title: Audio Capture (T1123)
id: df00tech-t1123
status: experimental
description: "Adversaries may leverage a computer's peripheral devices (e.g., microphones) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening in on sensitive conversations. Malware or scripts interact with audio devices through OS APIs or application APIs to capture and record audio. Recorded files may be written to disk in staging directories and subsequently exfiltrated. Known malware families using this technique include Flame, ROKRAT, Bandook, VERMIN, TajMahal, Pupy, EvilGrab, LightSpy, Cadelspy, NanoCore, Crimson, MacMa, T9000, and Machete. PowerSploit's Get-MicrophoneAudio function provides an open-source implementation commonly repurposed by attackers."
references:
  - https://attack.mitre.org/techniques/T1123/
  - https://df00tech.com/detections/T1123
author: df00tech
date: 2026/04/19
tags:
  - attack.t1123
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Legitimate audio/video conferencing software (Teams, Zoom, Webex, Discord) loading audio DLLs from non-standard install paths or as part of update processes"
  - "Media production software (Audacity, Adobe Audition, OBS, DAWs) creating audio files in user-defined output directories that overlap with staging path heuristics"
  - "Voice recognition software (Dragon NaturallySpeaking, Windows Cortana/Speech services) continuously accessing audio APIs in the background"
  - "Game software or streaming tools (OBS, XSplit) that capture system audio via DirectSound or WASAPI for game capture"
  - Podcast or screencasting tools recording audio to AppData as their default output path
  - Security testing or red team exercises using PowerSploit or atomic-red-team audio test scripts
level: high
