T1123 IBM QRadar · QRadar

Detect Audio Capture in IBM QRadar

Adversaries may leverage a computer's peripheral devices (e.g., microphones) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening into sensitive conversations. Malware or scripts interact with audio devices through OS APIs or application APIs to capture and record audio. Recorded files may be written to disk in staging directories and subsequently exfiltrated. Known malware families using this technique include Flame, ROKRAT, Bandook, VERMIN, TajMahal, Pupy, EvilGrab, LightSpy, Cadelspy, NanoCore, Crimson, MacMa, T9000, and Machete. PowerSploit's Get-MicrophoneAudio module provides an open-source implementation commonly repurposed by attackers.

MITRE ATT&CK

Tactic
Collection
Technique
T1123 Audio Capture
Canonical reference
https://attack.mitre.org/techniques/T1123/

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  LOGSOURCENAME(logsourceid) AS LogSource,
  sourceip,
  username,
  QIDNAME(qid) AS EventName,
  "ImageLoaded",
  "Image",
  "CommandLine",
  "TargetFilename",
  CASE
    WHEN "CommandLine" ILIKE '%Get-MicrophoneAudio%'
      OR "CommandLine" ILIKE '%WaveInEvent%'
      OR "CommandLine" ILIKE '%waveInOpen%'
      OR "CommandLine" ILIKE '%AudioCapture%'
      OR "CommandLine" ILIKE '%-f dshow%'
      OR "CommandLine" ILIKE '%avfoundation%'
      OR "CommandLine" ILIKE '%CoreAudio%'
      OR "CommandLine" ILIKE '%AVAudioRecorder%' THEN 'AudioCaptureToolUsage'
    WHEN ("TargetFilename" ILIKE '%.wav'
      OR "TargetFilename" ILIKE '%.mp3'
      OR "TargetFilename" ILIKE '%.wma'
      OR "TargetFilename" ILIKE '%.ogg'
      OR "TargetFilename" ILIKE '%.flac'
      OR "TargetFilename" ILIKE '%.aac'
      OR "TargetFilename" ILIKE '%.m4a'
      OR "TargetFilename" ILIKE '%.raw') THEN 'AudioFileStagedInSuspiciousPath'
    ELSE 'SuspiciousAudioDllLoad'
  END AS DetectionType
FROM events
WHERE LOGSOURCETYPEID = 28
  AND (
    (
      QIDNAME(qid) ILIKE '%Image Loaded%'
      AND (
        "ImageLoaded" ILIKE '%\winmm.dll'
        OR "ImageLoaded" ILIKE '%\audioses.dll'
        OR "ImageLoaded" ILIKE '%\avrt.dll'
        OR "ImageLoaded" ILIKE '%\dsound.dll'
        OR "ImageLoaded" ILIKE '%\mfplat.dll'
      )
      AND NOT (
        "Image" ILIKE '%audiodg.exe'
        OR "Image" ILIKE '%svchost.exe'
        OR "Image" ILIKE '%wmplayer.exe'
        OR "Image" ILIKE '%groove.exe'
        OR "Image" ILIKE '%teams.exe'
        OR "Image" ILIKE '%ms-teams.exe'
        OR "Image" ILIKE '%zoom.exe'
        OR "Image" ILIKE '%skype.exe'
        OR "Image" ILIKE '%discord.exe'
        OR "Image" ILIKE '%slack.exe'
        OR "Image" ILIKE '%webex.exe'
        OR "Image" ILIKE '%chrome.exe'
        OR "Image" ILIKE '%msedge.exe'
        OR "Image" ILIKE '%firefox.exe'
        OR "Image" ILIKE '%spotify.exe'
        OR "Image" ILIKE '%vlc.exe'
        OR "Image" ILIKE '%RuntimeBroker.exe'
        OR "Image" ILIKE '%explorer.exe'
        OR "Image" ILIKE '%Program Files%'
        OR "Image" ILIKE '%Windows\System32%'
        OR "Image" ILIKE '%Windows\SysWOW64%'
      )
    )
    OR (
      QIDNAME(qid) ILIKE '%File Created%'
      AND (
        "TargetFilename" ILIKE '%.wav'
        OR "TargetFilename" ILIKE '%.mp3'
        OR "TargetFilename" ILIKE '%.wma'
        OR "TargetFilename" ILIKE '%.ogg'
        OR "TargetFilename" ILIKE '%.flac'
        OR "TargetFilename" ILIKE '%.aac'
        OR "TargetFilename" ILIKE '%.m4a'
        OR "TargetFilename" ILIKE '%.raw'
      )
      AND (
        "TargetFilename" ILIKE '%AppData%Temp%'
        OR "TargetFilename" ILIKE '%AppData%Roaming%'
        OR "TargetFilename" ILIKE '%Users%Public%'
        OR "TargetFilename" ILIKE '%ProgramData%'
        OR "TargetFilename" ILIKE '%Windows%Temp%'
        OR "TargetFilename" ILIKE '%Windows%Tasks%'
        OR "TargetFilename" ILIKE '%Recycle%'
      )
      AND NOT (
        "Image" ILIKE '%audiodg.exe'
        OR "Image" ILIKE '%wmplayer.exe'
        OR "Image" ILIKE '%teams.exe'
        OR "Image" ILIKE '%zoom.exe'
        OR "Image" ILIKE '%discord.exe'
        OR "Image" ILIKE '%spotify.exe'
        OR "Image" ILIKE '%vlc.exe'
        OR "Image" ILIKE '%SoundRecorder.exe'
      )
    )
    OR (
      QIDNAME(qid) ILIKE '%Process Create%'
      AND (
        "CommandLine" ILIKE '%Get-MicrophoneAudio%'
        OR "CommandLine" ILIKE '%WaveInEvent%'
        OR "CommandLine" ILIKE '%WaveFileWriter%'
        OR "CommandLine" ILIKE '%NAudio%'
        OR "CommandLine" ILIKE '%mciSendString%'
        OR "CommandLine" ILIKE '%waveInOpen%'
        OR "CommandLine" ILIKE '%AudioCapture%'
        OR "CommandLine" ILIKE '%MicCapture%'
        OR "CommandLine" ILIKE '%-f dshow%'
        OR "CommandLine" ILIKE '%audio=%'
        OR "CommandLine" ILIKE '%avfoundation%'
        OR "CommandLine" ILIKE '%WindowsAudioDevice%'
        OR "CommandLine" ILIKE '%CoreAudio%'
        OR "CommandLine" ILIKE '%AVAudioRecorder%'
      )
    )
  )
LAST 24 HOURS
ORDER BY starttime DESC
high severity medium confidence

QRadar AQL query targeting Sysmon events (LOGSOURCETYPEID=28) to detect audio capture via three sub-techniques: suspicious DLL loads of audio subsystem libraries by non-whitelisted processes (Sysmon EventID 7), audio-format files written to known malware staging directories (Sysmon EventID 11), and process executions containing audio capture API strings or tooling keywords in their command line (Sysmon EventID 1).

Data Sources

IBM QRadar SIEMMicrosoft Sysmon via QRadar Windows Agent

Required Tables

events

False Positives & Tuning

  • Custom enterprise audio conferencing or accessibility software installed outside Program Files that loads winmm.dll and writes temp audio buffers to AppData paths
  • Automated QA or test harness processes that exercise audio APIs and output test recordings to Windows Temp directories as part of regression test suites
  • Music production or podcast editing software (e.g., Reaper, Audacity portable editions) running from user-writable paths that load audio DLLs during startup
  • IT monitoring agents that record ambient noise levels or audio quality metrics and stage files prior to upload
Download portable Sigma rule (.yml)

Other platforms for T1123

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1PowerSploit Get-MicrophoneAudio — 5 Second Capture

    Expected signal: Sysmon Event ID 1: PowerShell process creation with Get-MicrophoneAudio and IEX in command line. Sysmon Event ID 7: winmm.dll or audioses.dll loaded by powershell.exe. Sysmon Event ID 11: df00tech-audio-test.wav created in %TEMP%. Sysmon Event ID 3: outbound network connection to raw.githubusercontent.com. PowerShell ScriptBlock Log Event ID 4104 with full script content including Get-MicrophoneAudio function body.

  2. Test 2FFmpeg DirectShow Audio Capture — Windows

    Expected signal: Sysmon Event ID 1: ffmpeg.exe process creation with '-f dshow' and 'audio=' in command line. Sysmon Event ID 7: winmm.dll and avrt.dll loaded by ffmpeg.exe (if not in Program Files). Sysmon Event ID 11: df00tech-capture.wav created in C:\ProgramData\. The command line '-f dshow' combined with audio= string is a specific IoC for FFmpeg audio capture.

  3. Test 3Windows mciSendString Audio Capture via PowerShell Add-Type

    Expected signal: Sysmon Event ID 1: PowerShell process creation with mciSendString keyword in command line. Sysmon Event ID 7: winmm.dll loaded by powershell.exe (DllImport of winmm.dll triggers the load). Sysmon Event ID 11: df00tech-mci.wav created in %APPDATA%. PowerShell ScriptBlock Log Event ID 4104 with full P/Invoke code including mciSendString string.

  4. Test 4Linux arecord ALSA Microphone Capture

    Expected signal: Linux auditd EXECVE record: arecord process creation with '-d 10' and '/tmp/df00tech-audio-test.wav' arguments. Linux auditd OPEN/CREATE syscall records for /tmp/df00tech-audio-test.wav. Syslog entry from auditd showing arecord execution. If using Sysmon for Linux: Sysmon Event ID 1 (Process Create) with Image=/usr/bin/arecord.

Last updated: 2026-04-19 Research depth: deep
References (11)

Unlock Pro Content

Get the full detection package for T1123 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Related Techniques

T1113Screen CaptureT1056.001KeyloggingT1125Video CaptureT1041Exfiltration Over C2 ChannelT1560.001Archive via UtilityT1074.001Local Data StagingT1071.001Web ProtocolsT1105Ingress Tool TransferT1059.001PowerShellT1053.005Scheduled Task

Same Tactic: Collection

Popular Detections