Suspicious Camera and Microphone Access
Detects processes accessing the camera and microphone from a suspicious folder.
Sigma rule

```yaml
title: Suspicious Camera and Microphone Access
id: 62120148-6b7a-42be-8b91-271c04e281a3
status: test
description: Detects Processes accessing the camera and microphone from suspicious folder
references:
    - https://medium.com/@7a616368/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072
author: Den Iuzvyk
date: 2020-06-07
modified: 2022-10-09
tags:
    - attack.collection
    - attack.t1125
    - attack.t1123
logsource:
    category: registry_event
    product: windows
detection:
    selection_1:
        TargetObject|contains|all:
            - '\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\'
            - '\NonPackaged'
    selection_2:
        TargetObject|contains:
            - microphone
            - webcam
    selection_3:
        TargetObject|contains:
            - ':#Windows#Temp#'
            - ':#$Recycle.bin#'
            - ':#Temp#'
            - ':#Users#Public#'
            - ':#Users#Default#'
            - ':#Users#Desktop#'
    condition: all of selection_*
falsepositives:
    - Unlikely, there could be conferencing software running from a Temp folder accessing the devices
level: high
```
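To see how the three selections combine, the following added example (not part of the Sigma project or the original page) applies the rule's logic to constructed registry events and decodes the flagged executable path. It assumes Sigma's default case-insensitive `contains` matching and that the `NonPackaged` subkey name is the executable path with `\` written as `#`. The SID, paths, file names and the helper names `rule_matches`, `decode_exe_path` and `triage` are hypothetical.

```python
# Added example: the rule's three selections applied to constructed events.
PREFIX = "\\Software\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\ConsentStore\\"
SELECTION_1 = [PREFIX, "\\NonPackaged"]           # TargetObject|contains|all
SELECTION_2 = ["microphone", "webcam"]            # TargetObject|contains (any)
SELECTION_3 = [":#Windows#Temp#", ":#$Recycle.bin#", ":#Temp#",
               ":#Users#Public#", ":#Users#Default#", ":#Users#Desktop#"]

def hits(value, needles):
    """Case-insensitive substring test per needle (assumed Sigma 'contains' behaviour)."""
    low = value.lower()
    return [n.lower() in low for n in needles]

def rule_matches(event):
    """Implements 'condition: all of selection_*' for one registry event."""
    target = event.get("TargetObject", "")
    return (all(hits(target, SELECTION_1))
            and any(hits(target, SELECTION_2))
            and any(hits(target, SELECTION_3)))

def decode_exe_path(target):
    """Best effort: take the subkey after NonPackaged and turn '#' back into a backslash."""
    marker = "\\nonpackaged\\"
    start = target.lower().find(marker)
    if start < 0:
        return None
    subkey = target[start + len(marker):].split("\\", 1)[0]
    return subkey.replace("#", "\\")

def triage(events):
    """Return decoded executable paths for the events the rule would flag."""
    return [decode_exe_path(e["TargetObject"]) for e in events if rule_matches(e)]

# Constructed sample events (hypothetical SID, paths and file names).
HIVE = "HKU\\S-1-5-21-1111111111-2222222222-3333333333-1001" + PREFIX
SAMPLE_EVENTS = [
    {"TargetObject": HIVE + "microphone\\NonPackaged\\C:#Users#Public#rec.exe\\LastUsedTimeStart"},
    {"TargetObject": HIVE + "webcam\\NonPackaged\\c:#windows#temp#a.exe\\LastUsedTimeStop"},
    # Conferencing tool in Program Files: selection_3 does not match.
    {"TargetObject": HIVE + "webcam\\NonPackaged\\C:#Program Files#Conf#conf.exe\\LastUsedTimeStart"},
    # Different capability: selection_2 does not match.
    {"TargetObject": HIVE + "location\\NonPackaged\\C:#Windows#Temp#x.exe\\LastUsedTimeStart"},
    # Packaged app key: selection_1 does not match.
    {"TargetObject": HIVE + "microphone\\Contoso.App_abc123\\LastUsedTimeStart"},
]

if __name__ == "__main__":
    for path in triage(SAMPLE_EVENTS):
        print("ALERT:", path)
```
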
Related rules
- Audio Capture
- Audio Capture via PowerShell
- Audio Capture via SoundRecorder
- Linux Capabilities Discovery
- OpenCanary - SIP Request