Skip to content

DET0197 Behavior-chain, platform-aware detection strategy for T1125 Video Capture

Item Value
ID DET0197
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1125 (Video Capture)

Analytics

Windows

AN0568

A non-standard process (or script-hosted process) loads camera/video-capture libraries (e.g., avicap32.dll, mf.dll, ksproxy.ax), opens the Camera Frame Server/device, writes video/image artifacts (e.g., .mp4/.avi/.yuv) to unusual locations, and optionally initiates outbound transfer shortly after.

Log Sources
Data Component Name Channel
Process Creation (DC0032) WinEventLog:Sysmon EventCode=1
Network Connection Creation (DC0082) WinEventLog:Sysmon EventCode=3, 22
Module Load (DC0016) WinEventLog:Sysmon EventCode=7
File Creation (DC0039) WinEventLog:Sysmon EventCode=11
OS API Execution (DC0021) WinEventLog:Security EventCode=4663, 4670, 4656
Process Metadata (DC0034) WinEventLog:Microsoft-Windows-Windows Camera Frame Server/Operational Process session start/stop events for camera pipeline by unexpected executables
Mutable Elements
Field Description
TimeWindow Correlation window (e.g., 0–20 minutes) between device access, file creation, and egress.
AllowedProcesses Known legitimate camera consumers (e.g., Teams.exe, zoom.exe, obs64.exe) to suppress.
VideoExtensions List of extensions to flag (.mp4, .avi, .mov, .yuv, .mkv, .h264) – tune for your estate.
RarePathRegex Regex for unusual storage locations (e.g., %TEMP%*, C:\Windows\Tasks*, user profile hidden dirs).
MinFileSizeMB Minimum size to reduce FP from thumbnails/snapshots.
ParentProcessAllowList Service/agent parents permitted to broker camera access.

Linux

AN0569

A process opens/reads /dev/video* (V4L2), performs ioctl/read loops, writes large/continuous video artifacts to disk, and/or quickly establishes outbound connections for exfiltration.

Log Sources
Data Component Name Channel
OS API Execution (DC0021) auditd:SYSCALL openat/read/ioctl: openat/read/ioctl on /dev/video* by uncommon user/process
File Access (DC0055) auditd:SYSCALL PATH records referencing /dev/video*
Process Metadata (DC0034) linux:osquery select: path LIKE ‘/dev/video%’
Command Execution (DC0064) linux:syslog sudo execution of ffmpeg/gst-launch/v4l2-ctl by non-standard user
Network Traffic Content (DC0085) NSM:Flow http/file-xfer: Outbound transfer of large video-like MIME types soon after capture
Mutable Elements
Field Description
SyscallSet Which syscalls to audit (openat, read, ioctl) – performance sensitive.
AllowedCallers Legitimate processes (e.g., motion, Zoom, Chrome) that access /dev/video*.
VideoExtensions List of file extensions to flag (.mp4/.avi/.mov/.mkv/.yuv/.h264).
MinContinuousReadCount Minimum read/ioctl count to infer continuous capture.
TimeWindow Correlate device open → file write → network exfil (e.g., 30m).

macOS

AN0570

A non-whitelisted process receives TCC camera entitlement (kTCCServiceCamera), opens AppleCamera/AVFoundation device handles, writes .mov/.mp4 artifacts to unusual locations, and/or beacons/exfiltrates soon after.

Log Sources
Data Component Name Channel
OS API Execution (DC0021) macos:unifiedlog Access decisions to kTCCServiceCamera for unexpected binaries
File Access (DC0055) macos:endpointsecurity open: Process opens AppleCamera/IOUSB device nodes or AVFoundation frameworks
Process Creation (DC0032) macos:endpointsecurity exec: Exec of ffmpeg, avfoundation-based binaries, or custom signed apps accessing camera
File Creation (DC0039) macos:unifiedlog Process wrote large .mov/.mp4 in user temp/hidden dirs
Mutable Elements
Field Description
TCCAllowList Legitimate apps (Zoom, Teams, FaceTime) that are permitted to camera.
VideoExtensions Mov/mp4/mkv/yuv etc., tuned to environment workloads.
TimeWindow Correlation between TCC grant → file write → network egress.
MinFileSizeMB Reduce FP from thumbnails/snapshots.
LaunchAgentPaths Allowed persistence paths to reduce false positives when correlating with persistence.