CSEC_PUBLIC/hayabusa
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
f71d5848fee4ffb52c83f10fbf204b3aa5e2bb1b
hayabusa/rules/Sigma/win_camera_microphone_access.yml
Tanaka Zakku 50aebce32e Added Sigma Rules
2021-11-14 11:00:56 +09:00

34 lines
1.2 KiB
YAML
Raw Blame History

title: Processes Accessing the Microphone and Webcam
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020/06/07
description: Potential adversaries accessing the microphone and webcam in an endpoint.
detection:
SELECTION_1:
EventID: 4657
SELECTION_2:
EventID: 4656
SELECTION_3:
EventID: 4663
SELECTION_4:
ObjectName: '*\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\NonPackaged*'
SELECTION_5:
ObjectName: '*\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam\NonPackaged*'
condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and (SELECTION_4 or SELECTION_5))
falsepositives:
- Unknown
id: 8cd538a4-62d5-4e83-810b-12d41e428d6e
level: medium
logsource:
product: windows
service: security
references:
- https://twitter.com/duzvik/status/1269671601852813320
- https://medium.com/@7a616368/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072
status: experimental
tags:
- attack.collection
- attack.t1123
yml_filename: win_camera_microphone_access.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin
Reference in New Issue View Git Blame Copy Permalink