Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Поиск
Вход Регистрация
MITRE ATT&CK - Техника Захват видеоданных
EN
Риски
Каталоги
MITRE ATT&CK
Техника
Захват видеоданных
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Захват видеоданных

An adversary can leverage a computer's peripheral devices (e.g., integrated cameras or webcams) or applications (e.g., video call services) to capture video recordings for the purpose of gathering information. Images may also be captured from devices or applications, potentially in specified intervals, in lieu of video files. Malware or scripts may be used to interact with the devices through an available API provided by the operating system or an application to capture video or images. Video or image files may be written to disk and exfiltrated later. This technique differs from Screen Capture due to use of specific devices or applications for video recording rather than capturing the victim's screen. In macOS, there are a few different malware samples that record the user's webcam such as FruitFly and Proton. (Citation: objective-see 2017 review)

ID: T1125
Тактика(-и): Collection
Платформы: Linux, Windows, macOS
Источники данных: Command: Command Execution, Process: OS API Execution
Версия: 1.2
Дата создания: 31 May 2017
Последнее изменение: 25 Apr 2025

Примеры процедур
Название Описание
EvilGrab

EvilGrab has the capability to capture video from a victim machine.(Citation: PWC Cloud Hopper Technical Annex April 2017)
Crimson

Crimson can capture webcam video on targeted systems.(Citation: Proofpoint Operation Transparent Tribe March 2016)(Citation: Kaspersky Transparent Tribe August 2020)
Empire

Empire can capture webcam data on Windows and macOS systems.(Citation: Github PowerShell Empire)
Machete

Machete takes photos from the computer’s web camera.(Citation: Securelist Machete Aug 2014)(Citation: Cylance Machete Mar 2017)(Citation: 360 Machete Sep 2020)
PcShare

PcShare can capture camera video as part of its collection process.(Citation: Bitdefender FunnyDream Campaign November 2020)
InvisiMole

InvisiMole can remotely activate the victim’s webcam to capture content.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020)
Kazuar

Kazuar captures images from the webcam.(Citation: Unit 42 Kazuar May 2017)
DarkComet

DarkComet can access the victim’s webcam to take pictures.(Citation: TrendMicro DarkComet Sept 2014)(Citation: Malwarebytes DarkComet March 2018)
ObliqueRAT

ObliqueRAT can capture images from webcams on compromised hosts.(Citation: Talos Oblique RAT March 2021)
AsyncRAT

AsyncRAT can record screen content on targeted systems.(Citation: AsyncRAT GitHub)
Clambling

Clambling can record screen content in AVI format.(Citation: Trend Micro DRBControl February 2020)(Citation: Talent-Jump Clambling February 2020)
Agent Tesla

Agent Tesla can access the victim’s webcam and record video.(Citation: DigiTrust Agent Tesla Jan 2017)(Citation: Talos Agent Tesla Oct 2018)
Remcos

Remcos can access a system’s webcam and take pictures.(Citation: Fortinet Remcos Feb 2017)
Bandook

Bandook has modules that are capable of capturing video from a victim's webcam.(Citation: EFF Manul Aug 2016)
ConnectWise

ConnectWise can record video on remote hosts.(Citation: Anomali Static Kitten February 2021)
T9000

T9000 uses the Skype API to record audio and video calls. It writes encrypted data to %APPDATA%\Intel\Skype.(Citation: Palo Alto T9000 Feb 2016)
Imminent Monitor

Imminent Monitor has a remote webcam monitoring capability.(Citation: Imminent Unit42 Dec2019)(Citation: QiAnXin APT-C-36 Feb2019)
SDBbot

SDBbot has the ability to record video on a compromised host.(Citation: Proofpoint TA505 October 2019)(Citation: IBM TA505 April 2020)
Derusbi

Derusbi is capable of capturing video.(Citation: FireEye Periscope March 2018)
Cobian RAT

Cobian RAT has a feature to access the webcam on the victim’s machine.(Citation: Zscaler Cobian Aug 2017)
NanoCore

NanoCore can access the victim's webcam and capture data.(Citation: DigiTrust NanoCore Jan 2017)(Citation: PaloAlto NanoCore Feb 2016)
TajMahal

TajMahal has the ability to capture webcam video.(Citation: Kaspersky TajMahal April 2019)
Revenge RAT

Revenge RAT has the ability to access the webcam.(Citation: Cylance Shaheen Nov 2018)(Citation: Cofense RevengeRAT Feb 2019)
Pupy

Pupy can access a connected webcam and capture pictures.(Citation: GitHub Pupy)
PoetRAT

PoetRAT has used a Python tool named Bewmac to record the webcam on compromised hosts.(Citation: Talos PoetRAT April 2020)
ZxShell

ZxShell has a command to perform video device spying.(Citation: Talos ZxShell Oct 2014)

njRAT

njRAT can access the victim's webcam.(Citation: Fidelis njRAT June 2013)(Citation: Citizen Lab Group5)
QuasarRAT

QuasarRAT can perform webcam viewing.(Citation: GitHub QuasarRAT)(Citation: Volexity Patchwork June 2018)
jRAT

jRAT has the capability to capture video from a webcam.(Citation: jRAT Symantec Aug 2018)(Citation: Kaspersky Adwind Feb 2016)
Quick Assist

Quick Assist allows for the remote administrator to view the interactive session of the running machine, including full screen activity.(Citation: Microsoft Quick Assist 2024)(Citation: Microsoft Storm-1811 2024)
WarzoneRAT

WarzoneRAT can access the webcam on a victim's machine.(Citation: Check Point Warzone Feb 2020)(Citation: Uptycs Warzone UAC Bypass November 2020)
Silence

Silence has been observed making videos of victims to observe bank employees day to day activities.(Citation: SecureList Silence Nov 2017)(Citation: Group IB Silence Sept 2018)
FIN7

FIN7 created a custom video recording capability that could be used to monitor operations in the victim's environment.(Citation: FireEye FIN7 Aug 2018)(Citation: DOJ FIN7 Aug 2018)
Ember Bear

Ember Bear has exfiltrated images from compromised IP cameras.(Citation: CISA GRU29155 2024)

Контрмеры
Контрмера Описание
Video Capture Mitigation

Mitigating this technique specifically may be difficult as it requires fine-grained API control. Efforts should be focused on preventing unwanted or unknown code from executing on a system. Identify and block potentially malicious software that may be used to capture video and images by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

Обнаружение

Detection of this technique may be difficult due to the various APIs that may be used. Telemetry data regarding API use may not be useful depending on how a system is normally used, but may provide context to other potentially malicious activity occurring on a system. Behavior that could indicate technique use include an unknown or unusual process accessing APIs associated with devices or software that interact with the video camera, recording devices, or recording software, and a process periodically writing files to disk that contain video or camera image data.

Ссылки

  1. Frydrych, M. (2020, April 14). TA505 Continues to Infect Networks With SDBbot RAT. Retrieved May 29, 2020.
  2. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
  3. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
  4. Kasza, A., Halfpop, T. (2016, February 09). NanoCoreRAT Behind an Increase in Tax-Themed Phishing E-mails. Retrieved November 9, 2018.
  5. Carr, N., et al. (2018, August 01). On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation. Retrieved August 23, 2018.
  6. Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020.
  7. Grunzweig, J. and Miller-Osborn, J.. (2016, February 4). T9000: Advanced Modular Backdoor Uses Complex Anti-Analysis Techniques. Retrieved April 15, 2016.
  8. GReAT. (2019, April 10). Project TajMahal – a sophisticated new APT framework. Retrieved October 14, 2019.
  9. Nicolas Verdier. (n.d.). Retrieved January 29, 2018.
  10. kate. (2020, September 25). APT-C-43 steals Venezuelan military secrets to provide intelligence support for the reactionaries — HpReact campaign. Retrieved November 20, 2020.
  11. MaxXor. (n.d.). QuasarRAT. Retrieved July 10, 2018.
  12. Kamluk, V. & Gostev, A. (2016, February). Adwind - A Cross-Platform RAT. Retrieved April 23, 2019.
  13. Harakhavik, Y. (2020, February 3). Warzone: Behind the enemy lines. Retrieved December 17, 2021.
  14. Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020.
  15. The DigiTrust Group. (2017, January 01). NanoCore Is Not Your Average RAT. Retrieved November 9, 2018.
  16. Gannon, M. (2019, February 11). With Upgrades in Delivery and Support Infrastructure, Revenge RAT Malware is a Bigger Threat. Retrieved November 17, 2024.
  17. Mohanta, A. (2020, November 25). Warzone RAT comes with UAC bypass technique. Retrieved April 7, 2022.
  18. GReAT. (2017, November 1). Silence – a new Trojan attacking financial organizations. Retrieved May 24, 2019.
  19. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
  20. Sharma, R. (2018, August 15). Revamped jRAT Uses New Anti-Parsing Techniques. Retrieved September 21, 2018.
  21. Chen, T. and Chen, Z. (2020, February 17). CLAMBLING - A New Backdoor Base On Dropbox. Retrieved November 12, 2021.
  22. Unit 42. (2019, December 2). Imminent Monitor – a RAT Down Under. Retrieved May 5, 2020.
  23. Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016.
  24. Department of Justice. (2018, August 01). HOW FIN7 ATTACKED AND STOLE DATA. Retrieved August 24, 2018.
  25. The Cylance Threat Research Team. (2017, March 22). El Machete's Malware Attacks Cut Through LATAM. Retrieved September 13, 2019.
  26. US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. Retrieved September 6, 2024.
  27. Galperin, E., Et al.. (2016, August). I Got a Letter From the Government the Other Day.... Retrieved April 25, 2018.
  28. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
  29. Microsoft Threat Intelligence. (2024, May 15). Threat actors misusing Quick Assist in social engineering attacks leading to ransomware. Retrieved March 14, 2025.
  30. Yadav, A., et al. (2017, August 31). Cobian RAT – A backdoored RAT. Retrieved November 13, 2018.
  31. TrendMicro. (2014, September 03). DARKCOMET. Retrieved November 6, 2018.
  32. Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022.
  33. Scott-Railton, J., et al. (2016, August 2). Group5: Syria and the Iranian Connection. Retrieved September 26, 2016.
  34. Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.
  35. Livelli, K, et al. (2018, November 12). Operation Shaheen. Retrieved May 1, 2019.
  36. Group-IB. (2018, September). Silence: Moving Into the Darkside. Retrieved May 5, 2020.
  37. The DigiTrust Group. (2017, January 12). The Rise of Agent Tesla. Retrieved November 5, 2018.
  38. Malhotra, A. (2021, March 2). ObliqueRAT returns with new campaign using hijacked websites. Retrieved September 2, 2021.
  39. Microsoft. (2024, September 4). Use Quick Assist to help users. Retrieved March 14, 2025.
  40. Mele, G. et al. (2021, February 10). Probable Iranian Cyber Actors, Static Kitten, Conducting Cyberespionage Campaign Targeting UAE and Kuwait Government Agencies. Retrieved March 17, 2021.
  41. Fidelis Cybersecurity. (2013, June 28). Fidelis Threat Advisory #1009: "njRAT" Uncovered. Retrieved June 4, 2019.
  42. Levene, B, et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018.
  43. Kujawa, A. (2018, March 27). You dirty RAT! Part 1: DarkComet. Retrieved November 6, 2018.
  44. Kaspersky Global Research and Analysis Team. (2014, August 20). El Machete. Retrieved September 13, 2019.
  45. Bacurio, F., Salvio, J. (2017, February 14). REMCOS: A New RAT In The Wild. Retrieved November 6, 2018.
  46. Nyan-x-Cat. (n.d.). NYAN-x-CAT / AsyncRAT-C-Sharp. Retrieved October 3, 2023.
  47. Brumaghin, E., et al. (2018, October 15). Old dog, new tricks - Analysing new RTF-based campaign distributing Agent Tesla, Loki with PyREbox. Retrieved November 5, 2018.
  48. QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020.
  49. Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020.
  50. Patrick Wardle. (n.d.). Retrieved March 20, 2018.
  51. Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018.
  52. Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved September 2, 2021.
  53. Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019.
Навигация

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.