T1123: Audio Capture
An adversary can leverage a computer's peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening into sensitive conversations to gather information.
Malware or scripts may be used to interact with the devices through an available API provided by the operating system or an application to capture audio. Audio files may be written to disk and exfiltrated later.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
— Monitoring of events related to execution of WindowsAudioDevice-Powershell-Cmdlet and Get-MicrophoneAudio.
— Monitoring of events related to adding registry keys to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\Microphone.
— Monitoring of process-start events whose command line contains copy operations for files located in the %APPDATA%\Intel\Skype directory.
Expert Required. The technique is detected only with the combination of «PT Product + Expert»
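The three monitoring items listed above, written as simple matching rules and run over a few constructed, Sysmon-like events. This is an added example, not MaxPatrol SIEM content; the event field names, rule names and sample values are assumptions made for the illustration.

```python
import re

# Constructed sample events in a simplified, Sysmon-like shape. The field
# names are an assumption for this example, not the MaxPatrol SIEM schema.
SAMPLE_EVENTS = [
    {"type": "process_create",
     "command_line": r'powershell.exe -NoP -c "Import-Module .\WindowsAudioDevice-Powershell-Cmdlet.psm1; Get-MicrophoneAudio -Path C:\Users\Public\a.wav"'},
    {"type": "registry_set",
     "target_object": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\Microphone\NonPackaged\C:#Tools#rec.exe"},
    {"type": "process_create",
     "command_line": r'cmd.exe /c copy "%APPDATA%\Intel\Skype\call01.wav" \\share\out'},
    {"type": "process_create",
     "command_line": r"C:\Windows\System32\notepad.exe report.txt"},  # benign, should not fire
]

# One rule per monitoring item on the page: (rule name, event type, field, pattern).
RULES = [
    ("T1123_audio_cmdlet", "process_create", "command_line",
     re.compile(r"WindowsAudioDevice-Powershell-Cmdlet|Get-MicrophoneAudio", re.I)),
    ("T1123_microphone_consent_store", "registry_set", "target_object",
     re.compile(r"\\CapabilityAccessManager\\ConsentStore\\Microphone(?:\\|$)", re.I)),
    # Copy operations on files under %APPDATA%\Intel\Skype. The expanded form of
    # %APPDATA% (...\AppData\Roaming) is matched too, because logged command
    # lines usually carry the already-expanded path.
    ("T1123_skype_dir_copy", "process_create", "command_line",
     re.compile(r"\b(?:x?copy|robocopy|copy-item)\b.*?(?:%APPDATA%|\\AppData\\Roaming)\\Intel\\Skype\\", re.I)),
]


def match_rules(event):
    """Return the names of all rules that fire on a single event."""
    hits = []
    for name, etype, field, pattern in RULES:
        if event.get("type") == etype and pattern.search(event.get(field, "")):
            hits.append(name)
    return hits


def scan(events):
    """Return (event index, rule names) for every event that fires at least one rule."""
    return [(i, hits) for i, ev in enumerate(events) if (hits := match_rules(ev))]


if __name__ == "__main__":
    for i, hits in scan(SAMPLE_EVENTS):
        print(f"event {i}: {', '.join(hits)}")
```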
Detection
ID | Data source and component | Description
---|---|---
DS0009 | Process: OS API Execution | Monitor for API calls associated with leveraging a computer's peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening into sensitive conversations to gather information.
DS0017 | Command: Command Execution | Monitor executed commands and arguments for actions that can leverage a computer's peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening into sensitive conversations to gather information.