rule:
meta:
name: capture webcam video
namespace: collection/webcam
authors:
- "@johnk3r"
description: Rule that detects a system's webcam being used to capture video
scopes:
static: function
dynamic: thread
att&ck:
- Collection::Video Capture [T1125]
features:
- or:
# static
- and:
- os: windows
- api: capCreateCaptureWindow
- basic block:
- and:
- api: SendMessage
- number: 0x43E = WM_CAP_SEQUENCE
- or:
- basic block:
- and:
- api: SendMessage
- number: 0x417 = WM_CAP_FILE_SAVEAS
- basic block:
- and:
- api: SendMessage
- number: 0x414 = WM_CAP_FILE_SET_CAPTURE_FILE
# dynamic
- and:
- os: windows
- api: capCreateCaptureWindow
- call:
- and:
- api: SendMessage
- number: 0x43E = WM_CAP_SEQUENCE
- or:
- call:
- and:
- api: SendMessage
- number: 0x417 = WM_CAP_FILE_SAVEAS
- call:
- and:
- api: SendMessage
- number: 0x414 = WM_CAP_FILE_SET_CAPTURE_FILE
last edited: 2023-11-24 10:35:03