Audio Capture via SoundRecorder
Detect attacker collecting audio via SoundRecorder application.
Sigma rule (View on GitHub)
1title: Audio Capture via SoundRecorder
2id: 83865853-59aa-449e-9600-74b9d89a6d6e
3status: test
4description: Detect attacker collecting audio via SoundRecorder application.
5references:
6 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1123/T1123.md
7 - https://eqllib.readthedocs.io/en/latest/analytics/f72a98cb-7b3d-4100-99c3-a138b6e9ff6e.html
8author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
9date: 2019/10/24
10modified: 2021/11/27
11tags:
12 - attack.collection
13 - attack.t1123
14logsource:
15 category: process_creation
16 product: windows
17detection:
18 selection:
19 Image|endswith: '\SoundRecorder.exe'
20 CommandLine|contains: '/FILE'
21 condition: selection
22falsepositives:
23 - Legitimate audio capture by legitimate user.
24level: medium
References
-
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More -
Related rules
- Audio Capture
- Linux Capabilities Discovery
- Processes Accessing the Microphone and Webcam
- Suspicious Camera and Microphone Access
- Compress Data and Lock With Password for Exfiltration With WINZIP