MITRE ATT&CK® Analytic

AN0568: Analytic 0568

A non-standard process (or script-hosted process) loads camera/video-capture libraries (e.g., avicap32.dll, mf.dll, ksproxy.ax), opens the Camera Frame Server/device, writes video/image artifacts (e.g., .mp4/.avi/.yuv) to unusual locations, and optionally initiates outbound transfer shortly after.

Enterprise | AN0568 | Analytic | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic is about spotting unusual Windows processes that appear to access camera or video-capture components, create video or image files in unexpected locations, and possibly send data out soon afterward. For leaders, the practical concern is not just malware detection; it is whether the organization can prove when endpoint sensors, privacy-sensitive devices, or regulated workstations are being used in abnormal ways.

Executive priority

Prioritize this where Windows endpoints have cameras, handle sensitive conversations or regulated data, support executives, or operate in environments where privacy and cyber-physical trust matter. The business question is whether security teams can distinguish approved conferencing, recording, and media workflows from unexpected camera access, and whether incident responders have enough endpoint, file, and network evidence to investigate quickly.

Technical view

Validate coverage on Windows for non-standard or script-hosted processes loading camera/video-capture libraries such as avicap32.dll, mf.dll, or ksproxy.ax; opening Camera Frame Server or camera device interfaces; writing media artifacts such as .mp4, .avi, or .yuv to unusual paths; and initiating outbound transfer soon after. Because no official detection logic or tactic mapping is supplied, teams should treat this as an analytic pattern to operationalize and tune against known-good business applications.

Likely telemetry

  • Windows process creation and parent-child process telemetry
  • Module or library load telemetry for camera/video-capture components
  • Device access or Camera Frame Server activity where available
  • File creation telemetry for video/image artifacts and unusual write locations
  • Network connection or outbound transfer telemetry shortly after media file creation

Detection direction

  • Build correlation rather than relying on a single signal: unusual process plus camera library/device access plus media file creation plus optional outbound network activity is stronger than any one event alone.
  • Baseline approved video tools, browser conferencing, collaboration software, recording utilities, and enterprise support tools to reduce false positives.
  • Pay attention to script-hosted or uncommon parent processes, because the analytic specifically calls out non-standard and script-hosted processes.
  • Tune path-based logic carefully: 'unusual locations' must be defined locally using endpoint role, user workflow, and approved application behavior.
  • Validate whether endpoint tooling actually records module loads, camera/device access, and file creation metadata; many environments collect process and network logs but lack reliable device-access visibility.
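The correlation described in the bullets above, as an added example that is not part of the MITRE object or Glexia's analysis: it scores each process by the number of analytic signals present (script host, camera library load, media artifact in an unusual path, outbound connection shortly after) and skips baselined applications. The allowlist, expected directories, event schema and sample telemetry are all assumptions constructed for the example.

```python
# Added example (not MITRE's or Glexia's code): correlate constructed Windows
# endpoint events per process into the multi-signal pattern AN0568 describes.
from collections import defaultdict
from datetime import datetime, timedelta

CAMERA_LIBS = {"avicap32.dll", "mf.dll", "ksproxy.ax"}   # from the analytic text
MEDIA_EXTS = (".mp4", ".avi", ".yuv")                    # from the analytic text
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Assumed local baseline: approved conferencing/recording tools and the
# directories where media output is expected. Tune these per environment.
APPROVED_IMAGES = {"teams.exe", "zoom.exe", "obs64.exe"}
EXPECTED_DIRS = ("c:\\users\\", "c:\\program files\\")
WINDOW = timedelta(minutes=10)  # "shortly after": outbound within 10 min of media write

def correlate(events, window=WINDOW):
    """Return {pid: {"image", "signals", "score"}} for processes that both load a
    camera library and write a media artifact outside EXPECTED_DIRS."""
    by_pid = defaultdict(list)
    for e in events:
        by_pid[e["pid"]].append(e)
    findings = {}
    for pid, evs in by_pid.items():
        evs.sort(key=lambda e: e["ts"])
        image = next((e["image"].lower() for e in evs if e["type"] == "process"), "")
        if image in APPROVED_IMAGES:
            continue  # baselined tool: known-good camera use, out of scope here
        signals = []
        if image in SCRIPT_HOSTS:
            signals.append("script_host")
        if any(e["type"] == "imageload" and e["module"].lower() in CAMERA_LIBS for e in evs):
            signals.append("camera_lib")
        media = [e for e in evs if e["type"] == "filecreate" and e["path"].lower().endswith(MEDIA_EXTS)]
        if any(not e["path"].lower().startswith(EXPECTED_DIRS) for e in media):
            signals.append("media_unusual_path")
        if media and any(e["type"] == "network" and
                         timedelta(0) <= datetime.fromisoformat(e["ts"]) - datetime.fromisoformat(media[0]["ts"]) <= window
                         for e in evs):
            signals.append("outbound_after_media")
        if "camera_lib" in signals and "media_unusual_path" in signals:
            findings[pid] = {"image": image, "signals": signals, "score": len(signals)}
    return findings

SAMPLE_EVENTS = [  # constructed telemetry, not from any real host
    {"ts": "2024-01-01T10:00:00", "pid": 4100, "type": "process", "image": "powershell.exe"},
    {"ts": "2024-01-01T10:00:05", "pid": 4100, "type": "imageload", "module": "mf.dll"},
    {"ts": "2024-01-01T10:00:20", "pid": 4100, "type": "filecreate", "path": "C:\\Windows\\Temp\\cap1.avi"},
    {"ts": "2024-01-01T10:02:00", "pid": 4100, "type": "network", "dst": "203.0.113.5:443"},
    {"ts": "2024-01-01T10:00:00", "pid": 5200, "type": "process", "image": "Teams.exe"},
    {"ts": "2024-01-01T10:00:01", "pid": 5200, "type": "imageload", "module": "mf.dll"},
    {"ts": "2024-01-01T10:00:30", "pid": 5200, "type": "filecreate", "path": "C:\\Users\\a\\Videos\\meet.mp4"},
    {"ts": "2024-01-01T10:05:00", "pid": 6300, "type": "process", "image": "custom-recorder.exe"},
    {"ts": "2024-01-01T10:05:02", "pid": 6300, "type": "imageload", "module": "ksproxy.ax"},
    {"ts": "2024-01-01T10:05:30", "pid": 6300, "type": "filecreate", "path": "C:\\Users\\a\\Videos\\rec.mp4"},
]
```

The unlisted recorder (pid 6300) is not reported because its output lands in an expected directory, which is exactly the path-based tuning decision the bullets call out as local.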

Mitigation priorities

  • Inventory legitimate camera and video-capture use cases on Windows endpoints before enforcing controls.
  • Restrict or govern camera access through operating system, endpoint management, and application control policies where business operations allow.
  • Use application control or execution policy to reduce unauthorized script-hosted or non-standard processes accessing sensitive device capabilities.
  • Ensure endpoint detection and response, file monitoring, and network telemetry are retained long enough to support incident response timelines.
  • Document approved monitoring and privacy controls for audit and compliance evidence, especially for executive, regulated, or sensitive workstations.

Analyst notes and limits

The supplied ATT&CK object is a detection analytic, not a technique, and it has no supplied relationship context, tactic mapping, or official detection logic. The description supports a Windows-focused analytic pattern around camera/video-capture library loading, camera access, media artifact creation, and possible outbound transfer. Local baselining is essential because legitimate conferencing and recording applications can produce similar signals.

This take uses only the provided STIX fields and external reference. It does not establish adversary attribution, active exploitation, business impact, or guaranteed detection coverage. No relationships were supplied, so technique linkage and broader ATT&CK context cannot be asserted from this object alone.

Official MITRE ATT&CK definition

Analytic 0568

A non-standard process (or script-hosted process) loads camera/video-capture libraries (e.g., avicap32.dll, mf.dll, ksproxy.ax), opens the Camera Frame Server/device, writes video/image artifacts (e.g., .mp4/.avi/.yuv) to unusual locations, and optionally initiates outbound transfer shortly after.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created: (none listed)
Modified: (none listed)
Raw hash: 4ae7bd668cbe4e18...

Imported snapshots across ATT&CK releases (1)

  • Release 19.1; object version 1.0; status: current bundle; raw hash 4ae7bd668cbe… (bundle import date and modified timestamp not listed)

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0568 (open source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.