
Summary
This analytic detects the use of FFmpeg (ffmpeg.exe) to enumerate connected audio and video devices on a Windows endpoint. Adversaries and stealers such as SalatStealer abuse FFmpeg's DirectShow (dshow) input interface by invoking it with the -list_devices true and -hide_banner flags (in practice, ffmpeg -hide_banner -list_devices true -f dshow -i dummy) from a temporary directory, which prints every available webcam, microphone, and capture card without any user-facing activity. Device discovery of this kind maps to MITRE ATT&CK T1125 (Video Capture), where threat actors profile the system's multimedia capabilities as a precursor to covert audio or video surveillance (microphone capture itself is tracked separately under T1123, Audio Capture). Because the same command is also issued by legitimate media software and by administrators troubleshooting capture hardware, the analytic does not key on the device listing alone: the combination of an unusual process path (a temp directory), the dshow input format, and the device-listing arguments is what distinguishes malicious reconnaissance from routine use.
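The detection logic described above, run over constructed Sysmon Event ID 1 (process creation) records, as an added example that is not part of the original analytic. Every path, user, and parent process in the sample events is made up; the matching rules (ffmpeg.exe as the image, -list_devices true plus -f dshow on the command line, severity raised when the image lives under a Temp directory) follow the summary, and the case-insensitive matching and the EventID filter are the practical details a detection engineer would add when porting this to a SIEM query.

```python
import json
import re

# Constructed sample Sysmon Event ID 1 (process creation) records, one JSON
# object per line. All paths, users and parent processes are made up.
SAMPLE_EVENTS = r"""
{"EventID": 1, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\ffmpeg.exe", "CommandLine": "ffmpeg.exe -hide_banner -list_devices true -f dshow -i dummy", "ParentImage": "C:\\Users\\alice\\AppData\\Local\\Temp\\svc.exe", "User": "DESKTOP\\alice"}
{"EventID": 1, "Image": "C:\\Program Files\\ffmpeg\\bin\\ffmpeg.exe", "CommandLine": "\"C:\\Program Files\\ffmpeg\\bin\\ffmpeg.exe\" -i input.mp4 -c:v libx264 out.mkv", "ParentImage": "C:\\Windows\\explorer.exe", "User": "DESKTOP\\alice"}
{"EventID": 1, "Image": "C:\\Windows\\Temp\\ffmpeg.exe", "CommandLine": "ffmpeg -list_devices TRUE -f DSHOW -i dummy -hide_banner", "ParentImage": "C:\\Windows\\Temp\\update.exe", "User": "NT AUTHORITY\\SYSTEM"}
{"EventID": 1, "Image": "C:\\Program Files\\MediaTools\\ffmpeg.exe", "CommandLine": "ffmpeg.exe -hide_banner -list_devices true -f dshow -i dummy", "ParentImage": "C:\\Program Files\\MediaTools\\studio.exe", "User": "DESKTOP\\alice"}
{"EventID": 1, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\notffmpeg.exe", "CommandLine": "notffmpeg.exe -list_devices true", "ParentImage": "C:\\Windows\\explorer.exe", "User": "DESKTOP\\alice"}
{"EventID": 3, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\ffmpeg.exe", "CommandLine": "", "ParentImage": "", "User": "DESKTOP\\alice"}
"""

# The device-listing flag must be enabled and the DirectShow input format
# selected. Windows command lines are not case-normalised in the event, so
# all patterns match case-insensitively.
LIST_DEVICES_RE = re.compile(r"-list_devices\s+(true|1)\b", re.IGNORECASE)
DSHOW_RE = re.compile(r"-f\s+dshow\b", re.IGNORECASE)
TEMP_PATH_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)


def is_ffmpeg_device_enum(event: dict) -> bool:
    """True when a process-creation event shows ffmpeg.exe enumerating dshow devices."""
    image = event.get("Image", "")
    cmd = event.get("CommandLine", "")
    # Match on the file name only; the directory feeds severity, not the match.
    if not image.lower().endswith("\\ffmpeg.exe"):
        return False
    return bool(LIST_DEVICES_RE.search(cmd) and DSHOW_RE.search(cmd))


def detect(jsonl: str) -> list:
    """Run the analytic over JSON-lines Sysmon events and return one finding per hit."""
    findings = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("EventID") != 1:  # only process creation carries CommandLine
            continue
        if not is_ffmpeg_device_enum(event):
            continue
        in_temp = bool(TEMP_PATH_RE.search(event["Image"]))
        findings.append({
            "image": event["Image"],
            "parent": event.get("ParentImage", ""),
            "user": event.get("User", ""),
            "hide_banner": "-hide_banner" in event["CommandLine"].lower(),
            # A temp-directory copy of ffmpeg is the strongest signal in the
            # analytic; the same command from an installed media tool may be
            # legitimate and is left for an analyst to triage.
            "severity": "high" if in_temp else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['user']} {f['parent']} -> {f['image']}")
```

Run as a script it prints three findings: the two temp-directory invocations (one as a user, one as SYSTEM) at high severity and the installed-tool invocation at medium. The plain conversion job, the differently named binary, and the non-process-creation event are ignored, which is the behaviour the analytic needs to keep the device-listing check from firing on ordinary FFmpeg use.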
Categories
- Endpoint
- Windows
Data Sources
- Script
- Windows Registry
- Logon Session
- File
- Process
- Kernel
- Driver
- Volume
ATT&CK Techniques
- T1125
Created: 2026-06-16