Windows Gather Victim Host Information Camera

Splunk Security Content

Summary
This detection rule identifies potentially malicious PowerShell commands that enumerate camera devices on a host by querying the Win32_PnPEntity WMI class. The rule uses PowerShell Script Block Logging to capture command execution patterns typically associated with the DCRat malware, which abuses system cameras to gather sensitive visual information. The detection searches script block text for specific terms related to device querying, namely 'Win32_PnPEntity', 'SELECT', and 'WHERE', and emphasizes the importance of monitoring this behavior to prevent privacy breaches and further exploitation by threat actors. Organizations are advised to enable PowerShell Script Block Logging so the detection can run, and to investigate and remediate if any suspicious activity is observed. Additionally, administrators should be aware of potential false positives when legitimate hardware inventory queries occur.
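The matching logic the summary describes, as an added example that is not Splunk's own search and is not taken from the page: it runs the three-term test over a handful of constructed Script Block Logging events and shows where a legitimate inventory account would surface as a false positive. The field names (EventCode, ScriptBlockText, UserID) and the allowlist of inventory accounts are assumptions for the example, not part of the published rule.

```python
from typing import Dict, Iterable, List

# Terms the detection looks for in PowerShell Script Block Logging text.
# All three must appear in one script block; matching is case-insensitive.
REQUIRED_TERMS = ("Win32_PnPEntity", "SELECT", "WHERE")

# Script Block Logging events carry EventCode 4104 (assumed field name).
SCRIPT_BLOCK_EVENT_CODE = 4104

# Hypothetical tuning knob: accounts that run sanctioned hardware inventory.
# Hits from these are kept but flagged, so the analyst still sees them.
ALLOWLISTED_USERS = frozenset({"svc_hwinventory"})


def matches_rule(script_block_text: str) -> bool:
    """True when every required term appears in the script block text."""
    text = script_block_text.lower()
    return all(term.lower() in text for term in REQUIRED_TERMS)


def detect_camera_enumeration(events: Iterable[Dict],
                              allowlist: frozenset = ALLOWLISTED_USERS) -> List[Dict]:
    """Return script-block events whose text satisfies the rule.

    Each returned event gets a 'tuned_out' flag set when the executing user
    is on the inventory allowlist, so expected hardware queries can be
    triaged separately from unexpected ones without being dropped silently.
    """
    hits = []
    for event in events:
        if event.get("EventCode") != SCRIPT_BLOCK_EVENT_CODE:
            continue
        if not matches_rule(event.get("ScriptBlockText", "")):
            continue
        hit = dict(event)
        hit["tuned_out"] = event.get("UserID") in allowlist
        hits.append(hit)
    return hits


# Constructed sample events for the example; not real log data.
SAMPLE_EVENTS = [
    # Matches: all three terms present, unexpected user.
    {"EventCode": 4104, "Computer": "WS01", "UserID": "alice",
     "ScriptBlockText": "Get-WmiObject -Query \"SELECT * FROM Win32_PnPEntity "
                        "WHERE PNPClass = 'Camera'\""},
    # Matches, but from the sanctioned inventory account (likely false positive).
    {"EventCode": 4104, "Computer": "WS02", "UserID": "svc_hwinventory",
     "ScriptBlockText": "Get-CimInstance -Query 'select * from win32_pnpentity "
                        "where pnpclass = \"Image\"'"},
    # Does not match: 'Where-Object' supplies WHERE but there is no SELECT.
    {"EventCode": 4104, "Computer": "WS03", "UserID": "bob",
     "ScriptBlockText": "Get-CimInstance -ClassName Win32_PnPEntity | "
                        "Where-Object { $_.Present }"},
    # Does not match: right text, but not a script block (4104) event.
    {"EventCode": 4103, "Computer": "WS04", "UserID": "carol",
     "ScriptBlockText": "SELECT * FROM Win32_PnPEntity WHERE Present = True"},
]


if __name__ == "__main__":
    for hit in detect_camera_enumeration(SAMPLE_EVENTS):
        status = "tuned-out (inventory account)" if hit["tuned_out"] else "ALERT"
        print(f"{status}: {hit['Computer']} {hit['UserID']}: {hit['ScriptBlockText']}")
```

Note that the third sample shows why the rule keys on all three terms together: a plain class enumeration piped through Where-Object contains two of them and is not flagged, while the 4103 event shows that the rule only sees script block text, so Script Block Logging must actually be enabled on the endpoint for anything to match.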
Categories
  • Endpoint
Data Sources
  • Pod
ATT&CK Techniques
  • T1592.001
  • T1592
Created: 2024-11-13