the exclusion path patterns

Download portable Sigma rule (.yml)

Other platforms for T1125

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1Webcam Access via avicap32.dll (Windows Legacy API)
Expected signal: Sysmon Event ID 7 (Image Load): Image=powershell.exe, ImageLoaded=C:\Windows\System32\avicap32.dll. Sysmon Event ID 1 (Process Create): CommandLine will contain 'avicap32.dll' and 'capCreateCaptureWindowA'. PowerShell Script Block Log Event ID 4104 with the full P/Invoke code.
Test 2Video File Creation in Temp Directory Simulation
Expected signal: Sysmon Event ID 11 (File Create): Image=powershell.exe, TargetFilename=C:\Users\<user>\AppData\Local\Temp\capture_<timestamp>.avi. File will contain RIFF header bytes matching AVI format. Sysmon Event ID 1 (Process Create) for the PowerShell process.
Test 3Webcam Capture via Python OpenCV (Cross-Platform)
Expected signal: Sysmon Event ID 1 (Process Create): Image=python3.exe (or python.exe), CommandLine contains 'cv2.VideoCapture' and 'imwrite'. Sysmon Event ID 7 (Image Load): opencv_videoio*.dll or _cv2.pyd loaded by python3.exe. Sysmon Event ID 11 (File Create): TargetFilename matching frame_<timestamp>.jpg in %TEMP%.
Test 4Webcam Capture Using ffmpeg (Common RAT Dependency)
Expected signal: Sysmon Event ID 1 (Process Create): Image=ffmpeg.exe, CommandLine contains '-f dshow' and '-i video=' and the output .mp4 path in %TEMP%. Sysmon Event ID 11 (File Create): TargetFilename matching *.mp4 in %TEMP% with Image=ffmpeg.exe. DeviceNetworkEvents (KQL) should be clean for this test — ffmpeg does not make network connections in offline capture mode.

Last updated: 2026-04-18 Research depth: deep

References (11)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1125 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Related Techniques

T1123Audio Capture T1113Screen Capture T1056.001Keylogging T1041Exfiltration Over C2 Channel T1105Ingress Tool Transfer T1566.001Spearphishing Attachment T1074.001Local Data Staging T1560Archive Collected Data T1027Obfuscated Files or Information

Detect Video Capture in Sumo Logic CSE

MITRE ATT&CK

Sumo Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for T1125

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Related Techniques

Same Tactic: Collection

Popular Detections

MITRE ATT&CK

Sumo Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for T1125

Testing Methodology

Unlock Pro Content

Related Detections

Related Techniques

Same Tactic: Collection

Popular Detections

Get new detections in your inbox