T1123 Microsoft Sentinel · KQL

Detect Audio Capture in Microsoft Sentinel

Adversaries may leverage a computer's peripheral devices (e.g., microphones) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening in on sensitive conversations. Malware or scripts interact with audio devices through OS APIs or application APIs to capture and record audio. Recorded files may be written to disk in staging directories and subsequently exfiltrated. Known malware families using this technique include Flame, ROKRAT, Bandook, VERMIN, TajMahal, Pupy, EvilGrab, LightSpy, Cadelspy, NanoCore, Crimson, MacMa, T9000, and Machete. PowerSploit's Get-MicrophoneAudio module provides an open-source implementation that is commonly repurposed by attackers.

MITRE ATT&CK

Tactic: Collection
Technique: T1123 Audio Capture
Canonical reference: https://attack.mitre.org/techniques/T1123/

KQL Detection Query

Microsoft Sentinel (KQL)
```kusto
// Audio API DLLs whose load by an unexpected process is worth a look
let AudioCaptureDlls = dynamic(["winmm.dll", "audioses.dll", "avrt.dll", "dsound.dll", "mfplat.dll"]);
// Known legitimate audio consumers, excluded from the DLL-load and file-staging branches
let LegitAudioProcesses = dynamic([
  "audiodg.exe", "svchost.exe", "wmplayer.exe", "groove.exe", "msiexec.exe",
  "teams.exe", "ms-teams.exe", "zoom.exe", "zoomwebviewhost.exe",
  "skype.exe", "skypehost.exe", "skypebridge.exe",
  "discord.exe", "slack.exe", "webex.exe",
  "chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe", "opera.exe",
  "spotify.exe", "vlc.exe", "mpv.exe", "SoundRecorder.exe",
  "RuntimeBroker.exe", "ShellExperienceHost.exe", "SearchHost.exe",
  "SystemSettings.exe", "explorer.exe"
]);
let AudioExtensions = dynamic([".wav", ".mp3", ".wma", ".ogg", ".flac", ".aac", ".m4a", ".raw"]);
// Directories commonly used to stage recordings before exfiltration
let SuspiciousStagingPaths = dynamic([
  "\\AppData\\Local\\Temp\\", "\\AppData\\Roaming\\Intel\\",
  "\\AppData\\Roaming\\Microsoft\\Windows\\",
  "\\Users\\Public\\", "\\ProgramData\\", "\\Windows\\Temp\\",
  "\\Windows\\Tasks\\", "\\Recycle"
]);
union
(
    // Signal 1: audio DLL loaded by a non-allowlisted process outside trusted install paths
    DeviceImageLoadEvents
    | where Timestamp > ago(24h)
    | where FileName in~ (AudioCaptureDlls)
    | where InitiatingProcessFileName !in~ (LegitAudioProcesses)
    | where InitiatingProcessFolderPath !has_any ("\\Program Files\\", "\\Program Files (x86)\\", "\\Windows\\System32\\", "\\Windows\\SysWOW64\\")
    | extend DetectionType = "SuspiciousAudioDllLoad"
    | extend Detail = strcat("Process loaded audio DLL: ", FileName)
    // DeviceImageLoadEvents has no AccountName column; take it from the initiating process
    | project Timestamp, DeviceName, AccountName = InitiatingProcessAccountName, DetectionType, Detail,
              ProcessName = InitiatingProcessFileName,
              CommandLine = InitiatingProcessCommandLine,
              ProcessPath = InitiatingProcessFolderPath
),
(
    // Signal 2: audio file created in a staging directory by a non-allowlisted process
    DeviceFileEvents
    | where Timestamp > ago(24h)
    | where ActionType == "FileCreated"
    | where FileName has_any (AudioExtensions)
    | where FolderPath has_any (SuspiciousStagingPaths)
    | where InitiatingProcessFileName !in~ (LegitAudioProcesses)
    | extend DetectionType = "AudioFileStagedInSuspiciousPath"
    | extend Detail = strcat("Audio file created: ", FolderPath)
    // DeviceFileEvents has no AccountName column either
    | project Timestamp, DeviceName, AccountName = InitiatingProcessAccountName, DetectionType, Detail,
              ProcessName = InitiatingProcessFileName,
              CommandLine = InitiatingProcessCommandLine,
              ProcessPath = InitiatingProcessFolderPath
),
(
    // Signal 3: command line references a known audio capture function or framework
    DeviceProcessEvents
    | where Timestamp > ago(24h)
    | where ProcessCommandLine has_any (
        "Get-MicrophoneAudio", "WaveInEvent", "WaveFileWriter", "NAudio",
        "mciSendString", "waveInOpen", "AudioCapture", "MicCapture",
        "dshow", "audio=", "-f dshow", "avfoundation",
        "WindowsAudioDevice", "CoreAudio", "AVAudioRecorder"
      )
    | extend DetectionType = "AudioCaptureToolUsage"
    | extend Detail = strcat("Audio capture keyword in command line: ", ProcessCommandLine)
    | project Timestamp, DeviceName, AccountName, DetectionType, Detail,
              ProcessName = FileName,
              CommandLine = ProcessCommandLine,
              ProcessPath = FolderPath
)
| sort by Timestamp desc
```

Severity: high · Confidence: medium

Detects audio capture activity across three signal types: (1) suspicious processes loading Windows audio API DLLs (winmm.dll, audioses.dll, avrt.dll, dsound.dll) that are not known legitimate audio consumers; (2) audio files with common recording extensions (.wav, .mp3, .wma, etc.) created in staging paths such as AppData, ProgramData, or Windows\Temp by non-audio processes; (3) process command lines referencing known audio capture functions or frameworks, including PowerSploit's Get-MicrophoneAudio, NAudio WaveInEvent, the mciSendString Win32 API, FFmpeg dshow audio capture, or macOS AVFoundation/CoreAudio. The query unions all three into a single result set for analyst triage.
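To exercise the three branches offline, here is an added Python harness (not the page's own code and not Sentinel) that re-implements the query's allowlist, trusted-path and staging-path logic over constructed MDE-style events modelled on the expected signals of Tests 1 and 2 below; substring matching stands in for KQL `has_any`/`in~`, and the process allowlist is a subset.

```python
# Constructed test harness (added example, not the page's Sentinel code): re-implements the
# three branches of the KQL above in Python so the rule logic can be exercised offline.
AUDIO_DLLS = {"winmm.dll", "audioses.dll", "avrt.dll", "dsound.dll", "mfplat.dll"}
LEGIT_PROCS = {"audiodg.exe", "svchost.exe", "teams.exe", "ms-teams.exe", "zoom.exe",
               "chrome.exe", "msedge.exe", "explorer.exe", "soundrecorder.exe"}  # subset
TRUSTED_DIRS = ("\\program files\\", "\\program files (x86)\\",
                "\\windows\\system32\\", "\\windows\\syswow64\\")
AUDIO_EXTS = (".wav", ".mp3", ".wma", ".ogg", ".flac", ".aac", ".m4a", ".raw")
STAGING = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\intel\\",
           "\\appdata\\roaming\\microsoft\\windows\\", "\\users\\public\\",
           "\\programdata\\", "\\windows\\temp\\", "\\windows\\tasks\\", "\\recycle")
KEYWORDS = ("get-microphoneaudio", "waveinevent", "wavefilewriter", "naudio", "mcisendstring",
            "waveinopen", "-f dshow", "audio=", "avfoundation", "coreaudio", "avaudiorecorder")

def classify(ev):
    """Return the DetectionType the query would emit for one MDE-style event, else None.
    Case-insensitive substring checks approximate KQL has_any/in~ closely enough for tests."""
    proc = ev.get("InitiatingProcessFileName", "").lower()
    if ev["table"] == "DeviceImageLoadEvents":
        if (ev["FileName"].lower() in AUDIO_DLLS and proc not in LEGIT_PROCS
                and not any(d in ev["InitiatingProcessFolderPath"].lower() for d in TRUSTED_DIRS)):
            return "SuspiciousAudioDllLoad"
    elif ev["table"] == "DeviceFileEvents":
        if (ev["ActionType"] == "FileCreated" and ev["FileName"].lower().endswith(AUDIO_EXTS)
                and any(p in ev["FolderPath"].lower() for p in STAGING) and proc not in LEGIT_PROCS):
            return "AudioFileStagedInSuspiciousPath"
    elif ev["table"] == "DeviceProcessEvents":
        if any(k in ev["ProcessCommandLine"].lower() for k in KEYWORDS):
            return "AudioCaptureToolUsage"
    return None

# Constructed events modelled on the expected signals of Tests 1-2 plus one benign Teams load.
SAMPLE_EVENTS = [
    {"table": "DeviceProcessEvents", "FileName": "powershell.exe",
     "ProcessCommandLine": "powershell -c Get-MicrophoneAudio -Length 5"},
    {"table": "DeviceImageLoadEvents", "FileName": "winmm.dll",             # Test 1 DLL load is
     "InitiatingProcessFileName": "powershell.exe",                         # excluded: image lives
     "InitiatingProcessFolderPath": "c:\\windows\\system32\\windowspowershell\\v1.0"},  # in System32
    {"table": "DeviceImageLoadEvents", "FileName": "avrt.dll",
     "InitiatingProcessFileName": "ffmpeg.exe", "InitiatingProcessFolderPath": "c:\\tools\\ffmpeg"},
    {"table": "DeviceFileEvents", "ActionType": "FileCreated", "FileName": "df00tech-capture.wav",
     "FolderPath": "C:\\ProgramData\\df00tech-capture.wav", "InitiatingProcessFileName": "ffmpeg.exe"},
    {"table": "DeviceImageLoadEvents", "FileName": "winmm.dll", "InitiatingProcessFileName": "Teams.exe",
     "InitiatingProcessFolderPath": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\Teams\\current"},
]

def run(events=SAMPLE_EVENTS):
    """Apply the three rules and return the DetectionType label per event (None = no hit)."""
    return [classify(e) for e in events]
```

Note that the DLL-load branch never fires for powershell.exe itself, because the query excludes initiating images under \Windows\System32\; Test 1 is therefore caught by the command-line branch (and its .wav write in %TEMP%), not by the winmm.dll load.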

Data Sources

  • Module: Module Load
  • File: File Creation
  • Process: Process Creation
  • Command: Command Execution
  • Microsoft Defender for Endpoint

Required Tables

  • DeviceImageLoadEvents
  • DeviceFileEvents
  • DeviceProcessEvents

False Positives & Tuning

  • Legitimate audio/video conferencing software (Teams, Zoom, Webex, Discord) loading audio DLLs from non-standard install paths or as part of update processes
  • Media production software (Audacity, Adobe Audition, OBS, DAWs) creating audio files in user-defined output directories that overlap with staging path heuristics
  • Voice recognition software (Dragon NaturallySpeaking, Windows Cortana/Speech services) continuously accessing audio APIs in the background
  • Game software or streaming tools (OBS, XSplit) that capture system audio via DirectSound or WASAPI for game capture
  • Podcast or screencasting tools recording audio to AppData as their default output path
  • Security testing or red team exercises using PowerSploit or atomic-red-team audio test scripts

Testing Methodology

Validate this detection against 4 tests from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: PowerSploit Get-MicrophoneAudio — 5 Second Capture

    Expected signal: Sysmon Event ID 1: PowerShell process creation with Get-MicrophoneAudio and IEX in command line. Sysmon Event ID 7: winmm.dll or audioses.dll loaded by powershell.exe. Sysmon Event ID 11: df00tech-audio-test.wav created in %TEMP%. Sysmon Event ID 3: outbound network connection to raw.githubusercontent.com. PowerShell ScriptBlock Log Event ID 4104 with full script content including Get-MicrophoneAudio function body.

  2. Test 2: FFmpeg DirectShow Audio Capture — Windows

    Expected signal: Sysmon Event ID 1: ffmpeg.exe process creation with '-f dshow' and 'audio=' in command line. Sysmon Event ID 7: winmm.dll and avrt.dll loaded by ffmpeg.exe (if not in Program Files). Sysmon Event ID 11: df00tech-capture.wav created in C:\ProgramData\. The '-f dshow' flag combined with the 'audio=' string in the command line is a specific indicator of FFmpeg audio capture.

  3. Test 3: Windows mciSendString Audio Capture via PowerShell Add-Type

    Expected signal: Sysmon Event ID 1: PowerShell process creation with mciSendString keyword in command line. Sysmon Event ID 7: winmm.dll loaded by powershell.exe (DllImport of winmm.dll triggers the load). Sysmon Event ID 11: df00tech-mci.wav created in %APPDATA%. PowerShell ScriptBlock Log Event ID 4104 with full P/Invoke code including mciSendString string.

  4. Test 4: Linux arecord ALSA Microphone Capture

    Expected signal: Linux auditd EXECVE record: arecord process creation with '-d 10' and '/tmp/df00tech-audio-test.wav' arguments. Linux auditd OPEN/CREATE syscall records for /tmp/df00tech-audio-test.wav. Syslog entry from auditd showing arecord execution. If using Sysmon for Linux: Sysmon Event ID 1 (Process Create) with Image=/usr/bin/arecord.

