Detection rules › Splunk
Windows Gather Victim Host Information Camera
The following analytic detects a PowerShell script that enumerates camera devices on the targeted host. This detection leverages PowerShell Script Block Logging, specifically looking for commands querying Win32_PnPEntity for camera-related information. This activity is significant as it is commonly observed in DCRat malware, which collects camera data to send to its command-and-control server. If confirmed malicious, this behavior could indicate an attempt to gather sensitive visual information from the host, potentially leading to privacy breaches or further exploitation.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Reconnaissance | T1592.001 Gather Victim Host Information: Hardware |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| PowerShell | 4104 | Creating Scriptblock text (MessageNumber of MessageTotal). |
Stages and Predicates
Stage 1: search
search EventCode=4104 ScriptBlockText="* Win32_PnPEntity *" ScriptBlockText="*PNPClass*" ScriptBlockText="*SELECT*" ScriptBlockText="*WHERE*" ScriptBlockText IN ("*Camera*", "*Image*")
Stage 2: fillnull
fillnull
Stage 3: stats
stats BY dest, signature, signature_id, user_id, vendor_product, EventID, Guid, Opcode, Name, Path, ProcessID, ScriptBlockId, ScriptBlockText
Stage 4: search
search
Stage 5: search
search
Stage 6: search
search `macro`
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
EventCode | eq |
|
ScriptBlockText | eq |
|
ScriptBlockText | in |
|
Neighbors
Broader alternatives (more inclusive than this rule)
These rules match a superset of what this rule catches. They cover the same events plus more. Use them if you want wider coverage and can absorb more false positives.
- Potential PowerShell Obfuscation via Invalid Escape Sequences (drops 6 filters this rule applies)
- Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion (drops 6 filters this rule applies)
- Potential PowerShell Obfuscation via Character Array Reconstruction (drops 6 filters this rule applies)
- Potential PowerShell Obfuscation via Concatenated Dynamic Command Invocation (drops 6 filters this rule applies)
- Potential PowerShell Obfuscation via High Numeric Character Proportion (drops 6 filters this rule applies)
- Potential Dynamic IEX Reconstruction via Environment Variables (drops 6 filters this rule applies)
- Dynamic IEX Reconstruction via Method String Access (drops 6 filters this rule applies)
- PowerShell Obfuscation via Negative Index String Reversal (drops 6 filters this rule applies)
- Potential PowerShell Obfuscation via Reverse Keywords (drops 6 filters this rule applies)
- Potential PowerShell Obfuscation via String Concatenation (drops 6 filters this rule applies)
- Potential PowerShell Obfuscation via String Reordering (drops 6 filters this rule applies)
- Potential PowerShell Obfuscation via Special Character Overuse (drops 6 filters this rule applies)
- PowerShell 4104 Hunting (drops 5 filters this rule applies)