Audio Capture via SoundRecorder

Aug 12, 2024 · attack.collection attack.t1123 ·

Detect attacker collecting audio via SoundRecorder application.

Sigma rule (View on GitHub)

 1title: Audio Capture via SoundRecorder
 2id: 83865853-59aa-449e-9600-74b9d89a6d6e
 3status: test
 4description: Detect attacker collecting audio via SoundRecorder application.
 5references:
 6    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1123/T1123.md
 7    - https://eqllib.readthedocs.io/en/latest/analytics/f72a98cb-7b3d-4100-99c3-a138b6e9ff6e.html
 8author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
 9date: 2019-10-24
10modified: 2021-11-27
11tags:
12    - attack.collection
13    - attack.t1123
14logsource:
15    category: process_creation
16    product: windows
17detection:
18    selection:
19        Image|endswith: '\SoundRecorder.exe'
20        CommandLine|contains: '/FILE'
21    condition: selection
22falsepositives:
23    - Legitimate audio capture by legitimate user.
24level: medium

References

atomic-red-team/atomics/T1123/T1123.md at f339e7da7d05f6057fdfcdd3742bfcf365fee2a9 · redcanaryco/atomic-red-team

Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team

Read More

Audio Capture via SoundRecorder

Sigma rule (View on GitHub)

References

atomic-red-team/atomics/T1123/T1123.md at f339e7da7d05f6057fdfcdd3742bfcf365fee2a9 · redcanaryco/atomic-red-team

Audio Capture via SoundRecorder — EQL Analytics Library documentation

Related rules