Linux Audio Recording Activity Detected

This rule monitors for the usage of the most common audio recording utilities on Unix systems by an uncommon process parent. Adversaries may collect audio data from users or systems for a variety of reasons, including espionage, credential theft, or reconnaissance.


 1[metadata]
 2creation_date = "2026/01/07"
 3integration = ["endpoint", "sentinel_one_cloud_funnel"]
 4maturity = "production"
 5updated_date = "2026/01/07"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10This rule monitors for the usage of the most common audio recording utilities on unix systems by an uncommon process parent.
11Adversaries may collect audio data from users or systems for a variety of reasons including espionage, credential theft, or reconnaissance.
12"""
13from = "now-9m"
14index = [
15          "logs-endpoint.events.process*",
16          "logs-sentinel_one_cloud_funnel.*",
17          "endgame-*",
18        ]
19language = "kuery"
20license = "Elastic License v2"
21name = "Linux Audio Recording Activity Detected"
22risk_score = 21
23rule_id = "3ee526ce-1f26-45dd-9358-c23100d1121f"
24severity = "low"
25tags = [
26    "Domain: Endpoint",
27    "OS: Linux",
28    "Use Case: Threat Detection",
29    "Tactic: Collection",
30    "Data Source: Elastic Defend",
31    "Data Source: Elastic Endgame",
32    "Data Source: SentinelOne",
33]
34timestamp_override = "event.ingested"
35type = "new_terms"
36query = '''
37event.category:process and host.os.type:"linux" and event.type:"start" and event.action:("exec" or "exec_event" or "start") and (
38  process.name:("arecord" or "parec" or "pw-record" or "ecasound") or
39  (process.name:"pw-cat" and process.args:"-r") or
40  (process.name:"ffmpeg" and process.args:"-i")
41) and
42not process.args:("-h" or "--help" or "--version")
43'''
44
45[[rule.threat]]
46framework = "MITRE ATT&CK"
47
48[[rule.threat.technique]]
49id = "T1123"
50name = "Audio Capture"
51reference = "https://attack.mitre.org/techniques/T1123/"
52
53[rule.threat.tactic]
54id = "TA0009"
55name = "Collection"
56reference = "https://attack.mitre.org/tactics/TA0009/"
57
58[rule.new_terms]
59field = "new_terms_fields"
60value = ["agent.id", "process.parent.executable"]
61
62[[rule.new_terms.history_window_start]]
63field = "history_window_start"
64value = "now-5d"

