← Library
kqlElastic-2.0from elastic/detection-rules

PowerShell Script with Webcam Video Capture Capabilities

Quality
92
FP risk
Forks
0
Views
0
ATT&CK techniques
T1125T1059T1059.001
Rule sourcerules/windows/collection_posh_webcam_video_capture.toml
event.category:process and host.os.type:windows and
  powershell.file.script_block_text : (
    "NewFrameEventHandler" or
    "VideoCaptureDevice" or
    "DirectX.Capture.Filters" or
    "VideoCompressors" or
    "Start-WebcamRecorder" or
    (
      ("capCreateCaptureWindowA" or
       "capCreateCaptureWindow" or
       "capGetDriverDescription") and
      ("avicap32.dll" or "avicap32")
    )
  )