CSEC_PUBLIC/hayabusa
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
c43624dcb2b8ca3bf82faa8a710ce9ecd703b7c7
hayabusa/rules/sigma/builtin/security/win_camera_microphone_access.yml
itiB 83d891b2fa Feature/rm submodule (#312) 
* rm: submodule

* Add: rules

* Fix: hayabusa-rules to c9c10a
2021-12-20 21:14:32 +09:00

34 lines
1.0 KiB
YAML
Raw Blame History

title: Processes Accessing the Microphone and Webcam
ruletype: Sigma
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020/06/07
description: Potential adversaries accessing the microphone and webcam in an endpoint.
detection:
SELECTION_1:
EventID: 4657
SELECTION_2:
EventID: 4656
SELECTION_3:
EventID: 4663
SELECTION_4:
ObjectName:
- '*\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\NonPackaged*'
- '*\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam\NonPackaged*'
condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4)
falsepositives:
- Unknown
id: 8cd538a4-62d5-4e83-810b-12d41e428d6e
level: medium
logsource:
product: windows
service: security
modified: 2021/11/27
references:
- https://twitter.com/duzvik/status/1269671601852813320
- https://medium.com/@7a616368/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072
status: test
tags:
- attack.collection
- attack.t1123
Reference in New Issue View Git Blame Copy Permalink