Low RiskWindows

obs64.exeEXECUTABLE

OBS Studio - Open Broadcaster Software Analysis [2026]

OBS Studio is open-source broadcasting and recording software. While legitimate, attackers may abuse it for screen recording, credential capture, and surveillance of victims.

1viewsLast verified: Jan 18, 2025

Risk Summary

## Risk Summary | Factor | Assessment | |--------|------------| | Detection Difficulty | Low | | Abuse Potential | Medium | | Prevalence | Very Common | | Risk Score | 35/100 | OBS Studio is a legitimate streaming tool that can potentially be abused for surveillance and screen capture.

What is obs64.exe?

OBS Studio (Open Broadcaster Software) is a free, open-source software for video recording and live streaming.

Key Characteristics

Attribute	Value
File Name	obs64.exe, obs32.exe
Developer	OBS Project
Digital Signature	OBS Project
Typical Size	150-250 MB (installed)
Type	Streaming/Recording

Technical Details

Property	Description
Process Type	User Application
Network Activity	Streaming protocols (RTMP, SRT)
GPU Usage	High during encoding
Plugins	Extensible via plugins

OBS is the most popular open-source streaming software used by millions of content creators.

Normal Behavior

Legitimate Usage Patterns

obs64.exe  (Main application)
obs-browser-page.exe  (Browser source)
obs-ffmpeg-mux.exe  (Video muxer)

Expected Characteristics

Aspect	Expected Behavior
Parent Process	explorer.exe
User Context	Current user
Network	Streaming services (Twitch, YouTube)
GPU Usage	Moderate to high
Instances	Usually single

Common Network Destinations

Service	Purpose
Twitch.tv	Live streaming
YouTube	Live streaming
Facebook	Live streaming
Custom RTMP	Personal servers

C:\Program Files\obs-studio\bin\64bit\obs64.exeC:\Program Files (x86)\obs-studio\bin\32bit\obs32.exe

Suspicious Indicators

Red Flags

Indicator	Concern Level	Description
Headless operation	High	Running without GUI
Unknown stream targets	High	Streaming to unusual servers
Installed without consent	Medium	User unaware of installation
Recording without UI	High	Silent screen recording
Startup persistence	Medium	Auto-starting unexpectedly

Suspicious Patterns

Concerning Behaviors:
- OBS running minimized or hidden
- Streaming to non-standard RTMP servers
- Recording to hidden directories
- Running under unusual user account
- Plugin directories with unknown DLLs

Surveillance Indicators

Pattern	Concern
Persistent recording	Surveillance
Upload to unknown server	Data exfiltration
Capturing specific windows	Credential theft
Running as startup	Persistent surveillance

Abuse Techniques

Screen Surveillance

Attack Scenario:
1. Install OBS silently on target
2. Configure to record desktop continuously
3. Set up auto-upload or streaming to C2
4. Capture credentials, sensitive info
5. Exfiltrate recordings

Credential Capture

Credential Recording:
1. Configure OBS to capture specific windows
2. Record banking, email, password manager
3. Capture keystrokes visible on screen
4. Extract credentials from recordings

Video Exfiltration

Method	Implementation
RTMP Stream	Stream to attacker server
Local Recording	Save then exfiltrate
Scheduled Recording	Record at specific times
Window Capture	Target specific applications

Silent Operation

:: Start OBS minimized with recording
obs64.exe --startrecording --minimize-to-tray

:: Configure via scene collection
obs64.exe --scene "Surveillance" --startrecording

Detection Guidance

Sysmon Configuration

<RuleGroup name="OBS Monitoring" groupRelation="or">
  <ProcessCreate onmatch="include">
    <Image condition="contains">obs</Image>
  </ProcessCreate>
  <NetworkConnect onmatch="include">
    <Image condition="contains">obs</Image>
    <DestinationPort condition="is">1935</DestinationPort>
  </NetworkConnect>
</RuleGroup>

Sigma Rule

title: OBS Studio Suspicious Execution
status: experimental
logsource:
  product: windows
  category: process_creation
detection:
  selection:
    Image|contains: 'obs'
  suspicious:
    CommandLine|contains:
      - '--startrecording'
      - '--minimize'
      - '--scene'
  condition: selection and suspicious
  falsepositives:
    - Automated streaming setup
  level: medium

KQL Query

DeviceProcessEvents
| where FileName in~ ("obs64.exe", "obs32.exe")
| where ProcessCommandLine has_any ("--startrecording", "--minimize", "--scene")
| project Timestamp, DeviceName, ProcessCommandLine, AccountName

// RTMP connections from OBS
DeviceNetworkEvents
| where InitiatingProcessFileName contains "obs"
| where RemotePort == 1935
| project Timestamp, DeviceName, RemoteIP, RemoteUrl

Remediation Steps

Assessment

# Find OBS installations
Get-ChildItem -Path "C:\Program Files*" -Recurse -Filter "obs*.exe" -ErrorAction SilentlyContinue

# Check for recordings
Get-ChildItem -Path $env:USERPROFILE\Videos -Filter "*.mkv","*.mp4" -Recurse

# Check startup entries
Get-CimInstance Win32_StartupCommand | Where-Object { $_.Command -like "*obs*" }

Investigation

Check	Purpose
Installation date	Unauthorized install?
Recording location	Where are files saved?
Stream targets	Who receives stream?
Startup entries	Persistence mechanism?

Policy

Context	Response
Approved user	Normal usage
Unknown installation	Investigate source
Silent recording	Security incident

T1113 - Screen Capture T1125 - Video Capture

OBS Studio - Open Broadcaster Software Analysis [2026]

Risk Summary

Overview

What is obs64.exe?

Key Characteristics

Technical Details

Normal Behavior

Normal Behavior

Legitimate Usage Patterns

Expected Characteristics

Common Network Destinations

Common Locations

Suspicious Indicators

Suspicious Indicators

Red Flags

Suspicious Patterns

Surveillance Indicators

Abuse Techniques

Abuse Techniques

Screen Surveillance

Credential Capture

Video Exfiltration

Silent Operation

Detection Guidance

Detection Guidance

Sysmon Configuration

Sigma Rule

KQL Query

Remediation Steps

Remediation Steps

Assessment

Investigation

Policy

Investigation Checklist

Investigation Checklist

Installation Analysis

Configuration Review

Activity Analysis

Network Investigation

MITRE ATT&CK Techniques