LoFP / administrators may execute this powershell command to get hardware information related to camera on $dest$.

Techniques

• T1592.001

Sample rules

Windows Gather Victim Host Information Camera

• source: splunk
• technicques:
  • T1592.001

Description

The following analytic detects a PowerShell script that enumerates camera devices on the targeted host. This detection leverages PowerShell Script Block Logging, specifically looking for commands querying Win32_PnPEntity for camera-related information. This activity is significant as it is commonly observed in DCRat malware, which collects camera data to send to its command-and-control server. If confirmed malicious, this behavior could indicate an attempt to gather sensitive visual information from the host, potentially leading to privacy breaches or further exploitation.

Detection logic

`powershell` EventCode=4104 ScriptBlockText= "* Win32_PnPEntity *" ScriptBlockText= "*SELECT*" ScriptBlockText= "*WHERE*" ScriptBlockText = "*PNPClass*" ScriptBlockText IN ("*Image*", "*Camera*")
  
| fillnull
  
| stats count min(_time) as firstTime max(_time) as lastTime
    BY dest signature signature_id
       user_id vendor_product EventID
       Guid Opcode Name
       Path ProcessID ScriptBlockId
       ScriptBlockText
  
| `security_content_ctime(firstTime)`
  
| `security_content_ctime(lastTime)`
  
| `windows_gather_victim_host_information_camera_filter`