Processes Accessing the Microphone and Webcam

Detects potential adversaries accessing the microphone and webcam on an endpoint.

Sigma rule

title: Processes Accessing the Microphone and Webcam
id: 8cd538a4-62d5-4e83-810b-12d41e428d6e
status: test
description: Potential adversaries accessing the microphone and webcam in an endpoint.
references:
    - https://twitter.com/duzvik/status/1269671601852813320
    - https://medium.com/@7a616368/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020/06/07
modified: 2021/11/27
tags:
    - attack.collection
    - attack.t1123
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID:
            - 4657
            - 4656
            - 4663
        ObjectName|contains:
            - '\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\NonPackaged'
            - '\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam\NonPackaged'
    condition: selection
falsepositives:
    - Unknown
level: medium
