# T1125 Video Capture

-----------------------------------------------------------------------

## Technique Description

An adversary can leverage a computer's peripheral devices (e.g., integrated cameras or webcams) or applications (e.g., video call services) to capture video recordings for the purpose of gathering information. Images may also be captured from devices or applications, potentially in specified intervals, in lieu of video files.

Malware or scripts may be used to interact with the devices through an available API provided by the operating system or an application to capture video or images. Video or image files may be written to disk and exfiltrated later. This technique differs from [Screen Capture](https://attack.mitre.org/techniques/T1113) due to use of specific devices or applications for video recording rather than capturing the victim's screen.

In macOS, there are a few different malware samples that record the user's webcam, such as FruitFly and Proton. (Citation: objective-see 2017 review)

## Technique Detection

Detection of this technique may be difficult due to the various APIs that may be used. Telemetry data regarding API use may not be useful depending on how a system is normally used, but may provide context to other potentially malicious activity occurring on a system.

Behavior that could indicate technique use includes an unknown or unusual process accessing APIs associated with devices or software that interact with the video camera, recording devices, or recording software, and a process periodically writing files to disk that contain video or camera image data.

-----------------------------------------------------------------------

### Tactics:

  * Collection

### Platforms:

  * Windows

  * macOS

  * Linux

### Adversary Required Permissions:

  * User

### Data Sources:

  * **Process:** OS API Execution

  * **Command:** Command Execution

-----------------------------------------------------------------------

### Adversarial usage:

| Adversary Group |  Adversarial Usage |
|----|----|
| Silence | [Silence](https://attack.mitre.org/groups/G0091) has been observed making videos of victims to observe bank employees' day-to-day activities.(Citation: SecureList Silence Nov 2017)(Citation: Group IB Silence Sept 2018) |
| FIN7 | [FIN7](https://attack.mitre.org/groups/G0046) created a custom video recording capability that could be used to monitor operations in the victim's environment.(Citation: FireEye FIN7 Aug 2018)(Citation: DOJ FIN7 Aug 2018) |

-----------------------------------------------------------------------

## Mitre References

  * [Mitre-Attack](https://attack.mitre.org/techniques/T1125)

  * [Capec](https://capec.mitre.org/data/definitions/634.html)

  * [Objective-See 2017 Review](https://objective-see.com/blog/blog_0x25.html), Patrick Wardle. (n.d.). Retrieved March 20, 2018.

> *Note: Do not edit this cell with information you want to keep. This cell will be wiped when the update script is ran. Store permanent information in one of the relevant cells below*

*Last pulled from Mitre on: 23 June 2022*



-----------------------------------------------------------------------

## Metadata

  * **Last Updated Date:** 8 July 2021

  * **Author(s):** SSgt Johnathan Smith, SSgt John Beres

  * **Validated:** NO

-----------------------------------------------------------------------

## Overall Hypothesis

- An adversary will leverage a computer's peripheral devices or applications to capture video recordings for the purpose of gathering information

## Adversary Examples

| Adversary Specific Examples | Host Analytics | Network Analytics |
|-----------------------------|----------------|-------------------|
| Example APT/Threat actor | 1, 2 | 2, 3, 5|

#### Turla
- Empire (used by Turla) can capture webcam data on Windows and macOS systems.
- Kazuar captures images from the webcam.

## Detection Blindspots

- Detection of this technique may be difficult due to the various APIs that may be used. Telemetry data regarding API use may not be useful depending on how a system is normally used, but may provide context to other potentially malicious activity occurring on a system.

## Analytical References

  * [Empire Project (github)](https://github.com/EmpireProject/Empire)
  * [Kazuar Multiplatform Espionage Backdoor API Access (paloaltonetworks)](https://unit42.paloaltonetworks.com/unit42-kazuar-multiplatform-espionage-backdoor-api-access/)

-----------------------------------------------------------------------

## Host Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Behavior that could indicate technique use includes an unknown or unusual process accessing APIs associated with devices or software that interact with the video camera, recording devices, or recording software, and a process periodically writing files to disk that contain video or camera image data.

#### Analytic 1

  * **Information:** Monitor for powershell cmdlets for capturing video

  * **Source:** Windows Audits, Sysmon

  * **Tool:**  Kibana

  * **Notes:**  

  * **Query:** ```event.code : 4104```

#### Analytic 2

  * **Information:** Monitor for video files written to disk.

  * **Source:** Windows Audits, Sysmon

  * **Tool:**  Kibana

  * **Notes:** Sysmon Event ID 11 (FileCreate) records the written file in `TargetFilename` (mapped to `file.path` below; `winlog.event_data.TargetFilename` if the index keeps raw Sysmon field names). `image` is the writing process, not the file, so the original query matched the wrong field, and the bare `*.mov or ...` terms were not scoped to any field; grouping the extensions in parentheses matches each one against the path.

  * **Query:** ```event.code : 11 and file.path : (*.mp4 or *.mov or *.wmv or *.flv or *.avi or *.avchd or *.webm or *.mkv)```

#### Analytic 3

  * **Information:** The command "camshot" creates a Window called "WebCapt" to capture an image from an attached webcam, which it copies to the clipboard and writes to a specified file or a file following the same format from the "scrshot" command. The file is uploaded to the C2 server.

  * **Source:** Windows Audits, Sysmon

  * **Tool:**  Kibana

  * **Notes:**  

  * **Query:** ```event.code : 24```
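
As an added example (not code from this playbook, MITRE, or the tools named above), the Python below runs the logic of Analytics 1 and 2 and the hunter note's "periodically writing files" pattern over constructed Sysmon and PowerShell events. It assumes ECS-style field names (`event.code`, `file.path`, `process.name`, `powershell.file.script_block_text`), a constructed capture-API keyword list and a constructed process allowlist; adjust all three to your index and environment.

```python
from collections import defaultdict
from datetime import datetime

VIDEO_EXT = (".mp4", ".mov", ".wmv", ".flv", ".avi", ".avchd", ".webm", ".mkv")
# Assumed keyword list: strings that tend to appear when a script drives a webcam.
CAPTURE_HINTS = ("avicap32", "capcreatecapturewindow", "mediacapture", "webcam")
# Constructed allowlist of processes expected to write video in this environment.
KNOWN_WRITERS = {"teams.exe", "zoom.exe", "obs64.exe"}

def make_event(ts, code, proc, field, value):  # ECS-style field names are an assumption
    return {"@timestamp": ts, "event.code": code, "process.name": proc, field: value}

SAMPLE_EVENTS = [  # constructed telemetry for the demo, not real logs
    make_event("2022-06-23T10:00:00", "4104", "powershell.exe", "powershell.file.script_block_text",
               "[DllImport('avicap32.dll')] ... capCreateCaptureWindowA"),
    make_event("2022-06-23T10:00:05", "11", "updater.exe", "file.path", r"C:\Users\Public\cap_001.avi"),
    make_event("2022-06-23T10:00:35", "11", "updater.exe", "file.path", r"C:\Users\Public\cap_002.avi"),
    make_event("2022-06-23T10:01:05", "11", "updater.exe", "file.path", r"C:\Users\Public\cap_003.avi"),
    make_event("2022-06-23T10:01:10", "11", "Teams.exe", "file.path", r"C:\Users\alice\Videos\meeting.mp4"),
]

def check_event(e):
    """Analytics 1 and 2 as per-event checks; returns a finding string or None."""
    code = e.get("event.code")
    if code == "4104":  # PowerShell script block logging
        text = e.get("powershell.file.script_block_text", "").lower()
        hits = [h for h in CAPTURE_HINTS if h in text]
        return f"4104 script block references capture API: {hits}" if hits else None
    if code == "11":  # Sysmon FileCreate
        path, proc = e.get("file.path", "").lower(), e.get("process.name", "").lower()
        if path.endswith(VIDEO_EXT) and proc not in KNOWN_WRITERS:
            return f"video file written by unexpected process {proc}: {path}"
    return None

def periodic_writers(events, min_files=3, max_jitter=5.0):
    """Flag processes whose video-file writes recur at a near-constant interval."""
    by_proc = defaultdict(list)
    for e in events:
        if e.get("event.code") == "11" and e.get("file.path", "").lower().endswith(VIDEO_EXT):
            by_proc[e["process.name"]].append(datetime.fromisoformat(e["@timestamp"]))
    flagged = []
    for proc, stamps in sorted(by_proc.items()):
        s = sorted(stamps)
        gaps = [(b - a).total_seconds() for a, b in zip(s, s[1:])]
        if len(s) >= min_files and max(gaps) - min(gaps) <= max_jitter:
            flagged.append(proc)
    return flagged

def triage(events):
    """Combine the per-event findings with the periodicity check over a batch."""
    findings = [f for f in map(check_event, events) if f]
    return findings + [f"periodic video writes by {p}" for p in periodic_writers(events)]
```

The 30-second cadence of `updater.exe` in the sample is what `periodic_writers` catches; a single meeting recording by an allowlisted client produces no finding.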

-----------------------------------------------------------------------

## Network Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Information Here

#### Analytic 1

  * **Information:** 'Comments'

  * **Source:** 'ex Windows Audits, Sysmon'

  * **Tool:** 'Arkime, Kibana, Autopsy'

  * **Notes:** 'Various notes to assist with hunting.'

  * **Query:** ```Input your query here```

#### Analytic 2

  * **Information:** 'Comments'

  * **Source:** 'ex Windows Audits, Sysmon'

  * **Tool:** 'Arkime, Kibana, Autopsy'

  * **Notes:** 'Various notes to assist with hunting.'

  * **Query:** ```Input your query here```

