title: Video Capture (T1125)
id: df00tech-t1125
status: experimental
description: "Adversaries may leverage a computer's peripheral devices (e.g., integrated cameras or webcams) or applications (e.g., video call services) to capture video recordings for the purpose of gathering information. Images may also be captured from devices or applications, potentially in specified intervals, in lieu of video files. Malware or scripts may interact with webcam devices through OS or application APIs such as the Windows Video Capture API (avicap32.dll), DirectShow, Windows Media Foundation, or platform-specific libraries on macOS and Linux. Captured video or image files may be written to disk and exfiltrated later. Threat actors including Transparent Tribe (Crimson RAT), Silence Group, and tools such as Empire, NanoCore, Agent Tesla, and PoetRAT have demonstrated active use of this technique."
references:
  - https://attack.mitre.org/techniques/T1125/
  - https://df00tech.com/detections/T1125
author: df00tech
date: 2026/04/18
tags:
  - attack.t1125
# NOTE: logsource is auto-derived and may need adjustment for your environment.
# The description points at DLL loads (avicap32.dll and the DirectShow / Media Foundation
# libraries) and the false positives at camera enumeration through registry keys, so
# image_load and registry_event sources are likely closer to the intended telemetry than
# process_creation alone.
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # The selection below is a placeholder: EventID '*' is a wildcard that matches every
  # event in the logsource, so at level high this rule would fire on all process creations.
  # Do not deploy it until the selection is replaced with the real query logic.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Legitimate video conferencing applications (Zoom, Teams, Webex, Skype) that may not be in the exclusion list if installed to non-default paths
  - Screen recording and productivity tools (OBS Studio, Camtasia, Loom, ShareX) used by developers or content creators
  - IT asset management or device inventory tools that enumerate camera hardware through registry keys
  - Security camera management software or driver update utilities that interact with webcam device APIs
  - Development/testing environments where developers are building applications that interact with webcam APIs
level: high
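To check a Sigma rule against sample telemetry before it reaches a SIEM, the following Python evaluator (an added example, not the df00tech rule's own logic or any code from the page) applies selection/filter maps with Sigma wildcard and modifier semantics to a few constructed Sysmon-style events. It shows that the placeholder `EventID: '*'` above fires on every event, and contrasts it with a hypothetical tightened rule (an assumption for illustration: an image_load selection on avicap32.dll with a path-based filter for conferencing clients, matching the first false-positive entry above) that also exposes why a filter keyed on a field the event may lack suppresses nothing. The event values, install paths and the tightened rule are constructed.

```python
"""Offline evaluator for Sigma-style detection maps.

Added example: evaluates a rule's selection/filter maps against constructed
events so a placeholder like `EventID: '*'` can be shown to fire on everything
before the rule reaches a SIEM. Sample events and the tightened rule are
assumptions for illustration, not df00tech's published logic.
"""
import fnmatch

# Constructed Sysmon-style events (not real telemetry). EventID 1 is process
# creation, EventID 7 is image load; fields mirror Sigma's Sysmon field names.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": "C:\\Windows\\System32\\svchost.exe"},
    {"EventID": 7, "Image": "C:\\Program Files\\Microsoft\\Teams\\current\\Teams.exe",
     "ImageLoaded": "C:\\Windows\\System32\\avicap32.dll"},
    {"EventID": 7, "Image": "C:\\Users\\alice\\AppData\\Roaming\\Zoom\\bin\\Zoom.exe",
     "ImageLoaded": "C:\\Windows\\System32\\avicap32.dll"},
    {"EventID": 7, "Image": "C:\\Users\\Public\\update.exe",
     "ImageLoaded": "C:\\Windows\\System32\\avicap32.dll"},
]

# The placeholder from the rule above: a bare wildcard on EventID.
PLACEHOLDER_RULE = {"selection": {"EventID": "*"}, "condition": "selection"}

# Hypothetical tightened rule (assumption): flag loads of avicap32.dll and
# exclude conferencing clients by install path. Paths are illustrative only.
TIGHTENED_RULE = {
    "selection": {"EventID": 7, "ImageLoaded|endswith": "\\avicap32.dll"},
    "filter": {"Image|startswith": [
        "C:\\Program Files\\Microsoft\\Teams\\",
        "C:\\Users\\*\\AppData\\Roaming\\Zoom\\",
    ]},
    "condition": "selection and not filter",
}


def _to_pattern(field_spec, value):
    """Turn 'Field|modifier' plus a value into (field, wildcard pattern)."""
    field, _, modifier = field_spec.partition("|")
    value = str(value)
    if modifier == "contains":
        value = "*" + value + "*"
    elif modifier == "startswith":
        value = value + "*"
    elif modifier == "endswith":
        value = "*" + value
    elif modifier:
        raise ValueError("unsupported modifier: " + modifier)
    return field, value


def _match_value(pattern, value):
    """Sigma string match: case-insensitive, '*' and '?' wildcards.
    A field missing from the event never matches (Sigma 'null' handling omitted)."""
    if value is None:
        return False
    return fnmatch.fnmatchcase(str(value).lower(), pattern.lower())


def match_selection(selection, event):
    """All fields in a selection map must match (AND); a list of values is OR."""
    for field_spec, values in selection.items():
        if not isinstance(values, list):
            values = [values]
        hit = False
        for v in values:
            field, pattern = _to_pattern(field_spec, v)
            if _match_value(pattern, event.get(field)):
                hit = True
                break
        if not hit:
            return False
    return True


def evaluate(rule, event):
    """Evaluate a flat condition ('a', 'not a', 'a and not b', 'a or b');
    'and' binds tighter than 'or', parentheses are not supported."""
    results = {name: match_selection(sel, event)
               for name, sel in rule.items() if name != "condition"}

    def term(token):
        token = token.strip()
        if token.startswith("not "):
            return not results[token[4:].strip()]
        return results[token]

    return any(all(term(t) for t in clause.split(" and "))
               for clause in rule["condition"].split(" or "))


def matching_images(rule, events):
    """Return the Image of every event the rule fires on, in input order."""
    return [e.get("Image") for e in events if evaluate(rule, e)]


if __name__ == "__main__":
    print("placeholder fires on", len(matching_images(PLACEHOLDER_RULE, SAMPLE_EVENTS)),
          "of", len(SAMPLE_EVENTS), "events")
    print("tightened fires on", matching_images(TIGHTENED_RULE, SAMPLE_EVENTS))
```

Running the block reports the placeholder firing on all four constructed events and the tightened rule firing only on the unsigned-looking `update.exe` load. The evaluator is a sanity check, not a backend: it supports only the `contains`, `startswith` and `endswith` modifiers and flat `and`/`or`/`not` conditions, and it deliberately lets a filter on a missing `Image` field fall through, because that is the behaviour a real query will show when telemetry is incomplete.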
