Live Active security incident? Get immediate response
MITRE ATT&CK® Detection Strategy

DET0197: Behavior-chain, platform-aware detection strategy for T1125 Video Capture

DET0197 is a MITRE detection strategy for identifying behavior chains associated with T1125 Video Capture, a collection technique where adversaries may use...

EnterpriseDET0197Detection StrategyObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DET0197 is a MITRE detection strategy for identifying behavior chains associated with T1125 Video Capture, a collection technique where adversaries may use cameras, webcams, or video-capable applications to gather information. For leaders, the business issue is not just endpoint malware: unauthorized video capture can expose sensitive meetings, facilities, personnel activity, or regulated information, making it relevant to privacy, insider-risk, incident response, and physical/cyber convergence discussions.

Executive priority

Prioritize this as a validation question for endpoint visibility and privacy-sensitive monitoring: can the organization prove when camera access occurs on Linux, macOS, and Windows systems, and can the SOC distinguish expected conferencing or business use from suspicious collection behavior? This matters for business continuity and compliance evidence because camera misuse may affect executive communications, regulated environments, investigations, and facilities where visual information has operational value.

Technical view

The supplied ATT&CK object has no official description or detection logic, but it detects T1125 Video Capture under the Collection tactic. SOC and detection engineering teams should therefore validate platform-aware coverage for camera or webcam access, image/video file creation, and process/application behavior associated with camera APIs or video-capable applications on Linux, macOS, and Windows. Because legitimate video conferencing and collaboration tools create substantial noise, useful detection will likely depend on behavior-chain context rather than a single camera-access event.

Likely telemetry

  • Endpoint process execution and parent-child process relationships around applications or scripts accessing camera devices or video APIs
  • Operating system privacy, permission, or device-access logs for camera or webcam use where available
  • File creation telemetry for image or video outputs, including periodic image capture patterns where observable
  • Application activity from video call or camera-capable software, especially unusual launches or automation
  • EDR or host telemetry linking camera access to unsigned, uncommon, scripted, or unexpected processes

Detection direction

  • Validate that camera-access telemetry is actually collected across the related T1125 platforms: Linux, macOS, and Windows; do not assume parity between operating systems.
  • Tune detections around behavior chains: unusual process lineage, unexpected camera access, repeated image/video creation, or camera activity outside normal user/application patterns.
  • Account for high false-positive potential from legitimate meeting software, accessibility tools, browser-based conferencing, and approved camera utilities.
  • Use user and asset context to prioritize sensitive systems, executive endpoints, regulated workstations, and devices in facilities where visual information could create cyber-physical risk.
  • Confirm whether detection content maps to T1125 Collection behavior rather than only generic peripheral access alerts.

Mitigation priorities

  • Establish policy and technical controls for which applications may access cameras on managed endpoints.
  • Review operating system privacy and permission settings for camera access, especially on sensitive user groups and assets.
  • Limit unnecessary camera availability on systems where video capture is not required for business operations.
  • Ensure endpoint monitoring and response playbooks include triage steps for suspicious camera access and image/video artifact collection.
  • Use awareness, acceptable-use policy, and compliance evidence to document how camera access is governed and reviewed.
Analyst notes and limits

The strongest use of this object is as a coverage-validation prompt. MITRE identifies DET0197 as a behavior-chain, platform-aware detection strategy for T1125, but the supplied detection strategy fields do not include official detection text. The relationship to T1125 provides the practical anchor: video or image capture through peripherals or applications for information gathering under the Collection tactic.

The detection strategy itself has no official description, no official detection guidance, and no platforms or tactics specified in its own fields. Platform and tactic context comes from the related T1125 technique only. Local telemetry, approved camera-use baselines, endpoint management controls, and privacy requirements are required before drawing conclusions about detection coverage or exposure.

Official MITRE ATT&CK definition

Behavior-chain, platform-aware detection strategy for T1125 Video Capture

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 rows
Domain ID Name Relationship / procedure
Enterprise T1125 Video Capture This object detects Video Capture.
Relationship explorer

All related ATT&CK context

detects · Technique T1125: Video Capture Enterprise
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
6760c6438df5ab6c...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle 6760c6438df5…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack DET0197
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use