
Summary
This anomaly rule detects active video capture performed by FFmpeg (ffmpeg.exe) via the Windows DirectShow (dshow) interface. The pattern begins with enumerating available DirectShow devices, followed by launching FFmpeg with a command that uses video= (a named webcam device), requests MJPEG encoding (mjpeg), and applies the dshow input filter. The invocation is executed from a temporary directory to reduce its forensic footprint. This sequence moves from discovery into active collection (Video Capture per MITRE ATT&CK T1125). The presence of ffmpeg.exe in a temp path alongside DirectShow video arguments is highly anomalous outside of legitimate multimedia or screen-recording software, providing a strong signal of covert surveillance activity. The rule triangulates telemetry from Sysmon EventID 1, Windows Security Event 4688, and CrowdStrike ProcessRollup2 to flag such activity; the detection maps to endpoint data model fields for the Processes entity and correlates to the SalatStealer-related campaign pattern described in the rule. The analytic is conservatively scoped, with known false positives arising from administrative usage; exceptions should be tuned to allow legitimate multimedia software while maintaining detection of covert capture attempts.
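As an added illustration (not the rule's own logic or any vendor's code), the following Python applies the pattern above to constructed process-creation records from the three telemetry sources named in the summary. The field names are those sources' own; the sample paths, device name and the approved-recorder.exe tuning exception are made-up placeholders.

```python
import re
# Field names for the three telemetry sources the rule draws on.
FIELD_MAP = {
    "sysmon_1": ("Image", "CommandLine", "ParentImage"),
    "security_4688": ("NewProcessName", "CommandLine", "ParentProcessName"),
    "cs_rollup2": ("ImageFileName", "CommandLine", "ParentBaseFileName"),
}
TEMP_PATH = re.compile(r"\\(?:temp|tmp)\\", re.IGNORECASE)          # run from a temp directory
DSHOW_INPUT = re.compile(r"(?:^|\s)-f\s+dshow\b", re.IGNORECASE)    # dshow input filter
NAMED_VIDEO = re.compile(r"\bvideo=", re.IGNORECASE)                # named webcam device
MJPEG_CODEC = re.compile(r"\bmjpeg\b", re.IGNORECASE)               # MJPEG encoding requested
# Constructed tuning exception (placeholder, not a real product): parents of approved recorders.
ALLOWED_PARENTS = {"approved-recorder.exe"}

def normalize(source, raw):
    """Map a source-specific record onto common Processes-entity fields."""
    img, cmd, parent = FIELD_MAP[source]
    path = raw.get(img, "")
    return {"process_path": path, "process_name": path.rsplit("\\", 1)[-1].lower(),
            "command_line": raw.get(cmd, ""),
            "parent_name": raw.get(parent, "").rsplit("\\", 1)[-1].lower()}

def match_covert_dshow_capture(ev):
    """Return the matched indicators, or None when the rule does not fire."""
    if ev["process_name"] != "ffmpeg.exe":
        return None
    cmd = ev["command_line"]
    hits = [n for n, rx in (("dshow", DSHOW_INPUT), ("video=", NAMED_VIDEO),
                            ("mjpeg", MJPEG_CODEC)) if rx.search(cmd)]
    if len(hits) < 3 or not TEMP_PATH.search(ev["process_path"]):
        return None  # incomplete pattern, or run from a normal install path
    if ev["parent_name"] in ALLOWED_PARENTS:
        return None  # tuned exception for approved multimedia software
    return hits + ["temp_path"]

# Constructed sample records, one per source; device, user and path names are made up.
CAPTURE_ARGS = 'ffmpeg.exe -f dshow -i video="Integrated Camera" -vcodec mjpeg out.avi'
SAMPLE_EVENTS = [
    ("sysmon_1", {"Image": r"C:\Users\alice\AppData\Local\Temp\ffmpeg.exe",
                  "CommandLine": CAPTURE_ARGS, "ParentImage": r"C:\Windows\explorer.exe"}),
    ("security_4688", {"NewProcessName": r"C:\Program Files\ffmpeg\bin\ffmpeg.exe",
                       "CommandLine": CAPTURE_ARGS, "ParentProcessName": r"C:\Windows\explorer.exe"}),
    ("cs_rollup2", {"ImageFileName": r"\Device\HarddiskVolume3\Windows\Temp\ffmpeg.exe",
                    "CommandLine": CAPTURE_ARGS, "ParentBaseFileName": "approved-recorder.exe"}),
]

def run_rule(events=SAMPLE_EVENTS):
    """Apply the rule to (source, raw_record) pairs; return (source, indicators) per alert."""
    return [(s, h) for s, h in ((s, match_covert_dshow_capture(normalize(s, r))) for s, r in events) if h]
```

Only the Sysmon record fires: the 4688 record runs from a normal install path, and the CrowdStrike record is suppressed by the tuning exception despite matching every indicator.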
Categories
- Endpoint
- Windows
Data Sources
- Process
ATT&CK Techniques
- T1125
Created: 2026-06-16