Detection: Windows FFmpeg DirectShow Video Capture

Updated Date: 2026-05-20 ID: 636f1a0b-562a-4629-80f6-5ad46d2ebdee Author: Teoderick Contreras, Splunk Type: Anomaly Product: Splunk Enterprise Security

Description

This analytic detects active video capture performed by FFmpeg (ffmpeg.exe) via the Windows DirectShow (dshow) interface, a technique observed in SalatStealer and related UAC-0252 campaigns. After enumerating available devices, threat actors invoke FFmpeg with a specific video capture command that references a named webcam device (video=), requests MJPEG encoding (mjpeg), and uses the dshow input filter — all from a temporary directory to reduce forensic footprint. This sequence moves beyond reconnaissance into active collection, aligning with MITRE ATT&CK T1125 (Video Capture), where adversaries silently record from the victim's webcam to gather intelligence or capture sensitive on-screen activity. The presence of ffmpeg.exe in a temp path combined with these DirectShow video arguments is highly anomalous outside of dedicated multimedia or screen-recording software, making it a strong signal of covert surveillance activity.

Search

 1
 2| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
 3      WHERE (
 4              (
 5                Processes.process_name = ffmpeg.exe OR
 6                Processes.original_file_name = ffmpeg.exe
 7              ) AND
 8
 9              Processes.process_path IN ("*\\temp\\*") AND
10              Processes.process = "*video=*" AND
11              Processes.process = "* mjpeg *" AND
12              Processes.process = "* dshow *"
13            )
14      BY Processes.action Processes.dest Processes.original_file_name
15        Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
16        Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
17        Processes.process Processes.process_exec Processes.process_guid
18        Processes.process_hash Processes.process_id Processes.process_integrity_level
19        Processes.process_name Processes.process_path Processes.user
20        Processes.user_id Processes.vendor_product
21    
22| `drop_dm_object_name(Processes)`
23    
24| `security_content_ctime(firstTime)`
25    
26| `security_content_ctime(lastTime)`
27
28| `windows_ffmpeg_directshow_video_capture_filter`

Data Source

Name	Platform	Sourcetype	Source
CrowdStrike ProcessRollup2	Other	`'crowdstrike:events:sensor'`	`'crowdstrike'`
Sysmon EventID 1	Windows	`'XmlWinEventLog'`	`'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational'`
Windows Event Log Security 4688	Windows	`'XmlWinEventLog'`	`'XmlWinEventLog:Security'`

Macros Used

Name	Value
security_content_ctime	`convert timeformat="%Y-%m-%dT%H:%M:%S" ctime($field$)`
windows_ffmpeg_directshow_video_capture_filter	`search *`

windows_ffmpeg_directshow_video_capture_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Annotations

- MITRE ATT&CK

+ Kill Chain Phases

+ NIST

+ CIS

- Threat Actors

ID	Technique	Tactic
T1125	Video Capture	Collection

Exploitation

DE.AE

CIS 10

FIN7

Silence

VOID MANTICORE

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Setting	Value
Disabled	true
Cron Schedule	`0 * * * *`
Earliest Time	`-70m@m`
Latest Time	`-10m@m`
Schedule Window	`auto`
Creates Finding (Notable)	No
Creates Intermediate Finding (Risk Event)	Yes

Anomaly detections generate Intermediate Findings (Risk Events). They do not generate a Finding (Notable) directly.

Implementation

The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the Processes node of the Endpoint data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.

Known False Positives

Administrators or administrative scripts may use this application. Filter as needed.

Associated Analytic Story

Salat Stealer

Intermediate Findings

Message	Entity Field	Entity Type	Risk Score
a ffmpeg.exe process [$process_path$] capture video using DirectShow on [$dest$].	dest	system	20

Threat Objects

Field	Type
process	process
process_name	process_name
parent_process_name	parent_process_name

References

Detection Testing

Test Type	Status	Dataset	Source	Sourcetype
Validation	✅ Passing	N/A	N/A	N/A
Unit	✅ Passing	Dataset	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`	`XmlWinEventLog`
Integration	✅ Passing	Dataset	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`	`XmlWinEventLog`

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

Source: GitHub | Version: 1