AN0569: Analytic 0569
A process opens/reads /dev/video* (V4L2), performs ioctl/read loops, writes large/continuous video artifacts to disk, and/or quickly establishes outbound connections for exfiltration.
Analyst context for executives and security teams
This analytic highlights a Linux behavior pattern consistent with webcam or video-device access followed by local capture and possible outbound transfer. For leaders, the value is not attribution; it is validating whether the organization can see and investigate unauthorized use of video-capable endpoints or embedded Linux systems, especially where cameras intersect with privacy, facility operations, regulated environments, or cyber-physical risk.
Executive priority
Prioritize this as a visibility and control question for Linux systems with attached or built-in cameras. Security leaders should ask which business processes legitimately access /dev/video* devices, whether SOC teams can distinguish approved video workloads from suspicious capture activity, and whether incident responders have evidence for privacy, compliance, and operational-impact decisions if unauthorized video collection is suspected.
Technical view
On Linux, validate monitoring for processes that open or read /dev/video* V4L2 devices, perform repeated ioctl/read activity, create large or continuous video artifacts on disk, and then initiate outbound network connections. Because no ATT&CK tactic or official detection logic is supplied, teams should treat this as a behavioral analytic seed and tune it against local baselines such as conferencing tools, camera services, media pipelines, surveillance software, and legitimate streaming agents.
Likely telemetry
- Linux process execution and parent/child process context
- File access events for /dev/video* device nodes
- System call or audit telemetry for open/read/ioctl activity against video devices
- File creation and write telemetry for large or continuous video artifacts
- Outbound network connection metadata from the same process or process lineage
Detection direction
- Baseline approved Linux processes and users that access /dev/video* before alerting broadly.
- Correlate video-device access with sustained reads, large media file writes, or rapid outbound connections to reduce noise.
- Investigate process lineage, execution path, user context, and whether the host is expected to perform video capture.
- Tune for common benign sources such as video conferencing, browser media access, camera diagnostics, surveillance software, and legitimate streaming tools.
- Identify blind spots where endpoint telemetry does not capture device-node access, ioctl activity, or process-to-network correlation.
Mitigation priorities
- Maintain an inventory of Linux systems with video devices and document approved camera-use cases.
- Restrict camera device access to authorized users, services, and workloads where operationally feasible.
- Apply least privilege and hardening controls around services that legitimately access /dev/video* devices.
- Ensure endpoint, audit, and network telemetry can support incident reconstruction for suspected unauthorized capture or exfiltration.
- Use monitoring results as compliance and privacy evidence where camera access is regulated or business-sensitive.
Analyst notes and limits
This object is a detection analytic, not a technique description. The supplied ATT&CK fields provide a Linux platform and a behavior description involving V4L2 device access, video artifact creation, and possible outbound transfer. There are no supplied relationships, tactics, groups, software, mitigations, or official detection text, so all recommendations should be validated against local system roles and approved camera workflows.
No official detection logic, tactic mapping, relationship context, attribution, or exploitation evidence was supplied. This take should not be interpreted as proof of malicious activity or guaranteed detection coverage; local telemetry depth and baselining determine usefulness.
Analytic 0569
A process opens/reads /dev/video* (V4L2), performs ioctl/read loops, writes large/continuous video artifacts to disk, and/or quickly establishes outbound connections for exfiltration.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | dc0fd9b1edbc… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN0569Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.