capture-webcam-video.yml

rule:
  meta:
    name: capture webcam video
    namespace: collection/webcam
    authors:
      - "@johnk3r"
    description: Rule that detects a system's webcam being used to capture video
    scopes:
      static: function
      dynamic: thread
    att&ck:
      - Collection::Video Capture [T1125]
  features:
    - or:
      # static
      - and:
        - os: windows
        - api: capCreateCaptureWindow
        - basic block:
          - and:
            - api: SendMessage
            - number: 0x43E = WM_CAP_SEQUENCE
        - or:
          - basic block:
            - and:
              - api: SendMessage
              - number: 0x417 = WM_CAP_FILE_SAVEAS
          - basic block:
            - and:
              - api: SendMessage
              - number: 0x414 = WM_CAP_FILE_SET_CAPTURE_FILE
      # dynamic
      - and:
        - os: windows
        - api: capCreateCaptureWindow
        - call:
          - and:
            - api: SendMessage
            - number: 0x43E = WM_CAP_SEQUENCE
        - or:
          - call:
            - and:
              - api: SendMessage
              - number: 0x417 = WM_CAP_FILE_SAVEAS
          - call:
            - and:
              - api: SendMessage
              - number: 0x414 = WM_CAP_FILE_SET_CAPTURE_FILE