T1123

Audio Capture

Adversaries may leverage a computer's peripheral devices (e.g., microphones) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening into sensitive conversations. Malware or scripts interact with audio devices through OS APIs or application APIs to capture and record audio. Recorded files may be written to disk in staging directories and subsequently exfiltrated. Known malware families using this technique include Flame, ROKRAT, Bandook, VERMIN, TajMahal, Pupy, EvilGrab, LightSpy, Cadelspy, NanoCore, Crimson, MacMa, T9000, and Machete. PowerSploit's Get-MicrophoneAudio module provides an open-source implementation commonly repurposed by attackers.

Microsoft Sentinel / Defender

kusto

let AudioCaptureDlls = dynamic(["winmm.dll", "audioses.dll", "avrt.dll", "dsound.dll", "mfplat.dll"]);
let LegitAudioProcesses = dynamic([
  "audiodg.exe", "svchost.exe", "wmplayer.exe", "groove.exe", "msiexec.exe",
  "teams.exe", "ms-teams.exe", "zoom.exe", "zoomwebviewhost.exe",
  "skype.exe", "skypehost.exe", "skypebridge.exe",
  "discord.exe", "slack.exe", "webex.exe",
  "chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe", "opera.exe",
  "spotify.exe", "vlc.exe", "mpv.exe", "SoundRecorder.exe",
  "RuntimeBroker.exe", "ShellExperienceHost.exe", "SearchHost.exe",
  "SystemSettings.exe", "explorer.exe"
]);
let AudioExtensions = dynamic([".wav", ".mp3", ".wma", ".ogg", ".flac", ".aac", ".m4a", ".raw"]);
let SuspiciousStagingPaths = dynamic([
  "\\AppData\\Local\\Temp\\", "\\AppData\\Roaming\\Intel\\",
  "\\AppData\\Roaming\\Microsoft\\Windows\\",
  "\\Users\\Public\\", "\\ProgramData\\", "\\Windows\\Temp\\",
  "\\Windows\\Tasks\\", "\\Recycle"
]);
union
(
    DeviceImageLoadEvents
    | where Timestamp > ago(24h)
    | where FileName in~ (AudioCaptureDlls)
    | where not (InitiatingProcessFileName in~ (LegitAudioProcesses))
    | where not (InitiatingProcessFolderPath has_any ("\\Program Files\\", "\\Program Files (x86)\\", "\\Windows\\System32\\", "\\Windows\\SysWOW64\\"))
    | extend DetectionType = "SuspiciousAudioDllLoad"
    | extend Detail = strcat("Process loaded audio DLL: ", FileName)
    | project Timestamp, DeviceName, AccountName, DetectionType, Detail,
              ProcessName = InitiatingProcessFileName,
              CommandLine = InitiatingProcessCommandLine,
              ProcessPath = InitiatingProcessFolderPath
),
(
    DeviceFileEvents
    | where Timestamp > ago(24h)
    | where ActionType == "FileCreated"
    | where FileName has_any (AudioExtensions)
    | where FolderPath has_any (SuspiciousStagingPaths)
    | where not (InitiatingProcessFileName in~ (LegitAudioProcesses))
    | extend DetectionType = "AudioFileStagedInSuspiciousPath"
    | extend Detail = strcat("Audio file created: ", FolderPath)
    | project Timestamp, DeviceName, AccountName, DetectionType, Detail,
              ProcessName = InitiatingProcessFileName,
              CommandLine = InitiatingProcessCommandLine,
              ProcessPath = InitiatingProcessFolderPath
),
(
    DeviceProcessEvents
    | where Timestamp > ago(24h)
    | where ProcessCommandLine has_any (
        "Get-MicrophoneAudio", "WaveInEvent", "WaveFileWriter", "NAudio",
        "mciSendString", "waveInOpen", "AudioCapture", "MicCapture",
        "dshow\", \"audio=", "-f dshow", "avfoundation",
        "WindowsAudioDevice", "CoreAudio", "AVAudioRecorder"
      )
    | extend DetectionType = "AudioCaptureToolUsage"
    | extend Detail = strcat("Audio capture keyword in command line: ", ProcessCommandLine)
    | project Timestamp, DeviceName, AccountName, DetectionType, Detail,
              ProcessName = FileName,
              CommandLine = ProcessCommandLine,
              ProcessPath = FolderPath
)
| sort by Timestamp desc

high severity medium confidence

Data Sources

Module: Module Load File: File Creation Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceImageLoadEvents DeviceFileEvents DeviceProcessEvents

False Positives

Legitimate audio/video conferencing software (Teams, Zoom, Webex, Discord) loading audio DLLs from non-standard install paths or as part of update processes
Media production software (Audacity, Adobe Audition, OBS, DAWs) creating audio files in user-defined output directories that overlap with staging path heuristics
Voice recognition software (Dragon NaturallySpeaking, Windows Cortana/Speech services) continuously accessing audio APIs in the background
Game software or streaming tools (OBS, XSplit) that capture system audio via DirectSound or WASAPI for game capture
Podcast or screencasting tools recording audio to AppData as their default output path
Security testing or red team exercises using PowerSploit or atomic-red-team audio test scripts

Splunk

spl

index=wineventlog (
  sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
  (EventCode=7 OR EventCode=11 OR EventCode=1)
)
| eval is_audio_dll_load=if(
    EventCode=7 AND (
      match(ImageLoaded, "(?i)\\\\winmm\.dll$") OR
      match(ImageLoaded, "(?i)\\\\audioses\.dll$") OR
      match(ImageLoaded, "(?i)\\\\avrt\.dll$") OR
      match(ImageLoaded, "(?i)\\\\dsound\.dll$") OR
      match(ImageLoaded, "(?i)\\\\mfplat\.dll$")
    ) AND NOT (
      match(Image, "(?i)(audiodg|svchost|wmplayer|groove|teams|ms-teams|zoom|skype|discord|slack|webex|chrome|msedge|firefox|iexplore|spotify|vlc|RuntimeBroker|ShellExperienceHost|explorer)\.exe$")
      OR match(Image, "(?i)\\\\(Program Files|Program Files \(x86\)|Windows\\System32|Windows\\SysWOW64)\\\\")
    ),
    1, 0
  )
| eval is_audio_file_staged=if(
    EventCode=11 AND (
      match(TargetFilename, "(?i)\.(wav|mp3|wma|ogg|flac|aac|m4a|raw)$")
    ) AND (
      match(TargetFilename, "(?i)(\\AppData\\Local\\Temp\\|\\AppData\\Roaming\\|\\Users\\Public\\|\\ProgramData\\|\\Windows\\Temp\\|\\Windows\\Tasks\\)")
    ) AND NOT (
      match(Image, "(?i)(audiodg|wmplayer|groove|teams|ms-teams|zoom|skype|discord|slack|webex|chrome|msedge|firefox|spotify|vlc|SoundRecorder)\.exe$")
    ),
    1, 0
  )
| eval is_audio_tool=if(
    EventCode=1 AND (
      match(CommandLine, "(?i)(Get-MicrophoneAudio|WaveInEvent|WaveFileWriter|NAudio|mciSendString|waveInOpen|AudioCapture|MicCapture|-f dshow|audio=|avfoundation|WindowsAudioDevice|CoreAudio|AVAudioRecorder)")
    ),
    1, 0
  )
| where is_audio_dll_load=1 OR is_audio_file_staged=1 OR is_audio_tool=1
| eval DetectionType=case(
    is_audio_tool=1, "AudioCaptureToolUsage",
    is_audio_file_staged=1, "AudioFileStagedInSuspiciousPath",
    is_audio_dll_load=1, "SuspiciousAudioDllLoad",
    true(), "Unknown"
  )
| eval ProcessName=coalesce(Image, "unknown")
| eval AffectedFile=coalesce(TargetFilename, ImageLoaded, "")
| table _time, host, User, DetectionType, ProcessName, CommandLine, AffectedFile
| sort - _time

high severity medium confidence

Data Sources

Module: Module Load File: File Creation Process: Process Creation Command: Command Execution Sysmon Event ID 1 Sysmon Event ID 7 Sysmon Event ID 11

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legitimate audio/video conferencing software loading audio DLLs from non-standard paths during first run or update
Media production or podcast software (Audacity, OBS, Adobe Audition) saving audio to AppData or ProgramData as a default output path
Voice recognition or accessibility software continuously loading audio APIs (Dragon, Windows Speech Recognition, Cortana)
Game audio SDKs (FMOD, Wwise) loaded by game client processes that are not in the allowlist
Security research or red team tooling running Get-MicrophoneAudio or atomic test scripts in authorized testing environments

Elastic Security (EQL)

eql

any where
  (
    event.category == "library" and
    dll.name in~ ("winmm.dll", "audioses.dll", "avrt.dll", "dsound.dll", "mfplat.dll") and
    not process.name in~ ("audiodg.exe", "svchost.exe", "wmplayer.exe", "groove.exe", "teams.exe", "ms-teams.exe", "zoom.exe", "zoomwebviewhost.exe", "skype.exe", "skypehost.exe", "discord.exe", "slack.exe", "webex.exe", "chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe", "opera.exe", "spotify.exe", "vlc.exe", "mpv.exe", "SoundRecorder.exe", "RuntimeBroker.exe", "ShellExperienceHost.exe", "explorer.exe") and
    not process.executable : ("*\\Program Files\\*", "*\\Program Files (x86)\\*", "*\\Windows\\System32\\*", "*\\Windows\\SysWOW64\\*")
  ) or
  (
    event.category == "file" and
    event.action == "creation" and
    file.extension in~ ("wav", "mp3", "wma", "ogg", "flac", "aac", "m4a", "raw") and
    (
      file.path : "*\\AppData\\Local\\Temp\\*" or
      file.path : "*\\AppData\\Roaming\\*" or
      file.path : "*\\Users\\Public\\*" or
      file.path : "*\\ProgramData\\*" or
      file.path : "*\\Windows\\Temp\\*" or
      file.path : "*\\Windows\\Tasks\\*" or
      file.path : "*\\Recycle*"
    ) and
    not process.name in~ ("audiodg.exe", "wmplayer.exe", "groove.exe", "teams.exe", "ms-teams.exe", "zoom.exe", "skype.exe", "discord.exe", "slack.exe", "webex.exe", "chrome.exe", "msedge.exe", "firefox.exe", "spotify.exe", "vlc.exe", "SoundRecorder.exe")
  ) or
  (
    event.category == "process" and
    event.type == "start" and
    process.command_line : ("*Get-MicrophoneAudio*", "*WaveInEvent*", "*WaveFileWriter*", "*NAudio*", "*mciSendString*", "*waveInOpen*", "*AudioCapture*", "*MicCapture*", "*-f dshow*", "*audio=*", "*avfoundation*", "*WindowsAudioDevice*", "*CoreAudio*", "*AVAudioRecorder*")
  )

high severity medium confidence

Data Sources

Elastic Endpoint Security Windows Sysmon via Filebeat Elastic Agent (Endpoint integration)

Required Tables

logs-endpoint.events.library-* logs-endpoint.events.file-* logs-endpoint.events.process-* logs-system.system-*

False Positives

Legitimate audio recording or editing software (Audacity, Adobe Audition, OBS Studio) loading winmm.dll or mfplat.dll from non-standard install paths such as user profile directories
Developer tools building or testing audio applications (e.g., compiling NAudio-based projects) generating audio output files in %TEMP% as part of unit tests
Screen recording or video conferencing software installed in per-user locations (not Program Files) that loads audio DLLs and writes temporary audio buffers to AppData paths
Game launchers or mod tools that hook audio APIs for equalizer or voice-changer features and operate from non-standard directories
System imaging or backup tools that capture WAV/MP3 audio alerts or notification sounds to staging directories during backup operations

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  LOGSOURCENAME(logsourceid) AS LogSource,
  sourceip,
  username,
  QIDNAME(qid) AS EventName,
  "ImageLoaded",
  "Image",
  "CommandLine",
  "TargetFilename",
  CASE
    WHEN "CommandLine" ILIKE '%Get-MicrophoneAudio%'
      OR "CommandLine" ILIKE '%WaveInEvent%'
      OR "CommandLine" ILIKE '%waveInOpen%'
      OR "CommandLine" ILIKE '%AudioCapture%'
      OR "CommandLine" ILIKE '%-f dshow%'
      OR "CommandLine" ILIKE '%avfoundation%'
      OR "CommandLine" ILIKE '%CoreAudio%'
      OR "CommandLine" ILIKE '%AVAudioRecorder%' THEN 'AudioCaptureToolUsage'
    WHEN ("TargetFilename" ILIKE '%.wav'
      OR "TargetFilename" ILIKE '%.mp3'
      OR "TargetFilename" ILIKE '%.wma'
      OR "TargetFilename" ILIKE '%.ogg'
      OR "TargetFilename" ILIKE '%.flac'
      OR "TargetFilename" ILIKE '%.aac'
      OR "TargetFilename" ILIKE '%.m4a'
      OR "TargetFilename" ILIKE '%.raw') THEN 'AudioFileStagedInSuspiciousPath'
    ELSE 'SuspiciousAudioDllLoad'
  END AS DetectionType
FROM events
WHERE LOGSOURCETYPEID = 28
  AND (
    (
      QIDNAME(qid) ILIKE '%Image Loaded%'
      AND (
        "ImageLoaded" ILIKE '%\winmm.dll'
        OR "ImageLoaded" ILIKE '%\audioses.dll'
        OR "ImageLoaded" ILIKE '%\avrt.dll'
        OR "ImageLoaded" ILIKE '%\dsound.dll'
        OR "ImageLoaded" ILIKE '%\mfplat.dll'
      )
      AND NOT (
        "Image" ILIKE '%audiodg.exe'
        OR "Image" ILIKE '%svchost.exe'
        OR "Image" ILIKE '%wmplayer.exe'
        OR "Image" ILIKE '%groove.exe'
        OR "Image" ILIKE '%teams.exe'
        OR "Image" ILIKE '%ms-teams.exe'
        OR "Image" ILIKE '%zoom.exe'
        OR "Image" ILIKE '%skype.exe'
        OR "Image" ILIKE '%discord.exe'
        OR "Image" ILIKE '%slack.exe'
        OR "Image" ILIKE '%webex.exe'
        OR "Image" ILIKE '%chrome.exe'
        OR "Image" ILIKE '%msedge.exe'
        OR "Image" ILIKE '%firefox.exe'
        OR "Image" ILIKE '%spotify.exe'
        OR "Image" ILIKE '%vlc.exe'
        OR "Image" ILIKE '%RuntimeBroker.exe'
        OR "Image" ILIKE '%explorer.exe'
        OR "Image" ILIKE '%Program Files%'
        OR "Image" ILIKE '%Windows\System32%'
        OR "Image" ILIKE '%Windows\SysWOW64%'
      )
    )
    OR (
      QIDNAME(qid) ILIKE '%File Created%'
      AND (
        "TargetFilename" ILIKE '%.wav'
        OR "TargetFilename" ILIKE '%.mp3'
        OR "TargetFilename" ILIKE '%.wma'
        OR "TargetFilename" ILIKE '%.ogg'
        OR "TargetFilename" ILIKE '%.flac'
        OR "TargetFilename" ILIKE '%.aac'
        OR "TargetFilename" ILIKE '%.m4a'
        OR "TargetFilename" ILIKE '%.raw'
      )
      AND (
        "TargetFilename" ILIKE '%AppData%Temp%'
        OR "TargetFilename" ILIKE '%AppData%Roaming%'
        OR "TargetFilename" ILIKE '%Users%Public%'
        OR "TargetFilename" ILIKE '%ProgramData%'
        OR "TargetFilename" ILIKE '%Windows%Temp%'
        OR "TargetFilename" ILIKE '%Windows%Tasks%'
        OR "TargetFilename" ILIKE '%Recycle%'
      )
      AND NOT (
        "Image" ILIKE '%audiodg.exe'
        OR "Image" ILIKE '%wmplayer.exe'
        OR "Image" ILIKE '%teams.exe'
        OR "Image" ILIKE '%zoom.exe'
        OR "Image" ILIKE '%discord.exe'
        OR "Image" ILIKE '%spotify.exe'
        OR "Image" ILIKE '%vlc.exe'
        OR "Image" ILIKE '%SoundRecorder.exe'
      )
    )
    OR (
      QIDNAME(qid) ILIKE '%Process Create%'
      AND (
        "CommandLine" ILIKE '%Get-MicrophoneAudio%'
        OR "CommandLine" ILIKE '%WaveInEvent%'
        OR "CommandLine" ILIKE '%WaveFileWriter%'
        OR "CommandLine" ILIKE '%NAudio%'
        OR "CommandLine" ILIKE '%mciSendString%'
        OR "CommandLine" ILIKE '%waveInOpen%'
        OR "CommandLine" ILIKE '%AudioCapture%'
        OR "CommandLine" ILIKE '%MicCapture%'
        OR "CommandLine" ILIKE '%-f dshow%'
        OR "CommandLine" ILIKE '%audio=%'
        OR "CommandLine" ILIKE '%avfoundation%'
        OR "CommandLine" ILIKE '%WindowsAudioDevice%'
        OR "CommandLine" ILIKE '%CoreAudio%'
        OR "CommandLine" ILIKE '%AVAudioRecorder%'
      )
    )
  )
LAST 24 HOURS
ORDER BY starttime DESC

high severity medium confidence

Data Sources

IBM QRadar SIEM Microsoft Sysmon via QRadar Windows Agent

Required Tables

events

False Positives

Custom enterprise audio conferencing or accessibility software installed outside Program Files that loads winmm.dll and writes temp audio buffers to AppData paths
Automated QA or test harness processes that exercise audio APIs and output test recordings to Windows Temp directories as part of regression test suites
Music production or podcast editing software (e.g., Reaper, Audacity portable editions) running from user-writable paths that load audio DLLs during startup
IT monitoring agents that record ambient noise levels or audio quality metrics and stage files prior to upload

Sumo Logic CSE

sql

_sourceCategory="WinEventLog/Sysmon"
| where EventCode in ("1", "7", "11")
| parse field=_raw "<Data Name='Image'>*</Data>" as Image nodrop
| parse field=_raw "<Data Name='ImageLoaded'>*</Data>" as ImageLoaded nodrop
| parse field=_raw "<Data Name='CommandLine'>*</Data>" as CommandLine nodrop
| parse field=_raw "<Data Name='TargetFilename'>*</Data>" as TargetFilename nodrop
| parse field=_raw "<Data Name='User'>*</Data>" as User nodrop
| parse field=_raw "<Data Name='Computer'>*</Data>" as Computer nodrop
// Branch 1: Suspicious audio DLL load (Sysmon Event 7)
| eval is_audio_dll = if(
    EventCode = "7"
    AND (
      matches(ImageLoaded, "(?i)\\\\winmm\.dll$")
      OR matches(ImageLoaded, "(?i)\\\\audioses\.dll$")
      OR matches(ImageLoaded, "(?i)\\\\avrt\.dll$")
      OR matches(ImageLoaded, "(?i)\\\\dsound\.dll$")
      OR matches(ImageLoaded, "(?i)\\\\mfplat\.dll$")
    )
    AND NOT (
      matches(Image, "(?i)(audiodg|svchost|wmplayer|groove|teams|ms-teams|zoom|zoomwebviewhost|skype|skypehost|discord|slack|webex|chrome|msedge|firefox|iexplore|opera|spotify|vlc|mpv|SoundRecorder|RuntimeBroker|ShellExperienceHost|SearchHost|SystemSettings|explorer)\.exe$")
      OR matches(Image, "(?i)\\\\(Program Files|Program Files \\(x86\\)|Windows\\\\System32|Windows\\\\SysWOW64)\\\\")
    ),
    1, 0
  )
// Branch 2: Audio file staged in suspicious path (Sysmon Event 11)
| eval is_audio_staged = if(
    EventCode = "11"
    AND matches(TargetFilename, "(?i)\\.(wav|mp3|wma|ogg|flac|aac|m4a|raw)$")
    AND (
      matches(TargetFilename, "(?i)AppData\\\\Local\\\\Temp")
      OR matches(TargetFilename, "(?i)AppData\\\\Roaming")
      OR matches(TargetFilename, "(?i)Users\\\\Public")
      OR matches(TargetFilename, "(?i)ProgramData")
      OR matches(TargetFilename, "(?i)Windows\\\\Temp")
      OR matches(TargetFilename, "(?i)Windows\\\\Tasks")
      OR matches(TargetFilename, "(?i)Recycle")
    )
    AND NOT (
      matches(Image, "(?i)(audiodg|wmplayer|groove|teams|ms-teams|zoom|skype|discord|slack|webex|chrome|msedge|firefox|spotify|vlc|SoundRecorder)\.exe$")
    ),
    1, 0
  )
// Branch 3: Audio capture tool keyword in command line (Sysmon Event 1)
| eval is_audio_tool = if(
    EventCode = "1"
    AND (
      matches(CommandLine, "(?i)(Get-MicrophoneAudio|WaveInEvent|WaveFileWriter|NAudio|mciSendString|waveInOpen|AudioCapture|MicCapture|-f dshow|audio=|avfoundation|WindowsAudioDevice|CoreAudio|AVAudioRecorder)")
    ),
    1, 0
  )
| where is_audio_dll = 1 OR is_audio_staged = 1 OR is_audio_tool = 1
| eval DetectionType = if(is_audio_tool = 1, "AudioCaptureToolUsage",
    if(is_audio_staged = 1, "AudioFileStagedInSuspiciousPath", "SuspiciousAudioDllLoad"))
| eval AffectedArtifact = if(EventCode = "7", ImageLoaded,
    if(EventCode = "11", TargetFilename, ""))
| fields _messageTime, Computer, User, DetectionType, Image, CommandLine, AffectedArtifact
| sort by _messageTime desc

high severity medium confidence

Data Sources

Sumo Logic Installed Collector (Windows) Microsoft Sysmon Operational Event Log

Required Tables

WinEventLog/Sysmon

False Positives

Portable or per-user installed audio software (e.g., Audacity portable, ffmpeg scripts) launched from AppData directories that loads audio DLLs and writes output files to Temp
Voice-enabled helpdesk or call-center software that records and temporarily buffers agent calls in ProgramData staging directories before upload to a CRM
Automated voice response testing frameworks that exercise waveInOpen and mciSendString APIs to validate audio hardware in CI pipelines
Accessibility tools such as screen readers or dictation utilities (not on the allowlist) that load audio DLLs and produce audio output files during operation

Google Chronicle / SecOps

yaral

rule t1123_audio_capture {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1123 Audio Capture via suspicious audio DLL loads, audio file staging in malware-typical paths, or use of known audio capture APIs and tools."
    mitre_attack_tactic = "Collection"
    mitre_attack_technique = "T1123"
    mitre_attack_technique_id = "T1123"
    reference = "https://attack.mitre.org/techniques/T1123/"
    severity = "HIGH"
    confidence = "MEDIUM"
    version = "1.0"

  events:
    (
      // Branch 1: Suspicious audio DLL load by non-whitelisted process
      $e.metadata.event_type = "PROCESS_MODULE_LOAD" and
      (
        $e.target.file.full_path = /(?i)(\\|\/)winmm\.dll$/ or
        $e.target.file.full_path = /(?i)(\\|\/)audioses\.dll$/ or
        $e.target.file.full_path = /(?i)(\\|\/)avrt\.dll$/ or
        $e.target.file.full_path = /(?i)(\\|\/)dsound\.dll$/ or
        $e.target.file.full_path = /(?i)(\\|\/)mfplat\.dll$/
      ) and
      not $e.principal.process.file.full_path = /(?i)(audiodg|svchost|wmplayer|groove|teams|ms-teams|zoom|zoomwebviewhost|skype|skypehost|skypebridge|discord|slack|webex|chrome|msedge|firefox|iexplore|opera|spotify|vlc|mpv|SoundRecorder|RuntimeBroker|ShellExperienceHost|SearchHost|SystemSettings|explorer)\.exe$/ and
      not $e.principal.process.file.full_path = /(?i)\\(Program Files|Program Files \(x86\)|Windows\\System32|Windows\\SysWOW64)\\/
    ) or
    (
      // Branch 2: Audio file written to suspicious staging directory
      $e.metadata.event_type = "FILE_CREATION" and
      $e.target.file.full_path = /(?i)\.(wav|mp3|wma|ogg|flac|aac|m4a|raw)$/ and
      (
        $e.target.file.full_path = /(?i)\\AppData\\Local\\Temp\\/ or
        $e.target.file.full_path = /(?i)\\AppData\\Roaming\\/ or
        $e.target.file.full_path = /(?i)\\Users\\Public\\/ or
        $e.target.file.full_path = /(?i)\\ProgramData\\/ or
        $e.target.file.full_path = /(?i)\\Windows\\Temp\\/ or
        $e.target.file.full_path = /(?i)\\Windows\\Tasks\\/ or
        $e.target.file.full_path = /(?i)\\Recycle/
      ) and
      not $e.principal.process.file.full_path = /(?i)(audiodg|wmplayer|groove|teams|ms-teams|zoom|skype|discord|slack|webex|chrome|msedge|firefox|spotify|vlc|SoundRecorder)\.exe$/
    ) or
    (
      // Branch 3: Process launched with audio capture tool or API keywords
      $e.metadata.event_type = "PROCESS_LAUNCH" and
      $e.target.process.command_line = /(?i)(Get-MicrophoneAudio|WaveInEvent|WaveFileWriter|NAudio|mciSendString|waveInOpen|AudioCapture|MicCapture|-f dshow|audio=|avfoundation|WindowsAudioDevice|CoreAudio|AVAudioRecorder)/
    )

  condition:
    $e
}

high severity medium confidence

Data Sources

Google Chronicle SIEM Chronicle Unified Data Model (UDM) Windows Sysmon via Chronicle forwarder CrowdStrike Falcon via Chronicle integration

Required Tables

UDM events (PROCESS_MODULE_LOAD, FILE_CREATION, PROCESS_LAUNCH)

False Positives

Third-party audio drivers or DAW (Digital Audio Workstation) software installed in non-standard locations that load avrt.dll and dsound.dll and write session audio to AppData
Video game titles that use DirectSound (dsound.dll) for spatial audio and run from user-writable locations such as Steam's userdata directory
Enterprise telephony clients (not in the allowlist) that use Windows Media Foundation (mfplat.dll) for codec handling and temporarily buffer call recordings in ProgramData
Security testing tools or red team assessments using PowerSploit or NAudio as part of authorized penetration testing engagements

CrowdStrike LogScale (CQL)

cql

// T1123 Audio Capture - CrowdStrike Falcon LogScale (CQL)
// Detect audio DLL loads, staged audio files, and audio capture tool usage

#event_simpleName = /^(ClassifiedModuleLoad|PeFileWritten|ProcessRollup2)$/

| case {
    // Branch 1: Suspicious audio DLL loaded by non-whitelisted process
    #event_simpleName = "ClassifiedModuleLoad"
    | regex("(?i)(\\\\|\/)winmm\.dll$|audioses\.dll$|avrt\.dll$|dsound\.dll$|mfplat\.dll$", field=ModulePath, strict=false)
    | !regex("(?i)(audiodg|svchost|wmplayer|groove|teams|ms-teams|zoom|zoomwebviewhost|skype|skypehost|discord|slack|webex|chrome|msedge|firefox|iexplore|opera|spotify|vlc|mpv|SoundRecorder|RuntimeBroker|ShellExperienceHost|explorer)\.exe$", field=ImageFileName)
    | !regex("(?i)\\\\(Program Files|Program Files \\(x86\\)|Windows\\\\System32|Windows\\\\SysWOW64)\\\\", field=ImageFileName)
    | DetectionType := "SuspiciousAudioDllLoad"
    | AffectedArtifact := ModulePath ;

    // Branch 2: Audio file written to suspicious staging directory
    #event_simpleName = "PeFileWritten"
    | regex("(?i)\\.(wav|mp3|wma|ogg|flac|aac|m4a|raw)$", field=TargetFileName, strict=false)
    | regex("(?i)(AppData.+Temp|AppData.+Roaming|Users.+Public|ProgramData|Windows.+Temp|Windows.+Tasks|Recycle)", field=TargetFileName, strict=false)
    | !regex("(?i)(audiodg|wmplayer|groove|teams|ms-teams|zoom|skype|discord|slack|webex|chrome|msedge|firefox|spotify|vlc|SoundRecorder)\.exe$", field=ImageFileName)
    | DetectionType := "AudioFileStagedInSuspiciousPath"
    | AffectedArtifact := TargetFileName ;

    // Branch 3: Process launched with audio capture tool or API keywords
    #event_simpleName = "ProcessRollup2"
    | regex("(?i)(Get-MicrophoneAudio|WaveInEvent|WaveFileWriter|NAudio|mciSendString|waveInOpen|AudioCapture|MicCapture|-f dshow|audio=|avfoundation|WindowsAudioDevice|CoreAudio|AVAudioRecorder)", field=CommandLine, strict=false)
    | DetectionType := "AudioCaptureToolUsage"
    | AffectedArtifact := CommandLine ;

    // Drop unmatched events
    * | drop([])
  }

| table([timestamp, ComputerName, UserName, DetectionType, ImageFileName, CommandLine, AffectedArtifact, ModulePath])
| sort(timestamp, order=desc)

high severity medium confidence

Data Sources

CrowdStrike Falcon Endpoint Protection Falcon Insight XDR

Required Tables

ClassifiedModuleLoad PeFileWritten ProcessRollup2

False Positives

Legitimate media creation tools (OBS Studio, Streamlabs, XSplit) installed outside Program Files in per-user directories that load dsound.dll or mfplat.dll during startup
Game anti-cheat or overlay software that hooks DirectSound (dsound.dll) to enforce audio policy and runs from non-standard paths under a game title's directory
Automated voice quality monitoring agents used by enterprise call centers that record sample audio to ProgramData or Windows Temp as part of diagnostics workflows
Red team or penetration testing engagements using PowerSploit's Get-MicrophoneAudio or ffmpeg with dshow input on hosts explicitly included in an authorized testing scope

Last updated: 2026-04-19 Research depth: deep

References (11)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1123 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Audio Capture

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Collection

Popular Detections