SigmaHQ/rules/windows/process_creation/win_soundrec_audio_capture.yml

title: Audio Capture via SoundRecorder
id: 83865853-59aa-449e-9600-74b9d89a6d6e
description: Detect attacker collecting audio via SoundRecorder application
status: experimental
author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community
date: 2019/10/24
modified: 2019/11/11
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.yaml
    - https://eqllib.readthedocs.io/en/latest/analytics/f72a98cb-7b3d-4100-99c3-a138b6e9ff6e.html
tags:
    - attack.collection
    - attack.t1123
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\SoundRecorder.exe'
        CommandLine|contains: '/FILE'
    condition: selection
falsepositives:
    - Legitimate audio capture by legitimate user
level: medium
Added Atomic Blue Detections Repo 2019-10-28 10:59:49 +00:00			`title: Audio Capture via SoundRecorder`
UUIDs + moved unsupported logic * Added UUIDs to all contributed rules * Moved unsupported logic directory out of rules/ because this breaks CI testing. 2019-12-19 22:56:36 +00:00			`id: 83865853-59aa-449e-9600-74b9d89a6d6e`
Update win_soundrec_audio_capture.yml 2019-11-10 22:40:45 +00:00			`description: Detect attacker collecting audio via SoundRecorder application`
Added Atomic Blue Detections Repo 2019-10-28 10:59:49 +00:00			`status: experimental`
Update win_soundrec_audio_capture.yml 2019-11-10 22:40:45 +00:00			`author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community`
Added Atomic Blue Detections Repo 2019-10-28 10:59:49 +00:00			`date: 2019/10/24`
Update win_soundrec_audio_capture.yml 2019-11-10 22:40:45 +00:00			`modified: 2019/11/11`
			`references:`
			`- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.yaml`
Update win_soundrec_audio_capture.yml 2019-11-10 22:45:39 +00:00			`- https://eqllib.readthedocs.io/en/latest/analytics/f72a98cb-7b3d-4100-99c3-a138b6e9ff6e.html`
Added Atomic Blue Detections Repo 2019-10-28 10:59:49 +00:00			`tags:`
			`- attack.collection`
			`- attack.t1123`
OSCD QA wave 3 2020-01-19 21:34:16 +00:00			`logsource:`
			`category: process_creation`
			`product: windows`
Added Atomic Blue Detections Repo 2019-10-28 10:59:49 +00:00			`detection:`
			`selection:`
Update win_soundrec_audio_capture.yml 2019-11-10 22:40:45 +00:00			`Image\|endswith: '\SoundRecorder.exe'`
			`CommandLine\|contains: '/FILE'`
Added Atomic Blue Detections Repo 2019-10-28 10:59:49 +00:00			`condition: selection`
			`falsepositives:`
Update win_soundrec_audio_capture.yml 2019-11-10 22:40:45 +00:00			`- Legitimate audio capture by legitimate user`
Added Atomic Blue Detections Repo 2019-10-28 10:59:49 +00:00			`level: medium`