Skip to content

Latest commit

 

History

History
55 lines (35 loc) · 2.35 KB

T1123.md

File metadata and controls

55 lines (35 loc) · 2.35 KB

T1123 - Audio Capture

An adversary can leverage a computer's peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening into sensitive conversations to gather information.

Malware or scripts may be used to interact with the devices through an available API provided by the operating system or an application to capture audio. Audio files may be written to disk and exfiltrated later.

Detection: Detection of this technique may be difficult due to the various APIs that may be used. Telemetry data regarding API use may not be useful depending on how a system is normally used, but may provide context to other potentially malicious activity occurring on a system.

Behavior that could indicate technique use include an unknown or unusual process accessing APIs associated with devices or software that interact with the microphone, recording devices, or recording software, and a process periodically writing files to disk that contain audio data.

Platforms: Linux, macOS, Windows

Data Sources: API monitoring, Process monitoring, File monitoring

Permissions Required: User

Atomic Tests


Atomic Test #1 - SourceRecorder via Windows command prompt

Create a file called test.wma, with the duration of 30 seconds

Supported Platforms: Windows

Inputs

Name Description Type Default Value
output_file Path to the recording file being captured Path test.wma
duration_hms Duration of audio to be recorded (in h:m:s format) Path 30

Run it with command_prompt!

SoundRecorder /FILE #{output_file} /DURATION #{duration_hms}


Atomic Test #2 - PowerShell Cmdlet via Windows command prompt

AudioDeviceCmdlets

Supported Platforms: Windows

Run it with command_prompt!

powershell.exe -Command WindowsAudioDevice-Powershell-Cmdlet