Detect Audio Capture in Sumo Logic CSE
Adversaries may leverage a computer's peripheral devices (e.g., microphones) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening in on sensitive conversations. Malware or scripts interact with audio devices through OS APIs or application APIs to capture and record audio. Recorded files may be written to disk in staging directories and subsequently exfiltrated. Known malware families using this technique include Flame, ROKRAT, Bandook, VERMIN, TajMahal, Pupy, EvilGrab, LightSpy, Cadelspy, NanoCore, Crimson, MacMa, T9000, and Machete. PowerSploit's Get-MicrophoneAudio module provides an open-source implementation commonly repurposed by attackers.
MITRE ATT&CK
- Tactic: Collection
- Technique: T1123 Audio Capture
- Canonical reference: https://attack.mitre.org/techniques/T1123/
Sumo Detection Query
_sourceCategory="WinEventLog/Sysmon"
| where EventCode in ("1", "7", "11")
| parse field=_raw "<Data Name='Image'>*</Data>" as Image nodrop
| parse field=_raw "<Data Name='ImageLoaded'>*</Data>" as ImageLoaded nodrop
| parse field=_raw "<Data Name='CommandLine'>*</Data>" as CommandLine nodrop
| parse field=_raw "<Data Name='TargetFilename'>*</Data>" as TargetFilename nodrop
| parse field=_raw "<Data Name='User'>*</Data>" as User nodrop
| parse field=_raw "<Data Name='Computer'>*</Data>" as Computer nodrop
// Branch 1: Suspicious audio DLL load (Sysmon Event 7)
| eval is_audio_dll = if(
EventCode = "7"
AND (
matches(ImageLoaded, "(?i)\\\\winmm\\.dll$")
OR matches(ImageLoaded, "(?i)\\\\audioses\\.dll$")
OR matches(ImageLoaded, "(?i)\\\\avrt\\.dll$")
OR matches(ImageLoaded, "(?i)\\\\dsound\\.dll$")
OR matches(ImageLoaded, "(?i)\\\\mfplat\\.dll$")
)
AND NOT (
matches(Image, "(?i)(audiodg|svchost|wmplayer|groove|teams|ms-teams|zoom|zoomwebviewhost|skype|skypehost|discord|slack|webex|chrome|msedge|firefox|iexplore|opera|spotify|vlc|mpv|SoundRecorder|RuntimeBroker|ShellExperienceHost|SearchHost|SystemSettings|explorer)\\.exe$")
OR matches(Image, "(?i)\\\\(Program Files|Program Files \\(x86\\)|Windows\\\\System32|Windows\\\\SysWOW64)\\\\")
),
1, 0
)
// Branch 2: Audio file staged in suspicious path (Sysmon Event 11)
| eval is_audio_staged = if(
EventCode = "11"
AND matches(TargetFilename, "(?i)\\.(wav|mp3|wma|ogg|flac|aac|m4a|raw)$")
AND (
matches(TargetFilename, "(?i)AppData\\\\Local\\\\Temp")
OR matches(TargetFilename, "(?i)AppData\\\\Roaming")
OR matches(TargetFilename, "(?i)Users\\\\Public")
OR matches(TargetFilename, "(?i)ProgramData")
OR matches(TargetFilename, "(?i)Windows\\\\Temp")
OR matches(TargetFilename, "(?i)Windows\\\\Tasks")
OR matches(TargetFilename, "(?i)Recycle")
)
AND NOT (
matches(Image, "(?i)(audiodg|wmplayer|groove|teams|ms-teams|zoom|skype|discord|slack|webex|chrome|msedge|firefox|spotify|vlc|SoundRecorder)\\.exe$")
),
1, 0
)
// Branch 3: Audio capture tool keyword in command line (Sysmon Event 1)
| eval is_audio_tool = if(
EventCode = "1"
AND (
matches(CommandLine, "(?i)(Get-MicrophoneAudio|WaveInEvent|WaveFileWriter|NAudio|mciSendString|waveInOpen|AudioCapture|MicCapture|-f dshow|audio=|avfoundation|WindowsAudioDevice|CoreAudio|AVAudioRecorder)")
),
1, 0
)
| where is_audio_dll = 1 OR is_audio_staged = 1 OR is_audio_tool = 1
| eval DetectionType = if(is_audio_tool = 1, "AudioCaptureToolUsage",
if(is_audio_staged = 1, "AudioFileStagedInSuspiciousPath", "SuspiciousAudioDllLoad"))
| eval AffectedArtifact = if(EventCode = "7", ImageLoaded,
if(EventCode = "11", TargetFilename, ""))
| fields _messageTime, Computer, User, DetectionType, Image, CommandLine, AffectedArtifact
| sort by _messageTime desc

Sumo Logic query over Sysmon XML event logs detecting audio capture via three detection branches: suspicious audio DLL loads (EventCode 7) by processes outside known legitimate audio applications and standard system paths; audio-format file creation (EventCode 11) in malware staging directories by non-allowlisted processes; and process launches (EventCode 1) containing audio capture API names or tooling strings associated with PowerSploit, NAudio, ffmpeg dshow, and mobile audio frameworks.
Data Sources
Required Tables
False Positives & Tuning
- Portable or per-user installed audio software (e.g., Audacity portable, ffmpeg scripts) launched from AppData directories that loads audio DLLs and writes output files to Temp
- Voice-enabled helpdesk or call-center software that records and temporarily buffers agent calls in ProgramData staging directories before upload to a CRM
- Automated voice response testing frameworks that exercise waveInOpen and mciSendString APIs to validate audio hardware in CI pipelines
- Accessibility tools such as screen readers or dictation utilities (not on the allowlist) that load audio DLLs and produce audio output files during operation
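To check the branch logic and the allowlist tuning offline before deploying the query, the following added example (not part of the original page or of Sumo Logic) reimplements the three branches in Python over constructed Sysmon-style XML events; the allowlists are shortened, the sample paths, the `upd.exe` process name and the `WS01` host are invented test data, and the CommandLine in the first sample only carries the `mciSendString` keyword the query looks for.

```python
import re
from xml.etree import ElementTree as ET
# Patterns mirror the three branches of the Sumo query above (allowlists shortened).
AUDIO_DLL = re.compile(r"\\(winmm|audioses|avrt|dsound|mfplat)\.dll$", re.I)
ALLOWED_IMAGE = re.compile(r"(audiodg|svchost|teams|ms-teams|zoom|chrome|msedge|SoundRecorder|explorer)\.exe$", re.I)
SYSTEM_PATH = re.compile(r"\\(Program Files|Program Files \(x86\)|Windows\\System32|Windows\\SysWOW64)\\", re.I)
AUDIO_EXT = re.compile(r"\.(wav|mp3|wma|ogg|flac|aac|m4a|raw)$", re.I)
STAGING_DIR = re.compile(r"AppData\\Local\\Temp|AppData\\Roaming|Users\\Public|ProgramData|Windows\\Temp|Windows\\Tasks|Recycle", re.I)
TOOL_KEYWORD = re.compile(r"Get-MicrophoneAudio|WaveInEvent|NAudio|mciSendString|waveInOpen|-f dshow|audio=|AVAudioRecorder", re.I)

def parse_sysmon(xml_text):
    """Extract EventID (exposed by Sumo as EventCode) and every <Data Name=...> field from a Sysmon event."""
    ev = {}
    for el in ET.fromstring(xml_text).iter():
        name = el.tag.rsplit("}", 1)[-1]          # drop the Windows event XML namespace
        if name == "Data":
            ev[el.get("Name")] = el.text or ""
        elif name == "EventID":
            ev["EventCode"] = el.text or ""
    return ev

def classify(ev):
    """Return the DetectionType the query would assign to one event, or None if it would not alert."""
    code, image = ev.get("EventCode"), ev.get("Image", "")
    allowed = bool(ALLOWED_IMAGE.search(image))
    if code == "1" and TOOL_KEYWORD.search(ev.get("CommandLine", "")):
        return "AudioCaptureToolUsage"   # Branch 3 is checked first, matching the query's nested if()
    target = ev.get("TargetFilename", "")
    if code == "11" and AUDIO_EXT.search(target) and STAGING_DIR.search(target) and not allowed:
        return "AudioFileStagedInSuspiciousPath"
    if code == "7" and AUDIO_DLL.search(ev.get("ImageLoaded", "")) and not (allowed or SYSTEM_PATH.search(image)):
        return "SuspiciousAudioDllLoad"
    return None

def _event(event_id, **data):
    """Build a constructed Sysmon-style XML event (test data, not real telemetry)."""
    body = "".join(f"<Data Name='{k}'>{v}</Data>" for k, v in data.items())
    return (f"<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
            f"<System><EventID>{event_id}</EventID><Computer>WS01</Computer></System>"
            f"<EventData>{body}</EventData></Event>")
# Constructed samples: the first three should fire; the last (Teams loading an audio DLL) is allowlisted.
SAMPLES = [
    _event(1, Image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", CommandLine="powershell.exe -Command [Win32]::mciSendString(...)"),
    _event(7, Image=r"C:\Users\alice\AppData\Local\Temp\upd.exe", ImageLoaded=r"C:\Windows\System32\winmm.dll"),
    _event(11, Image=r"C:\Users\alice\AppData\Roaming\upd.exe", TargetFilename=r"C:\Users\alice\AppData\Local\Temp\rec.wav"),
    _event(7, Image=r"C:\Program Files\Microsoft\Teams\current\Teams.exe", ImageLoaded=r"C:\Windows\System32\audioses.dll"),
]

def run(samples=SAMPLES):
    """Classify each sample; expected: two alerts for upd.exe, one tool-usage alert, and None for Teams."""
    return [classify(parse_sysmon(x)) for x in samples]
```

Extending `ALLOWED_IMAGE` with the portable or helpdesk software from the tuning list above and re-running `run()` shows directly which false positives a given allowlist entry suppresses.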
Other platforms for T1123
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: PowerSploit Get-MicrophoneAudio — 5 Second Capture
Expected signal: Sysmon Event ID 1: PowerShell process creation with Get-MicrophoneAudio and IEX in command line. Sysmon Event ID 7: winmm.dll or audioses.dll loaded by powershell.exe. Sysmon Event ID 11: df00tech-audio-test.wav created in %TEMP%. Sysmon Event ID 3: outbound network connection to raw.githubusercontent.com. PowerShell ScriptBlock Log Event ID 4104 with full script content including Get-MicrophoneAudio function body.
- Test 2: FFmpeg DirectShow Audio Capture — Windows
Expected signal: Sysmon Event ID 1: ffmpeg.exe process creation with '-f dshow' and 'audio=' in command line. Sysmon Event ID 7: winmm.dll and avrt.dll loaded by ffmpeg.exe (if not in Program Files). Sysmon Event ID 11: df00tech-capture.wav created in C:\ProgramData\. The command line '-f dshow' combined with audio= string is a specific IoC for FFmpeg audio capture.
- Test 3: Windows mciSendString Audio Capture via PowerShell Add-Type
Expected signal: Sysmon Event ID 1: PowerShell process creation with mciSendString keyword in command line. Sysmon Event ID 7: winmm.dll loaded by powershell.exe (DllImport of winmm.dll triggers the load). Sysmon Event ID 11: df00tech-mci.wav created in %APPDATA%. PowerShell ScriptBlock Log Event ID 4104 with full P/Invoke code including mciSendString string.
- Test 4: Linux arecord ALSA Microphone Capture
Expected signal: Linux auditd EXECVE record: arecord process creation with '-d 10' and '/tmp/df00tech-audio-test.wav' arguments. Linux auditd OPEN/CREATE syscall records for /tmp/df00tech-audio-test.wav. Syslog entry from auditd showing arecord execution. If using Sysmon for Linux: Sysmon Event ID 1 (Process Create) with Image=/usr/bin/arecord.
References (11)
- https://attack.mitre.org/techniques/T1123/
- https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Attor.pdf
- https://securelist.com/scarcruft-surveils-north-korean-defectors-and-mps/91101/
- https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-t9000-advanced-modular-backdoor-uses-complex-anti-analysis-techniques.pdf
- https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-MicrophoneAudio.ps1
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.md
- https://objective-see.org/blog/blog_0x69.html
- https://www.objective-see.com/blog/blog_0x7C.html
- https://www.huntress.com/blog/lightspy-for-macos
- https://learn.microsoft.com/en-us/windows/win32/multimedia/mci-command-strings
- https://learn.microsoft.com/en-us/windows/win32/coreaudio/wasapi