Created
June 7, 2020 19:27
-
-
Save Cyb3rWard0g/2e6ce7148ff979d248e6cf7e27ee4e6c to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| title: Processes Accessing the microphone and webcam | |
| id: 29976992-e6d6-4fce-8f9d-e7b9be4efbb6 | |
| status: experimental | |
| description: Potential adversaries accessing the microphone and webcam in an endpoint. | |
| references: | |
| - https://twitter.com/duzvik/status/1269671601852813320 | |
| - https://medium.com/@7a616368/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072 | |
| author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | |
| date: 2020/06/07 | |
| tags: | |
| - attack.defense_evasion | |
| - attack.t1112 | |
| logsource: | |
| product: windows | |
| service: security | |
| detection: | |
| selection1: | |
| EventID: 4657 | |
| selection2: | |
| ObjectName|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone' | |
| selection3: | |
| ObjectName|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam' | |
| condition: selection1 and (select2 or selection3) | |
| falsepositives: | |
| - Maybe zoom, MS teams. | |
| level: critical |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment