Detection of Audio Capture Attack with Splunk Detection Rule
Detection of Audio Capture Attack
ID: T1123
Tactic: Collection
Platform: Linux, macOS, Windows
An adversary can leverage a computer’s peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening to sensitive conversations to gather information.
Malware or scripts may be used to interact with the devices through an available API provided by the operating system or an application to capture audio. Audio files may be written to disk and exfiltrated later.
Mitigation
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
Detection of Audio Capture Attack
Detection of Audio Capture Attack may be difficult due to the various APIs that may be used. Telemetry data regarding API use may not be useful depending on how a system is normally used but may provide context to other potentially malicious activity occurring on a system.
Behavior that could indicate use of this technique includes an unknown or unusual process accessing APIs associated with devices or software that interact with the microphone, recording devices or recording software, and a process periodically writing files to disk that contain audio data.
This Splunk detection rule can be converted to a Sigma rule and applied to many log management or SIEM systems; the string patterns it relies on can even be used with grep on the command line.
The Splunk searches for detecting Audio Capture:
Search 1, looking for use of the audio-device PowerShell cmdlets in the PowerShell log:
index=windows SourceName="Microsoft-Windows-PowerShell" "*WindowsAudioDevice-Powershell-Cmdlet*"
Search 2, looking in Sysmon process-creation events for the Sound Recorder app being launched (it is started with the command: explorer.exe shell:appsFolder\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe!App) or for soundrec.exe itself running:
index=windows source="WinEventLog:Microsoft-Windows-Sysmon/Operational" (EventCode=1 Image="*\\explorer.exe" CommandLine="*WindowsSoundRecorder*") OR (EventCode=1 Image="*\\soundrec.exe")
Search 3, looking for command lines that use /DURATION or /FILE (the switches that tell the legacy SoundRecorder.exe how long to record and which output file to write):
index=windows source="WinEventLog:Microsoft-Windows-Sysmon/Operational" (EventCode=1 CommandLine="*/DURATION*") OR (EventCode=1 CommandLine="*/FILE*")
Note that search 3 matches any process whose command line contains /FILE or /DURATION, so expect false positives from unrelated tools; requiring both switches in the same command line, or restricting Image to the recorder binary, cuts the noise. All three searches need Sysmon (Event ID 1) and PowerShell logging forwarded into the windows index, and they only catch these particular tools, not every program that reads from the microphone.
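The three searches above, re-expressed as matching logic in Python and run over a handful of constructed Sysmon and PowerShell events, as an added example that is not part of the original page and not a Splunk artifact. It goes one step beyond the page: alongside the third search as written, it includes a tightened variant that requires /FILE and /DURATION together, to show how much noise the /FILE-only match lets through. Every event, path and tool name (including the hypothetical archiver.exe) is constructed sample data, and the "_raw" key is an assumption standing in for the full event text that a bare quoted term in SPL is matched against.

```python
import fnmatch

SYSMON = "WinEventLog:Microsoft-Windows-Sysmon/Operational"

# Constructed sample events (not real telemetry). Keys mirror the Splunk
# field names used by the searches on the page.
SAMPLE_EVENTS = [
    # 0: Sound Recorder app launched through explorer.exe
    {"source": SYSMON, "EventCode": 1, "Image": r"C:\Windows\explorer.exe",
     "CommandLine": r"explorer.exe shell:appsFolder\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe!App"},
    # 1: the Sound Recorder binary itself (constructed path)
    {"source": SYSMON, "EventCode": 1,
     "Image": r"C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\soundrec.exe",
     "CommandLine": "soundrec.exe"},
    # 2: legacy SoundRecorder.exe told to record for 30 seconds into a file
    {"source": SYSMON, "EventCode": 1, "Image": r"C:\Windows\System32\SoundRecorder.exe",
     "CommandLine": r"SoundRecorder.exe /FILE C:\Users\alice\AppData\Local\Temp\rec.wav /DURATION 0000:00:30"},
    # 3: benign, hypothetical archiver that also takes a /FILE switch
    {"source": SYSMON, "EventCode": 1, "Image": r"C:\Tools\archiver.exe",
     "CommandLine": r"archiver.exe /FILE C:\backup\nightly.zip"},
    # 4: benign process with no recorder-related switches
    {"source": SYSMON, "EventCode": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\alice\notes.txt"},
    # 5: PowerShell script-block log entry mentioning the audio cmdlet module
    {"SourceName": "Microsoft-Windows-PowerShell", "EventCode": 4104,
     "_raw": "Creating Scriptblock text (1 of 1): Import-Module WindowsAudioDevice-Powershell-Cmdlet"},
]


def splunk_glob(value, pattern):
    """Splunk-style wildcard comparison: '*' matches any run, case-insensitive."""
    return fnmatch.fnmatchcase(str(value).lower(), pattern.lower())


def is_process_creation(ev):
    return ev.get("source") == SYSMON and ev.get("EventCode") == 1


def rule_audio_cmdlet(ev):
    # Search 1: PowerShell log event whose text mentions the audio-device cmdlets.
    return (ev.get("SourceName") == "Microsoft-Windows-PowerShell"
            and splunk_glob(ev.get("_raw", ""), "*WindowsAudioDevice-Powershell-Cmdlet*"))


def rule_sound_recorder(ev):
    # Search 2: Sound Recorder launched via explorer.exe, or soundrec.exe running.
    if not is_process_creation(ev):
        return False
    via_explorer = (splunk_glob(ev["Image"], r"*\explorer.exe")
                    and splunk_glob(ev["CommandLine"], "*WindowsSoundRecorder*"))
    return via_explorer or splunk_glob(ev["Image"], r"*\soundrec.exe")


def rule_recorder_switches(ev):
    # Search 3 exactly as the page writes it: any /DURATION or any /FILE switch.
    return is_process_creation(ev) and (
        splunk_glob(ev["CommandLine"], "*/DURATION*")
        or splunk_glob(ev["CommandLine"], "*/FILE*"))


def rule_recorder_switches_tightened(ev):
    # Added variant (not on the page): require both switches in one command
    # line, the way SoundRecorder.exe takes them, since /FILE alone is common.
    return is_process_creation(ev) and (
        splunk_glob(ev["CommandLine"], "*/FILE*")
        and splunk_glob(ev["CommandLine"], "*/DURATION*"))


RULES = {
    "powershell_audio_cmdlet": rule_audio_cmdlet,
    "sound_recorder_launch": rule_sound_recorder,
    "recorder_switches_as_written": rule_recorder_switches,
    "recorder_switches_tightened": rule_recorder_switches_tightened,
}


def run_rules(events, rules=RULES):
    """Return {rule name: [indices of the events that matched]}."""
    return {name: [i for i, ev in enumerate(events) if match(ev)]
            for name, match in rules.items()}


if __name__ == "__main__":
    for name, hits in run_rules(SAMPLE_EVENTS).items():
        print(f"{name}: events {hits}")
```

Run against the constructed events, the as-written third search fires on both the recorder (event 2) and the archiver (event 3), while the tightened variant fires only on the recorder; the other two searches behave the same in both forms. Splunk's wildcard matching is case-insensitive, which is why the comparison lowercases both sides.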
Secure Your Organization’s Mind with Securebug.se