PowerShell Suspicious Script with Audio Capture Capabilities

Detects PowerShell script block content that invokes microphone capture routines or WinMM audio APIs. Adversaries may use audio recording to surveil users or capture sensitive conversations for theft or extortion.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2021/10/19"
integration = ["windows"]
maturity = "production"
updated_date = "2026/03/30"

[rule]
author = ["Elastic"]
description = """
Detects PowerShell script block content that invokes microphone capture routines or WinMM audio APIs.
Adversaries may use audio recording to surveil users or capture sensitive conversations for theft or extortion.
"""
from = "now-9m"
index = ["logs-windows.powershell*", "winlogbeat-*"]
language = "kuery"
license = "Elastic License v2"
name = "PowerShell Suspicious Script with Audio Capture Capabilities"
references = ["https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-MicrophoneAudio.ps1"]
risk_score = 73
rule_id = "2f2f4939-0b34-40c2-a0a3-844eb7889f43"
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Collection",
    "Resources: Investigation Guide",
    "Data Source: PowerShell Logs",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.category:process and host.os.type:windows and
  powershell.file.script_block_text : (
    "Get-MicrophoneAudio" or
    ("Get-AudioDevice" and "Recording" and "Set-AudioDevice") or
    "WindowsAudioDevice-Powershell-Cmdlet" or
    (
      "winmm.dll" and
      (
        "waveInGetNumDevs" or "waveInOpen" or "waveInStart" or
        "mciSendString" or "mciSendStringA" or "mciSendStringW"
      )
    )
  ) and
  not powershell.file.script_block_text : (
    "sentinelbreakpoints" and "Set-PSBreakpoint" and "PowerSploitIndicators"
  )
'''

note = """## Triage and analysis

### Investigating PowerShell Suspicious Script with Audio Capture Capabilities

#### Possible investigation steps

- Does the preserved script content show live microphone capture logic rather than inert reference text?
  - Focus: the preserved script text on the alert and any associated `file.path`.
  - Implication: supports concern when the content invokes recording routines, output paths, duration controls, or upload logic; carries less weight when the text is clearly inert example material, documentation, or recognized test content with no adjacent execution evidence.

- Does reconstructing the full script reveal staging, timers, cleanup, or transfer behavior that changes urgency?
  - Why: script block logging can split one script across multiple records; later fragments often reveal save locations, loop logic, or exfiltration.
  - Focus: `powershell.file.script_block_id`, `powershell.sequence`, `powershell.total`, and `powershell.file.script_block_length` to rebuild adjacent fragments, then the reconstructed content for output paths, encoding steps, remote destinations, or cleanup logic. $investigate_0
  - Implication: supports active collection when reconstruction shows repeated capture loops, hidden staging paths, compression, upload, persistence, or cleanup after collection.

- Does the user-host pairing fit recognized accessibility testing, media tooling, or security assessment?
  - Focus: the `user.id` and `host.id` pairing, whether the host role or asset classification supports microphone access, and any prior alert recurrence from this rule for the same pairing and launcher.
  - Implication: escalate when the user has no recurring pattern of audio access, the host handles privileged or sensitive workflows, or the timing falls outside scheduled testing.

- Can you recover the PowerShell process and explain how it was launched?
  - Focus: the matching process start event via `process.pid` and `host.id`, recovering `process.command_line`, `process.parent.executable`, `process.parent.command_line`, and `process.Ext.session_info.logon_type`. $investigate_1
  - Hint: if the process event cannot be found, keep later file and network review bounded to the same host and alert time rather than assuming a wider process scope.
  - Implication: supports concern when the recovered process is launched by a document, browser, chat client, scheduled task, remote session, or user-writable script path.

- Do file events from the same process show recorded audio or staging artifacts?
  - Focus: file events for the same `process.entity_id`, with attention to `file.path`, `file.extension`, `file.Ext.header_bytes`, and `file.Ext.original.path` when media files or archives are renamed for staging.
  - Implication: supports active collection when media files, deceptive extensions, archives, or renamed payloads appear in user-writable or hidden paths, or when written artifacts are later executed or uploaded.

- Do network events show outbound transfer or second-stage behavior from the same process?
  - Focus: network events for the same `process.entity_id`, separating `dns.question.name` / `dns.resolved_ip` from `destination.ip` / `destination.port`.
  - Implication: suggests follow-on transfer when the same process or host reaches rare public destinations, cloud storage, or messaging services. Missing network telemetry is unresolved, not benign.

- If the local evidence stays suspicious, do related alerts or repeated script-block activity suggest broader compromise?
  - Focus: related alerts for the same `user.id` to find repeated collection, execution, or defense-evasion activity. $investigate_2
  - Hint: compare related alerts for the same `host.id` and repeated preserved script substrings on this asset to look for persistence, repeated collection, follow-on staging, or renamed audio-capture variants. $investigate_3
  - Implication: suggests broader compromise when either view shows collection, execution, defense-evasion, persistence, or transfer activity; stays localized when alerts are confined to the known script and host with no repeated collection or follow-on staging.

- Escalate when script intent, launch context, artifacts, or network activity align on active collection; close only when all evidence supports a recognized benign workflow; if mixed or incomplete, preserve and escalate.

### False positive analysis

- Accessibility, QA, or red-team activity can legitimately trigger this rule. Confirm that the script content, the identity of the user who ran it, and the host all belong to an authorized workflow.
- Before creating an exception, validate that the same `user.id`, `host.id`, `file.path`, and a stable `powershell.file.script_block_text` substring recur across prior alerts. Avoid exceptions on audio API strings alone, `user.name` alone, or the host alone.

### Response and remediation

- If confirmed benign, reverse any temporary containment and document the script content, recovered launch chain, user-host scope, and any benign file or destination pattern that proved the confirmed workflow. Create an exception only if the same workflow recurs consistently across prior alerts from this rule.
- If suspicious but unconfirmed, preserve the reconstructed script content, recovered `process.entity_id`, related `file.path` artifacts, and any `dns.question.name` or `destination.ip` values linked to transfer. Apply reversible containment such as temporary destination blocking or session restrictions. Escalate to host isolation only when active collection or transfer evidence is strong and the host role can tolerate it. Avoid destructive cleanup until scope is clearer.
- If confirmed malicious, document the recovered `process.entity_id`, `process.command_line`, `process.parent.executable`, written `file.path` artifacts, and any confirmed `dns.question.name` or `destination.ip` values before initiating response actions. Use available endpoint response integrations to isolate the host (preferred over process termination for initial containment when the asset can tolerate it), then block confirmed malicious destinations and scripts. If direct endpoint response is unavailable, escalate with the documented artifacts to the team that can act. If the captured audio may have exposed sensitive conversations or privileged sessions, initiate access review for the affected accounts.
- If recorded audio files or staging archives are identified, preserve them according to privacy and evidence-handling requirements. Review related users and hosts for the same `powershell.file.script_block_text` content, `file.path` pattern, or `dns.question.name` destinations before eradicating. Then remove the artifacts and any persistence or automation identified during reconstruction or host-scoping.
- After containment, restrict the execution path that allowed the script to run, such as tightening PowerShell execution policies or script-path allowlists. Retain PowerShell script block logging and related endpoint telemetry.
"""

setup = """## Setup

PowerShell Script Block Logging must be enabled to generate the events used by this rule (e.g., 4104).
Setup instructions: https://ela.st/powershell-logging-setup
"""

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "user.name",
    "user.id",
    "user.domain",
    "powershell.file.script_block_text",
    "powershell.file.script_block_id",
    "powershell.sequence",
    "powershell.total",
    "file.path",
    "file.directory",
    "file.name",
    "process.pid",
    "host.name",
    "host.id",
    "powershell.file.script_block_length"
]

[[transform.investigate]]
label = "Script block fragments for the same script"
description = ""
providers = [
  [
    { excluded = false, field = "powershell.file.script_block_id", queryType = "phrase", value = "{{powershell.file.script_block_id}}", valueType = "string" },
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" }
  ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[transform.investigate]]
label = "Process events for the PowerShell instance"
description = ""
providers = [
  [
    { excluded = false, field = "process.pid", queryType = "phrase", value = "{{process.pid}}", valueType = "string" },
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "event.category", queryType = "phrase", value = "process", valueType = "string" }
  ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[transform.investigate]]
label = "Alerts associated with the user"
description = ""
providers = [
  [
    { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
    { excluded = false, field = "user.id", queryType = "phrase", value = "{{user.id}}", valueType = "string" }
  ]
]
relativeFrom = "now-48h/h"
relativeTo = "now"

[[transform.investigate]]
label = "Alerts associated with the host"
description = ""
providers = [
  [
    { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" }
  ]
]
relativeFrom = "now-48h/h"
relativeTo = "now"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1123"
name = "Audio Capture"
reference = "https://attack.mitre.org/techniques/T1123/"

[rule.threat.tactic]
id = "TA0009"
name = "Collection"
reference = "https://attack.mitre.org/tactics/TA0009/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"

[[rule.threat.technique.subtechnique]]
id = "T1059.001"
name = "PowerShell"
reference = "https://attack.mitre.org/techniques/T1059/001/"

[[rule.threat.technique]]
id = "T1106"
name = "Native API"
reference = "https://attack.mitre.org/techniques/T1106/"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1120"
name = "Peripheral Device Discovery"
reference = "https://attack.mitre.org/techniques/T1120/"

[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
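The query evaluates each of its conjunctive groups (for example "winmm.dll" together with one of the waveIn* or mciSendString* names) against a single script block record, while the investigation guide notes that script block logging can split one script across several 4104 records. The Python below is an added example and is not Elastic's code or part of the rule: it reimplements the query's term logic with a case-insensitive substring check (an approximation of KQL's analyzed phrase matching on the text field, which can differ at token boundaries), reassembles fragments by host.id and powershell.file.script_block_id in powershell.sequence order, and runs both the per-record and the reassembled verdict. It also exercises the rule's exclusion clause and a partial Get-AudioDevice hit. All record values, host IDs and block IDs are constructed, and 1-based sequence numbering is assumed.

```python
"""Added example (not Elastic's code): apply the rule's script-block term logic to
constructed 4104 records, per record and after fragment reassembly."""
from collections import defaultdict

# Term groups copied from the rule's KQL. Matching is approximated here as a
# case-insensitive substring test; on the Elasticsearch text field KQL runs an
# analyzed phrase match, which can differ at token boundaries.
SINGLE_TERMS = ("Get-MicrophoneAudio", "WindowsAudioDevice-Powershell-Cmdlet")
AUDIO_DEVICE_GROUP = ("Get-AudioDevice", "Recording", "Set-AudioDevice")
WINMM_FUNCS = ("waveInGetNumDevs", "waveInOpen", "waveInStart",
               "mciSendString", "mciSendStringA", "mciSendStringW")
EXCLUSION_GROUP = ("sentinelbreakpoints", "Set-PSBreakpoint", "PowerSploitIndicators")


def _has(text, term):
    return term.lower() in text.lower()


def matches_rule(script_block_text):
    """True when one record's script_block_text satisfies the query's inclusion
    clause and does not satisfy its exclusion clause."""
    t = script_block_text
    hit = (any(_has(t, s) for s in SINGLE_TERMS)
           or all(_has(t, s) for s in AUDIO_DEVICE_GROUP)
           or (_has(t, "winmm.dll") and any(_has(t, f) for f in WINMM_FUNCS)))
    excluded = all(_has(t, s) for s in EXCLUSION_GROUP)
    return hit and not excluded


def reassemble(records):
    """Group fragments by (host.id, script_block_id), order them by sequence and
    join the text. Returns {key: (text, complete)}; complete is False when fewer
    fragments than powershell.total were collected."""
    frags = defaultdict(dict)
    totals = {}
    for r in records:
        key = (r["host.id"], r["powershell.file.script_block_id"])
        frags[key][r["powershell.sequence"]] = r["powershell.file.script_block_text"]
        totals[key] = r["powershell.total"]
    return {key: ("".join(parts[i] for i in sorted(parts)), len(parts) == totals[key])
            for key, parts in frags.items()}


def evaluate(records):
    """Per script: the verdict the rule reaches on each record alone, the verdict
    on the reassembled text, and whether reassembly was complete."""
    per_record = defaultdict(list)
    for r in records:
        key = (r["host.id"], r["powershell.file.script_block_id"])
        per_record[key].append(matches_rule(r["powershell.file.script_block_text"]))
    return {key: {"per_record": per_record[key],
                  "reassembled": matches_rule(text),
                  "complete": complete}
            for key, (text, complete) in reassemble(records).items()}


def _rec(host, block, seq, total, text):
    return {"host.id": host, "powershell.file.script_block_id": block,
            "powershell.sequence": seq, "powershell.total": total,
            "powershell.file.script_block_text": text}


# Constructed records (sequence numbers assumed 1-based, as in the 4104 "x of y" text).
CONSTRUCTED_RECORDS = [
    # One script split across two fragments: winmm.dll lands in the first,
    # the imported function name and the call land in the second.
    _rec("h-01", "blk-a", 1, 2,
         '$sig = \'[DllImport("winmm.dll")] public static extern int '),
    _rec("h-01", "blk-a", 2, 2,
         'mciSendString(string c, System.Text.StringBuilder r, int l, IntPtr h);\'\n'
         '$w = Add-Type -MemberDefinition $sig -Name W -Namespace N -PassThru\n'
         '$w::mciSendString("open new type waveaudio alias rec", $null, 0, 0)'),
    # Security-tool content that names the cmdlet only as an indicator and
    # carries all three exclusion terms, so the rule suppresses it.
    _rec("h-02", "blk-b", 1, 1,
         '$PowerSploitIndicators = @("Get-MicrophoneAudio")\n'
         '$sentinelbreakpoints = Set-PSBreakpoint -Command Get-MicrophoneAudio'),
    # Inert text with two of the three Get-AudioDevice group terms: no match.
    _rec("h-03", "blk-c", 1, 1,
         'Get-AudioDevice -List | Where-Object Type -eq "Recording"'),
]

if __name__ == "__main__":
    for key, verdict in evaluate(CONSTRUCTED_RECORDS).items():
        print(key, verdict)
```

Run directly, the script prints one verdict per (host.id, script_block_id). The two-fragment script comes back False on each record and True once reassembled, which is why the $investigate_0 pivot matters: the rule only sees what lands in a single record. Treat a reassembly whose complete flag is False as unresolved rather than clean, since the missing fragment may be the one holding the output path or upload logic.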
