Common Information
Type | Value |
---|---|
Value | Video Capture - T1125 |
Category | Attack-Pattern |
Type | Mitre-Enterprise-Attack-Attack-Pattern |
Misp Type | Cluster |
Description | An adversary can leverage a computer's peripheral devices (e.g., integrated cameras or webcams) or applications (e.g., video call services) to capture video recordings for the purpose of gathering information. Images may also be captured from devices or applications, potentially at specified intervals, in lieu of video files. Malware or scripts may be used to interact with the devices through an available API provided by the operating system or an application to capture video or images. Video or image files may be written to disk and exfiltrated later. This technique differs from Screen Capture due to the use of specific devices or applications for video recording rather than capturing the victim's screen. On macOS, there are a few different malware samples that record the user's webcam, such as FruitFly and Proton. (Citation: objective-see 2017 review) Detection: Detection of this technique may be difficult due to the various APIs that may be used. Telemetry data regarding API use may not be useful depending on how a system is normally used, but may provide context to other potentially malicious activity occurring on a system. Behaviors that could indicate use of this technique include an unknown or unusual process accessing APIs associated with devices or software that interact with the video camera, recording devices, or recording software, and a process periodically writing files to disk that contain video or camera image data. Platforms: Windows, macOS. Data Sources: Process monitoring, File monitoring, API monitoring. Permissions Required: User. Contributors: Praetorian |
Details | Published | Attributes | CTI | Title | ||
---|---|---|---|---|---|---|
Details | Website | 2022-08-16 | 11 | AsyncRAT C2 Framework: Overview, Technical Analysis & Detection | Qualys Security Blog | ||
Details | Website | 2022-07-26 | 60 | Mandiant Red Team Emulates FIN11 Tactics To Control Operational Technology Servers | Mandiant | ||
Details | Website | 2022-07-07 | 26 | NoMercy Stealer Adding New Features | ||
Details | Website | 2022-04-27 | 202 | A lookback under the TA410 umbrella: Its cyberespionage TTPs and activity | WeLiveSecurity | ||
Details | Website | 2022-02-02 | 27 | Catching the RAT called Agent Tesla | Qualys Security Blog | ||
Details | Website | 2021-12-16 | 36 | Threat Thursday: Warzone RAT Breeds a Litter of ScriptKiddies | ||
Details | Website | 2021-11-18 | 30 | BlackMatter, LockBit, and THOR | ||
Details | Website | 2021-07-09 | 193 | BIOPASS RAT New Malware Sniffs Victims via Live Streaming | ||
Details | Website | 2021-07-09 | 176 | BIOPASS RAT New Malware Sniffs Victims via Live Streaming | ||
Details | Website | 2021-04-14 | 56 | HydroJiin Malware Campaign | ThreatLabZ | Zscaler Blog | ||
Details | Website | 2021-01-12 | 70 | Operation Spalax: Targeted malware attacks in Colombia | WeLiveSecurity | ||
Details | Website | 2020-10-27 | 10 | The Increase in Activity of the Remote Access Trojan - Cyberint | ||
Details | Website | 2020-08-28 | 131 | Gozi: The Malware with a Thousand Faces - Check Point Research | ||
Details | Website | 2020-06-18 | 76 | Digging up InvisiMole’s hidden arsenal | WeLiveSecurity | ||
Details | Website | 2019-08-01 | 53 | From Carnaval to Cinco de Mayo – The journey of Amavaldo | WeLiveSecurity | ||
Details | Website | 2019-04-25 | 1 | CARBANAK Week Part Four: The CARBANAK Desktop Video Player | Mandiant | ||
Details | Website | 2018-11-30 | 0 | The 25th anniversary of the webcam: What did it bring us? | Malwarebytes Labs | ||
Details | Website | 2018-10-16 | 7 | How to build your own motion-activated security camera | Malwarebytes Labs | ||
Details | Website | 2017-10-19 | 1 | Nintendo Switch firmware 4.0.0 released - Wololo.net | ||
Details | Website | 2017-06-14 | 7 | Review: Svpro 3D Camera - for Android and Raspberry Pi | ||
Details | Website | 2017-06-12 | 6 | Behind the CARBANAK Backdoor | Mandiant | ||
Details | Website | 2017-03-23 | 37 | If you download Minecraft mods from Google Play, read on … | WeLiveSecurity | ||
Details | Website | 2017-02-22 | 6 | Spear Phishing Techniques Used in Attacks Targeting the Mongolian Government | Mandiant | ||
Details | Website | 2017-01-01 | 43 | Mac Malware of 2016 | ||
Details | Website | 2015-06-11 | 45 | Evilgrab Delivered by Watering Hole Attack on President of Myanmar’s Website |